An Azure Monitor Activity Log alert that watches for the Microsoft.Network/networkSecurityGroups/write operation captures Network Security Group create and update events across the whole subscription.
Risk
Without an alert on NSG changes, unauthorized network policy modifications can go unnoticed. An adversary or an operator mistake could open ports, weaken segmentation, and enable lateral movement, affecting data confidentiality and service availability through exposure or disruption of critical traffic.
prowler azure --checks monitor_alert_create_update_nsg
Recommendation
Implement a subscription-wide Activity Log alert for NSG change operations and route notifications to an action group for rapid triage.
Apply least privilege to the tooling that makes network changes, enforce change management, and add complementary alerts for Microsoft.Network/networkSecurityGroups/securityRules/write and the corresponding delete operations. Forward the alerts to a SIEM for correlation.
Remediation
az monitor activity-log alert create --resource-group '<example_resource_name>' --name '<example_resource_name>' --scopes '/subscriptions/<subscription ID>' --condition "category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/write" --location global
- In the Azure portal, go to Monitor > Alerts > Alert rules > Create
- Scope: Select your subscription and click Apply
- Condition: Choose Activity log, set Category to Administrative, set Operation name to Microsoft.Network/networkSecurityGroups/write, then Done
- Actions: Skip (attaching an action group is optional for the check, but needed if anyone is to be notified)
- Details: Name the rule, set Region to Global, and ensure that "Enable upon creation" is checked
- Review + create > Create
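The following script is an added example (not Prowler's own check code) that evaluates the outcome of the remediation above and the complementary alerts from the Recommendation: it reads Activity Log alert rule objects in the shape returned by `az monitor activity-log alert list -o json` (name, enabled, scopes, condition.allOf[], actions.actionGroups[]) and reports, per NSG operation, whether an enabled subscription-wide alert exists and whether it is routed to an action group. SUBSCRIPTION_ID, ACTION_GROUP_ID and SAMPLE_ALERTS are constructed placeholders so it runs offline; it goes beyond the single write operation on this page by checking the delete and securityRules operations as well.

```python
"""Check Activity Log alert rules for NSG change coverage (added example, not Prowler code).

Input objects follow the microsoft.insights/activitylogalerts shape that
`az monitor activity-log alert list -o json` returns. The sample data below is constructed.
"""
import json
import sys

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
SUB_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"
ACTION_GROUP_ID = f"{SUB_SCOPE}/resourceGroups/monitoring-rg/providers/microsoft.insights/actionGroups/secops"  # placeholder

# Each operation should be matched by an enabled alert scoped to the whole subscription.
REQUIRED_OPERATIONS = (
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/delete",
)


def _rule(name, enabled, scope, operation, action_groups):
    """Build a constructed alert rule object in the activitylogalerts shape."""
    return {
        "name": name,
        "enabled": enabled,
        "scopes": [scope],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": operation},
        ]},
        "actions": {"actionGroups": [{"actionGroupId": g} for g in action_groups]},
    }


SAMPLE_ALERTS = [
    # Correct: subscription-wide, enabled, routed to an action group.
    _rule("nsg-write-alert", True, SUB_SCOPE, REQUIRED_OPERATIONS[0], [ACTION_GROUP_ID]),
    # Disabled: must not count as coverage.
    _rule("nsg-rule-write-alert", False, SUB_SCOPE, REQUIRED_OPERATIONS[2], [ACTION_GROUP_ID]),
    # Scoped to one resource group only: not subscription-wide.
    _rule("nsg-delete-prod-only", True, f"{SUB_SCOPE}/resourceGroups/prod-rg",
          REQUIRED_OPERATIONS[1], [ACTION_GROUP_ID]),
    # Alert exists but nobody is notified (the portal "Actions: Skip" case).
    _rule("nsg-rule-delete-alert", True, SUB_SCOPE, REQUIRED_OPERATIONS[3], []),
]


def condition_values(alert):
    """Flatten condition.allOf into {field: {values}}, lower-cased.
    Entries may be plain {field, equals} or an {anyOf: [...]} group."""
    values = {}
    for entry in alert.get("condition", {}).get("allOf", []):
        for leaf in entry.get("anyOf") or [entry]:
            field = str(leaf.get("field", "")).lower()
            if leaf.get("equals") is not None:
                values.setdefault(field, set()).add(str(leaf["equals"]).lower())
    return values


def alert_covers(alert, operation, subscription_id):
    """True if the alert is enabled, scoped to the whole subscription,
    and fires on Administrative events with the given operationName."""
    if not alert.get("enabled", False):
        return False
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    if not any(s.lower() == sub_scope for s in alert.get("scopes", [])):
        return False
    values = condition_values(alert)
    return ("administrative" in values.get("category", set())
            and operation.lower() in values.get("operationname", set()))


def has_action_group(alert):
    """True if at least one action group receives the alert."""
    return bool(alert.get("actions", {}).get("actionGroups"))


def evaluate(alerts, subscription_id, operations=REQUIRED_OPERATIONS):
    """Map each operation to PASS, PASS_NO_ACTION_GROUP or FAIL."""
    report = {}
    for op in operations:
        matching = [a for a in alerts if alert_covers(a, op, subscription_id)]
        if not matching:
            report[op] = "FAIL"
        elif any(has_action_group(a) for a in matching):
            report[op] = "PASS"
        else:
            report[op] = "PASS_NO_ACTION_GROUP"
    return report


if __name__ == "__main__":
    # Usage: python3 nsg_alert_coverage.py [alerts.json] [subscription-id]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            alerts = json.load(fh)
    else:
        alerts = SAMPLE_ALERTS
    sub = sys.argv[2] if len(sys.argv) > 2 else SUBSCRIPTION_ID
    for op, status in evaluate(alerts, sub).items():
        print(f"{status:<22} {op}")
```

Run it with no arguments to see the four sample outcomes, or pass the JSON from `az monitor activity-log alert list -o json` together with your subscription ID. PASS_NO_ACTION_GROUP is reported separately because an alert with no action group satisfies the existence check but produces no notification, which is the gap the Recommendation's action-group routing closes.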
Resource Type
microsoft.insights/activitylogalerts
References
- https://learn.microsoft.com/en-in/azure/azure-monitor/alerts/alerts-create-activity-log-alert-rule?tabs=activity-log
- https://learn.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-schema
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/ActivityLog/create-update-network-security-group-rule-alert-in-use.html