'Create or Update Network Security Group' activity log alert should be configured

Description

To improve detection of suspicious activity and gain insight into network access changes, it is recommended to create an Activity Log Alert for the “Create or Update Network Security Group” event. Monitoring this event makes it easier to detect unauthorized modifications to network security groups and to respond to them quickly.

Remediation

From the console

  1. Navigate to the Monitor blade.
  2. Select Alerts > Create > Alert rule.
  3. Under Filter by subscription, choose a subscription.
  4. Under Filter by resource type, select Network security groups.
  5. Under Filter by location, select All.
  6. From the results, select the subscription, then click Done.
  7. Select the Condition tab.
  8. Under Signal name, click Create or Update Network Security Group (Microsoft.Network/networkSecurityGroups).
  9. Select the Actions tab.
  10. To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection.
  11. Click the Details tab.
  12. Select a Resource group, then provide an Alert rule name and an optional Alert rule description.
  13. Click Review + create.
  14. Click Create.
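
To confirm the result of the steps above, the following added example (not part of the original page or of any Azure tooling) checks a list of activity log alert rules for one that is enabled, scoped to the whole subscription, matches the NSG write operation, and has an action group. The subscription ID, resource names and alert entries are constructed placeholders, and the dictionary layout assumes the JSON shape returned by `az monitor activity-log alert list`.

```python
# Operation name Azure logs for "Create or Update Network Security Group".
NSG_WRITE = "microsoft.network/networksecuritygroups/write"
SUB = "00000000-0000-0000-0000-000000000000"  # constructed subscription id
AG = (f"/subscriptions/{SUB}/resourceGroups/rg-sec/providers/"
      "microsoft.insights/actionGroups/secops")  # constructed action group id

def _alert(name, op, scope, enabled=True, groups=(AG,)):
    """Build a constructed alert rule in the assumed `az` JSON layout."""
    return {"name": name, "enabled": enabled, "scopes": [scope],
            "condition": {"allOf": [
                {"field": "category", "equals": "Administrative"},
                {"field": "operationName", "equals": op}]},
            "actions": {"actionGroups": [{"actionGroupId": g} for g in groups]}}

WRITE_OP = "Microsoft.Network/networkSecurityGroups/write"
SAMPLE_ALERTS = [  # constructed sample data, not real output
    _alert("nsg-delete", "Microsoft.Network/networkSecurityGroups/delete",
           f"/subscriptions/{SUB}"),
    _alert("nsg-write-one-rg", WRITE_OP,
           f"/subscriptions/{SUB}/resourceGroups/rg-app"),
    _alert("nsg-write-disabled", WRITE_OP, f"/subscriptions/{SUB}", enabled=False),
    _alert("nsg-write-no-action", WRITE_OP, f"/subscriptions/{SUB}", groups=()),
    _alert("nsg-write", WRITE_OP, f"/subscriptions/{SUB}"),
]

def failures(alert, subscription_id):
    """Return the reasons an alert rule fails the control (empty list = passes)."""
    reasons = []
    conds = {c.get("field", "").lower(): str(c.get("equals", "")).lower()
             for c in alert.get("condition", {}).get("allOf", [])}
    if conds.get("operationname") != NSG_WRITE:
        reasons.append("operationName is not the NSG write operation")
    if conds.get("category") != "administrative":
        reasons.append("category is not Administrative")
    if not alert.get("enabled"):
        reasons.append("alert rule is disabled")
    scopes = [s.lower().rstrip("/") for s in alert.get("scopes", [])]
    if f"/subscriptions/{subscription_id}".lower() not in scopes:
        reasons.append("scope does not cover the whole subscription")
    if not alert.get("actions", {}).get("actionGroups"):
        reasons.append("no action group attached")
    return reasons

def compliant_alerts(alerts, subscription_id):
    """Names of alert rules that fully cover NSG create/update for the subscription."""
    return [a["name"] for a in alerts if not failures(a, subscription_id)]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a["name"], failures(a, SUB) or "OK")
```

To run it against a real subscription, replace `SAMPLE_ALERTS` with the parsed JSON output of `az monitor activity-log alert list`; the control passes when `compliant_alerts` returns at least one name.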