Ensure Activity Log Alert exists for Delete Network Security Group

More Info:

Monitoring for ‘Delete Network Security Group’ events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

CISAZURE, CBP, SOC2, ISO27001, HIPAA, HITRUST, NISTCSF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of not having an Activity Log Alert for Delete Network Security Group in Azure using Azure CLI, follow these steps:

Open Azure CLI on your machine.
Run the following command to create an Activity Log Alert for Delete Network Security Group:

az monitor activity-log alert create --name <Alert_Name> --description <Alert_Description> --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/delete --action email <Email_Address>

Replace <Alert_Name> with the name of the alert you want to create, <Alert_Description> with a brief description of the alert, and <Email_Address> with the email address to which the alert should be sent.

Once the command is executed successfully, the alert will be created and configured to send an email notification whenever a Network Security Group is deleted.
You can verify the alert by running the following command:

az monitor activity-log alert list

This will display a list of all the activity log alerts configured in your Azure environment, including the one you just created.By following these steps, you can remediate the misconfiguration of not having an Activity Log Alert for Delete Network Security Group in Azure using Azure CLI.

Using Python

To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Network Security Group” in Azure using Python, you can follow the below steps:Step 1: Install the Azure SDK for Python using the following pip command:

pip install azure-mgmt-monitor

Step 2: Use the below code to check if an Activity Log Alert exists for Delete Network Security Group:

from azure.mgmt.monitor import MonitorManagementClient
from azure.common.credentials import ServicePrincipalCredentials

# Replace with your tenant ID, client ID and client secret
tenant_id = '<your_tenant_id>'
client_id = '<your_client_id>'
client_secret = '<your_client_secret>'

# Replace with your subscription ID and resource group name
subscription_id = '<your_subscription_id>'
resource_group_name = '<your_resource_group_name>'

# Replace with your Activity Log Alert name and resource ID of the Network Security Group
activity_log_alert_name = '<your_activity_log_alert_name>'
network_security_group_resource_id = '<your_network_security_group_resource_id>'

# Create credentials object
credentials = ServicePrincipalCredentials(client_id=client_id, secret=client_secret, tenant=tenant_id)

# Create MonitorManagementClient object
monitor_client = MonitorManagementClient(credentials, subscription_id)

# Get Activity Log Alert by name
activity_log_alert = monitor_client.activity_log_alerts.get(resource_group_name, activity_log_alert_name)

# Get the condition of the Activity Log Alert
condition = activity_log_alert.condition.all_of[0].field_value == network_security_group_resource_id and activity_log_alert.condition.all_of[0].equals == 'Microsoft.Network/networkSecurityGroups/delete'

# Check if the Activity Log Alert exists for Delete Network Security Group
if activity_log_alert.enabled and condition:
    print('Activity Log Alert exists for Delete Network Security Group')
else:
    print('Activity Log Alert does not exist for Delete Network Security Group')

Step 3: If the output of the above code is “Activity Log Alert does not exist for Delete Network Security Group”, then you can use the below code to create an Activity Log Alert for Delete Network Security Group:

from azure.mgmt.monitor.models import *

# Replace with your Activity Log Alert name, description and resource ID of the Network Security Group
activity_log_alert_name = '<your_activity_log_alert_name>'
activity_log_alert_description = '<your_activity_log_alert_description>'
network_security_group_resource_id = '<your_network_security_group_resource_id>'

# Create the condition for the Activity Log Alert
condition = Condition(all_of=[ManagementEventRuleCondition(field='resourceId', equals=network_security_group_resource_id), ManagementEventRuleCondition(field='operationName', equals='Microsoft.Network/networkSecurityGroups/delete')])

# Create the Action Group for the Activity Log Alert
action_group = ActionGroup(action_group_id='<your_action_group_id>')

# Create the Activity Log Alert object
activity_log_alert = ActivityLogAlert(enabled=True, name=activity_log_alert_name, description=activity_log_alert_description, condition=condition, actions=[action_group])

# Create the Activity Log Alert
monitor_client.activity_log_alerts.create_or_update(resource_group_name, activity_log_alert_name, activity_log_alert)

Note: Replace the placeholders <your_tenant_id>, <your_client_id>, <your_client_secret>, <your_subscription_id>, <your_resource_group_name>, <your_activity_log_alert_name>, <your_activity_log_alert_description>, <your_network_security_group_resource_id> and <your_action_group_id> with the actual values for your Azure environment.

Additional Reading:

https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Ensure Activity Log Alert exists for Delete Network Security Group

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: