More Info:

Monitoring for ‘Delete Network Security Group’ events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

CISAZURE, CBP, SOC2, ISO27001, HIPAA, HITRUST, NISTCSF

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Network Security Group” for Azure using the Azure console:
  1. Log in to the Azure portal (https://portal.azure.com/).
  2. Click on “Monitor” from the left-hand menu.
  3. Click on “Activity log” from the “Monitor” menu.
  4. Click on the “Alerts” tab.
  5. Click on the “New alert rule” button.
  6. In the “Create rule” page, select the “Resource Manager” option.
  7. In the “Condition” section, select “Delete Network Security Group” from the “Event name” drop-down menu.
  8. In the “Actions” section, select “Create action group” and click on the “OK” button.
  9. In the “Create action group” page, provide a name for the action group, select the “Email/SMS/Push/Voice” option, and enter the email address or phone number to receive the alert.
  10. Click on the “OK” button to create the action group.
  11. In the “Create rule” page, provide a name for the alert rule, select the action group you just created, and click on the “Create alert rule” button.
You have now successfully remediated the misconfiguration “Ensure Activity Log Alert exists for Delete Network Security Group” for Azure using the Azure console. Now, whenever a network security group is deleted, an alert will be sent to the specified email address or phone number.

To remediate the misconfiguration of not having an Activity Log Alert for Delete Network Security Group in Azure using Azure CLI, follow these steps:
  1. Open Azure CLI on your machine.
  2. Run the following command to create an Activity Log Alert for Delete Network Security Group: 
az monitor activity-log alert create --name <Alert_Name> --description <Alert_Description> --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/delete --action email <Email_Address>
Replace <Alert_Name> with the name of the alert you want to create, <Alert_Description> with a brief description of the alert, and <Email_Address> with the email address to which the alert should be sent.
  1. Once the command is executed successfully, the alert will be created and configured to send an email notification whenever a Network Security Group is deleted.
  2. You can verify the alert by running the following command: 
az monitor activity-log alert list
This will display a list of all the activity log alerts configured in your Azure environment, including the one you just created.By following these steps, you can remediate the misconfiguration of not having an Activity Log Alert for Delete Network Security Group in Azure using Azure CLI.
To remediate the misconfiguration “Ensure Activity Log Alert exists for Delete Network Security Group” in Azure using Python, you can follow the below steps:Step 1: Install the Azure SDK for Python using the following pip command:
pip install azure-mgmt-monitor
Step 2: Use the below code to check if an Activity Log Alert exists for Delete Network Security Group:
from azure.mgmt.monitor import MonitorManagementClient
from azure.common.credentials import ServicePrincipalCredentials

# Replace with your tenant ID, client ID and client secret
tenant_id = '<your_tenant_id>'
client_id = '<your_client_id>'
client_secret = '<your_client_secret>'

# Replace with your subscription ID and resource group name
subscription_id = '<your_subscription_id>'
resource_group_name = '<your_resource_group_name>'

# Replace with your Activity Log Alert name and resource ID of the Network Security Group
activity_log_alert_name = '<your_activity_log_alert_name>'
network_security_group_resource_id = '<your_network_security_group_resource_id>'

# Create credentials object
credentials = ServicePrincipalCredentials(client_id=client_id, secret=client_secret, tenant=tenant_id)

# Create MonitorManagementClient object
monitor_client = MonitorManagementClient(credentials, subscription_id)

# Get Activity Log Alert by name
activity_log_alert = monitor_client.activity_log_alerts.get(resource_group_name, activity_log_alert_name)

# Get the condition of the Activity Log Alert
condition = activity_log_alert.condition.all_of[0].field_value == network_security_group_resource_id and activity_log_alert.condition.all_of[0].equals == 'Microsoft.Network/networkSecurityGroups/delete'

# Check if the Activity Log Alert exists for Delete Network Security Group
if activity_log_alert.enabled and condition:
    print('Activity Log Alert exists for Delete Network Security Group')
else:
    print('Activity Log Alert does not exist for Delete Network Security Group')
Step 3: If the output of the above code is “Activity Log Alert does not exist for Delete Network Security Group”, then you can use the below code to create an Activity Log Alert for Delete Network Security Group:
from azure.mgmt.monitor.models import *

# Replace with your Activity Log Alert name, description and resource ID of the Network Security Group
activity_log_alert_name = '<your_activity_log_alert_name>'
activity_log_alert_description = '<your_activity_log_alert_description>'
network_security_group_resource_id = '<your_network_security_group_resource_id>'

# Create the condition for the Activity Log Alert
condition = Condition(all_of=[ManagementEventRuleCondition(field='resourceId', equals=network_security_group_resource_id), ManagementEventRuleCondition(field='operationName', equals='Microsoft.Network/networkSecurityGroups/delete')])

# Create the Action Group for the Activity Log Alert
action_group = ActionGroup(action_group_id='<your_action_group_id>')

# Create the Activity Log Alert object
activity_log_alert = ActivityLogAlert(enabled=True, name=activity_log_alert_name, description=activity_log_alert_description, condition=condition, actions=[action_group])

# Create the Activity Log Alert
monitor_client.activity_log_alerts.create_or_update(resource_group_name, activity_log_alert_name, activity_log_alert)
Note: Replace the placeholders <your_tenant_id>, <your_client_id>, <your_client_secret>, <your_subscription_id>, <your_resource_group_name>, <your_activity_log_alert_name>, <your_activity_log_alert_description>, <your_network_security_group_resource_id> and <your_action_group_id> with the actual values for your Azure environment.

Additional Reading: