Network Security Group Rule Logging Disabled

Risk Level: Medium                 

Description 

The plugin ensures Activity Log alerts for the create or update and delete Network Security Group rule events are enabled. Monitoring for create or update and delete Network Security Group rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

About the Service

Alerts: Alerts in Azure in the most simple of terms can be termed as a notification centre for all the things in Azure. Users can create, view and manage all the alert rules from a single place including metric rules, log alerts and activity log alerts. Customized alerts can be created by selecting the alert target (can be resource, subscription or anything on their azure account), the rule condition managing action groups(specifications about actions to be taken whenever an alert is triggered). To sum up the entire basic process and working of the service, the user specifies the target, condition (logic or any condition when the alert should trigger) and action group. Azure monitors the provided target and when the specified conditions are met an alert is triggered and sent to the action group.

Impact 

Any changes in the network security group need to be notified, to ensure security and control over the organization’s network. 

Having no alert rule or disabled alert rule for Network Security Group Logging implies that there is no activity being recorded concerning the network security groups, which is a must needed thing in any organization to handle any misconfigurations before an incident occurs and for assessing the root cause problem after breaches. 

Steps to Reproduce

1. Log in to the Azure account.
2. From Azure services, select Alerts.
3. The Alerts page will open, select the Alert rules option. 
   
4. The alerts rule page will appear. By default, only the enabled alert rules are shown on the screen.
   
5. To check the list of disabled alert rules as well, go to the Status option and click on Select all.
   
6. Now we will check if any of the two things are existing and enabled, else move to the Steps to Remediation section:
   1. All the NSG alert rules combined should have "Create" and "Delete" rules enabled.
   2. Any one NSG alert rule has the condition "All Administrative functions"
   
   

Steps for Remediation

Create Alert Rule:

1. Log in to the Azure account.
2. From Azure services, select Alerts.
   
3. The Alerts page will open. Click on +Create.
   
4. Select the target resource by clicking on the Select Resource option.
   
5. Under the Conditions section, click on Add condition.
   
6. Click on the search bar and type “Network security group”, select the signal name stating “Create or update Network Security Groups diagnostic settings (Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings)” either with administrative or with create and delete permissions.
7. By default, the alert rule is enabled but it is recommended to cross verify it and then click on Create alert rule.
   

Enable Alert Rule:

1. Log in to the Azure account
2. From Azure services, select Alerts.
   
3. The Alerts page will open, select the Alert rules option. 
   
4. The alerts rule page will appear. By default, only the enabled alert rules are shown on the screen.
   
5. To check the list of disabled alert rules as well, go to the Status option and click on Select all.
   
6. To find alert rules based on:
   1. Rule name: Type in the alert rule name in the search bar.
      
   2. Rule Condition: To find the alert rule on the basis of condition, type “networkSecurityGroups/securityRules”.
      
7. Select all the disabled alert rules by clicking on the checkbox.
   
8. Click on Enable and wait for the changes to save.
   

Please feel free to reach out to support@pingsafe.ai with any questions that you may have.

Thanks

PingSafe Support