Activity Log

Network Security Groups Logging Disabled

Risk Level- Medium 

Description 

This plugin ensures Activity Log alerts for the create or update and delete Network Security Group events are defined as well as enabled. Monitoring for create or update and delete Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. 

About the Service

Alerts: Alerts in Azure in the most simple of terms can be termed as a notification centre for all the things in Azure. Users can create, view and manage all the alert rules from a single place including metric rules, log alerts and activity log alerts. Customized  alerts can be created by selecting the alert target (can be resource, subscription or anything on their azure account), the rule condition managing action groups(specifications about actions to be taken whenever an alert is triggered). To sum up the entire basic process and working of the service, the user specifies the target, condition (logic or any condition when the alert should trigger) and action group. Azure monitors the provided target and when the specified conditions are met an alert is triggered and sent to the action group.

Impact 

The importance of network security in an organization is already known, and to achieve this, the administration and management of network security groups is a necessity. But, when the alert rule regarding creation, updation or deletion of a network security group is not enabled, it leads to administrative mismanagement with any unwanted updation or deletion of any security group that may go unnoticed which can cause severe damages and invite security threats for the company.

Steps to Reproduce-

  1. Login to the Azure account
  2. From Azure services, select Alerts.
  3. The Alerts page will open, select the Alert rules option. 
  4. The alerts rule page will appear. By default, only the enabled alert rules are shown on the screen.
  5. To check the list of disabled alert rules as well, go to the Status option and click on Select all.
  6. Now we will check for 2 things:
    1. Whether the NSG Logging create, update or delete rule is created.
    2. If the NSG Logging create, update or delete alert rule is created then is it enabled.
  7. Search alert rules based on rule name:
    1. If the user remembers the NSG Logging alert rule name, simply type it in the search bar given above the list of subscriptions.
    2. Now check the status of the alert rule and check the Status. If the Status is set as Disabled, we need to enable it. To do so follow from steps under the Steps for Remediation section given next to the current section(Steps to reproduce).  
  8. Search alert rules based on condition:
    1. In case the rule name is not known, in the search bar type ‘networkSecurityGroups’ and if the status is set as Disabled then go to Steps for Remediation section and follow the steps.
  9. Else, if the screen appears blank, we will have to create a security policy rule first. To check the steps of creating a security policy rule, click here.   

Steps for Remediation

Create Alert Rule:

  1. Login to the Azure account.
  2. From Azure services, select Alerts.
  3. The Alerts page will open. Click on +Create.
  4. Select the target resource by clicking on the Select Resource option.
  5. Under the Conditions section, click on Add condition.
  6. Click on the search bar and type “Network security group”, select the signal name stating “Create or update Network Security Groups diagnostic settings (Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings)”.
  7. Users can also select an action group but that is optional. Next, provide the alert rule name as desired and give a little description to it for later reference (optional). 
  8. By default, the alert rule is enabled but it is recommended to cross verify it and then click on Create alert rule.

Enable Alert Rule:

  1. Login to the Azure account.
  2. From Azure services, select Alerts.
  3. The Alerts page will open. Click on alert rules.
  4. To check the list of disabled alert rules as well, go to the Status option and click on Select all.
  5. To search alert rules based on:
    1. Rule name: Type the rule name in the search bar.
    2. Rule condition: In the search bar write, “networkSecurityGroups”. 
  6. The required alert rule(s) will appear on the screen. Click on the check-box of the concerning alert rule(s). 
  7. Click on Enable and wait for a few minutes for the changes to get reflected.

Please feel free to reach out to support@pingsafe.ai with any questions that you may have.

Thanks

PingSafe Support