
AZT506 - Network Security Group Modification

Adversaries can modify the rules in a Network Security Group to establish access over additional ports.

Resource

Network Security Group

Actions

  • Microsoft.Network/networkSecurityGroups/*

Detections

Logs

| Data Source | Operation Name | Action | Log Provider |
|---|---|---|---|
| Resource | Create or Update Security Rule | Microsoft.Network/networkSecurityGroups/securityRules/write | AzureActivity |

Queries

Platform: Log Analytics

```kql
AzureActivity
| where OperationNameValue == 'MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE'
```
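The query above extended for triage, as an added example that is not part of the original page: it keeps only writes that succeeded and groups them by caller and NSG, so a reviewer sees who changed which rules and from where. `SampleActivity` and every row in it are constructed so the query runs in any workspace; replace `SampleActivity` with `AzureActivity` to run it on real data.

```kql
// Constructed sample rows standing in for the AzureActivity table (not real data).
// The subscription ID, callers, IP addresses, NSG names and rule names are placeholders.
let SampleActivity = datatable(
    TimeGenerated: datetime, OperationNameValue: string, ActivityStatusValue: string,
    Caller: string, CallerIpAddress: string, _ResourceId: string)
[
    // One rule write normally produces a Start record followed by a Success or Failure record.
    datetime(2024-01-10 09:00:01), "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE", "Start",
        "alice@example.com", "203.0.113.10",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-app/providers/microsoft.network/networksecuritygroups/nsg-web/securityrules/allow-8443",
    datetime(2024-01-10 09:00:03), "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE", "Success",
        "alice@example.com", "203.0.113.10",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-app/providers/microsoft.network/networksecuritygroups/nsg-web/securityrules/allow-8443",
    datetime(2024-01-10 09:04:40), "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE", "Success",
        "alice@example.com", "203.0.113.10",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-app/providers/microsoft.network/networksecuritygroups/nsg-web/securityrules/allow-3389",
    // A denied attempt: excluded below, but worth a separate hunt for failed writes.
    datetime(2024-01-10 11:30:00), "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE", "Failure",
        "bob@example.com", "198.51.100.7",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-data/providers/microsoft.network/networksecuritygroups/nsg-db/securityrules/allow-22",
    // An unrelated operation: must not match the filter.
    datetime(2024-01-10 12:00:00), "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Success",
        "alice@example.com", "203.0.113.10",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-app/providers/microsoft.compute/virtualmachines/vm-web-01"
];
SampleActivity
// =~ compares case-insensitively, so the filter does not depend on how the operation name is cased.
| where OperationNameValue =~ "Microsoft.Network/networkSecurityGroups/securityRules/write"
// Keep only completed changes; Start records would double-count each write.
| where ActivityStatusValue =~ "Success"
// Pull the NSG and rule names out of the resource ID for readable output.
| extend Nsg = extract(@"(?i)/networksecuritygroups/([^/]+)", 1, _ResourceId),
         Rule = extract(@"(?i)/securityrules/([^/]+)", 1, _ResourceId)
| summarize RuleWrites = count(),
            Rules = make_set(Rule),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Caller, CallerIpAddress, Nsg
| order by RuleWrites desc
```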
