AZT506 - Network Security Group Modification

Adversaries can modify the rules in a Network Security Group to establish access over additional ports.

Resource

Network Security Group

Actions

• Microsoft.Network/networkSecurityGroups/*

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Set-AzNetworkSecurityRuleConfig

az network nsg rule

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{networkSecurityGroupName}/securityRules/{securityRuleName}?api-version=2021-08-01

Detections

Logs

Data Source	Operation Name	Action	Log Provider
Resource	Create or Update Security Rule	Microsoft.Network/networkSecurityGroups/securityRules/write	AzureActivity

Queries

Platform	Query
Log Analytics	AzureActivity | where OperationNameValue=='MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE'

Azure Monitor Alert

Additional Resources

https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group