AZT506 - Network Security Group Modification

Adversaries can modify the rules in a Network Security Group to establish access over additional ports.

Resource

Network Security Group

Actions

• Microsoft.Network/networkSecurityGroups/*

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Set-AzNetworkSecurityRuleConfig

az network nsg rule

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{networkSecurityGroupName}/securityRules/{securityRuleName}?api-version=2021-08-01

Detections

Logs

Data Source	Operation Name	Action	Log Location
Resource	Create or Update Security Rule	Microsoft.Network/networkSecurityGroups/securityRules/write	Azure Activity Log

Queries

Log Analytics

      |where OperationNameValue=="Microsoft.Network/networkSecurityGroups/securityRules/write"

Additional Resources

https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group