KQL Query to match NSG Inbound Rules with other Resource Group NSG Inbound Rules.

Rahul 276 Reputation points
2023-05-02T10:57:03.2933333+00:00

Hello Team,

I'm looking to create an Azure monitor alert to compare NSG Inbound Rules with other RG NSG Rules. If the Rules did not match then should be fired an alert.

For the same, I enabled Diagnostic settings under both NSG and set the same Log Analytics Workspace one week ago.

MicrosoftTeams-image (3)

MicrosoftTeams-image (4)

The Table ("Azure Activity") under Log Analytics Workspace won't show me any Results. What would be the cause?

MicrosoftTeams-image (5)

Secondly, how it possible to compare using KQL? the KQL Query as per below is correct?

let primary_nsg = "<primary_nsg_name>";
let secondary_nsg = "<secondary_nsg_name>";
let primary_rg = "<primary_resource_group_name>";
let secondary_rg = "<secondary_resource_group_name>";
let primary_rules = AzureNetworkSecurityGroupRule
| where ResourceGroup == primary_rg and SecurityRuleDirection == "Inbound" and NetworkSecurityGroupName == primary_nsg
| project-away ResourceId, SubscriptionId, ResourceGroup, NetworkSecurityGroupName;
let secondary_rules = AzureNetworkSecurityGroupRule
| where ResourceGroup == secondary_rg and SecurityRuleDirection == "Inbound" and NetworkSecurityGroupName == secondary_nsg
| project-away ResourceId, SubscriptionId, ResourceGroup, NetworkSecurityGroupName;
let diff = set_difference(primary_rules, secondary_rules);
Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,785 questions
Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,072 questions
Azure Network Watcher
Azure Network Watcher
An Azure service that is used to monitor, diagnose, and gain insights into network performance and health.
156 questions
0 comments
Accepted answer
  1. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2023-05-02T11:53:56.2766667+00:00

    Activity logs only get recorded when a change is made and are retained for 90 days. A diagnostic setting will only transfer new changes. This method could only find duplicate NSG rules they were both made withing that timeframe. Your workspace may also be on the default 30 days retention. It might be better to query the Resource Graph to compare all current NSG rules. Unfortunately, I don't think you can call the resource graph from an alert rule. Workbooks can query the graph. Maybe a workbook that lists all of the NSG rules and flags duplicates would be sufficient. I wouldn't be surprised if there is already a workbook to help review NSG configuration. I think Defender for Servers does some NSG evaluation called Adaptive Network Hardening.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Monalla-MSFT 11,551 Reputation points
    2023-05-09T21:56:20.2833333+00:00

    @Rahul - Thanks for reaching out to us and for being patient while I was trying to gather more information on this.

    So, this feature is currently being developed for this semester and I am gathering more information on the timelines. And at this moment the workaround is looks like you needed Infra-as-code, ideally you would have their desired state for NSGs in some git repo, and that would be then propagated (for example, daily) to both regions.

    If you don't want to go IaC just yet, I would recommend building something with Azure Automation and Azure Resource Graph: a PowerShell script could check the NSGs, and raise an alert when there is a discrepancy. The script could be either run periodically or triggered by changes to NSGs.

    Hope this helps. and please feel free to reach out if you have any further questions.

    If the above response was helpful, please feel free to "Accept as Answer" and click "Yes" so it can be beneficial to the community.

    0 comments