Hi,
A couple of options here I can think of:
- Diagnostic settings streaming to Log Analytics (from the network security group). The Network Security Group Event category logs the VM and security rule applied when changes are made to an NSG. Hence getting the latest log will tell you if there is an allow rule with the port 3389.
- Using the in-preview Azure Resource Graph. This allows ARG queries to be used in Log Analytics queries. More info here: https://azure.microsoft.com/en-us/updates/public-preview-azure-log-alerts-support-for-azure-resource-graph-arg/
Using this you could write a query like:
arg("").Resources
| where type == "microsoft.network/networksecuritygroups"
| mv-expand properties["securityRules"]
| where properties['securityRules'] contains "Allow" and properties['securityRules'] contains "3389"
This code works within Azure Resource Graph Explorer but doesn't seem to work in Log Analytics, which may be a bug?
Please note the usage of preview features https://azure.microsoft.com/en-gb/support/legal/preview-supplemental-terms
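
Added example, not part of the original post: a Python check over an NSG's `securityRules` array that goes beyond the string match in the query above by also catching rules that cover 3389 through `*` or a port range, while skipping Deny rules, outbound rules and look-alike ports such as 33890. The sample rules are constructed, and the rule shape (fields nested under `properties`, as Azure Resource Graph returns them) is an assumption.

```python
import json

# Constructed sample: the securityRules array of one NSG, in the shape
# Azure Resource Graph returns under properties.securityRules (assumption).
SAMPLE_RULES = json.loads("""
[
 {"name": "allow-rdp", "properties": {"access": "Allow", "direction": "Inbound",
   "priority": 300, "sourceAddressPrefix": "*",
   "destinationPortRange": "3389", "destinationPortRanges": []}},
 {"name": "allow-mgmt-range", "properties": {"access": "Allow", "direction": "Inbound",
   "priority": 310, "sourceAddressPrefix": "10.0.0.0/8",
   "destinationPortRanges": ["22", "3000-4000"]}},
 {"name": "deny-rdp", "properties": {"access": "Deny", "direction": "Inbound",
   "priority": 100, "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
 {"name": "allow-out-3389", "properties": {"access": "Allow", "direction": "Outbound",
   "priority": 200, "destinationPortRange": "3389"}},
 {"name": "allow-33890", "properties": {"access": "Allow", "direction": "Inbound",
   "priority": 320, "destinationPortRange": "33890"}}
]
""")

def port_in_spec(port, spec):
    """True if port falls inside one NSG port spec: '*', 'N' or 'N-M'."""
    spec = spec.strip()
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def rules_allowing(rules, port=3389):
    """Names of inbound Allow rules whose destination ports cover `port`,
    ordered by priority (lowest number, i.e. evaluated first, comes first)."""
    hits = []
    for rule in rules:
        p = rule.get("properties", {})
        if p.get("access", "").lower() != "allow":
            continue
        if p.get("direction", "").lower() != "inbound":
            continue
        # A rule may use the single-value field, the list field, or both.
        specs = list(p.get("destinationPortRanges") or [])
        if p.get("destinationPortRange"):
            specs.append(p["destinationPortRange"])
        if any(port_in_spec(port, s) for s in specs):
            hits.append((p.get("priority", 0), rule["name"]))
    return [name for _, name in sorted(hits)]

if __name__ == "__main__":
    print(rules_allowing(SAMPLE_RULES))
```

This lists candidate rules only; it does not evaluate whether a higher-priority Deny rule (such as `deny-rdp` in the sample) overrides them for a given source.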