Monitor and Alert for NSG Rule Change

Question

Tuesday, July 16, 2019 6:11 PM

I am looking to create an alert for whenever an NSG rule is created or updated within an NSG. In the Activity log for the NSG, this action is recorded as "Create or Update Security Rule." 

However, when using Azure Monitor, or Azure Event Hubs, there are only 4 signal options to alert for when creating an alert:

All Administrative Operations

Create or Update Network Security Group

Delete Network Security Group

Join Network Security Group

"All Administrative Operations" and "Create or Update Network Security Group" both do not send an email alert when a Rule is updated. Does anyone know how to monitor for the NSG rule changes and send an alert based on that action occurring?

All replies (1)

Wednesday, July 17, 2019 8:32 AM

The ARM template below might help you create an alert for NSG rule changes.

{  
   "$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion":"1.0.0.0",
   "parameters":{  
      "activityLogAlertName":{  
         "type":"string",
         "metadata":{  
            "description":"Unique name (within the Resource Group) for the Activity log alert."
         }
      },
      "activityLogAlertEnabled":{  
         "type":"bool",
         "defaultValue":true,
         "metadata":{  
            "description":"Indicates whether or not the alert is enabled."
         }
      },
      "actionGroupResourceId":{  
         "type":"string",
         "metadata":{  
            "description":"Resource Id for the Action group."
         }
      }
   },
   "resources":[  
      {  
         "type":"Microsoft.Insights/activityLogAlerts",
         "apiVersion":"2017-04-01",
         "name":"[concat(parameters('activityLogAlertName'),'-creatOrUpdate')]",
         "location":"Global",
         "properties":{  
            "enabled":"[parameters('activityLogAlertEnabled')]",
            "scopes":[  
               "[subscription().id]"
            ],
            "condition":{  
               "allOf":[  
                  {  
                     "field":"category",
                     "equals":"Administrative"
                  },
                  {  
                     "field":"resourceType",
                     "equals":"Microsoft.Network/networkSecurityGroups/securityRules"
                  },
                  {  
                     "field":"status",
                     "equals":"Succeeded"
                  },
                  {  
                     "field":"operationName",
                     "equals":"Microsoft.Network/networkSecurityGroups/securityRules/write"
                  }
               ]
            },
            "actions":{  
               "actionGroups":[  
                  {  
                     "actionGroupId":"[parameters('actionGroupResourceId')]"
                  }
               ]
            }
         }
      }
   ]
}
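
An added example, not part of the original reply: a Python check that applies the template's four "allOf" clauses to constructed Activity Log records to show which operations the alert condition covers. The record shape (fields nested under "value"), the case-insensitive comparison and the helper names are assumptions.

```python
NSG = "Microsoft.Network/networkSecurityGroups"

# The "allOf" clauses from the template above, as (field, equals) pairs.
CONDITION = [
    ("category", "Administrative"),
    ("resourceType", NSG + "/securityRules"),
    ("status", "Succeeded"),
    ("operationName", NSG + "/securityRules/write"),
]


def event(label, resource_type, operation, status="Succeeded"):
    """Constructed Activity Log record; fields nested under 'value' (assumed shape)."""
    return {
        "label": label,
        "category": {"value": "Administrative"},
        "resourceType": {"value": resource_type},
        "operationName": {"value": operation},
        "status": {"value": status},
    }


# Constructed sample events, not taken from a real subscription.
EVENTS = [
    event("rule-write-ok", NSG + "/securityRules", NSG + "/securityRules/write"),
    event("rule-write-started", NSG + "/securityRules", NSG + "/securityRules/write", "Started"),
    event("rule-delete", NSG + "/securityRules", NSG + "/securityRules/delete"),
    event("nsg-write", NSG, NSG + "/write"),
]


def field_value(record, field):
    """Read a field stored either as a plain string or as {'value': ...}."""
    raw = record.get(field)
    return raw.get("value") if isinstance(raw, dict) else raw


def matches(record):
    """True when every clause equals the record's field (case-insensitive: assumption)."""
    return all(
        str(field_value(record, field)).lower() == expected.lower()
        for field, expected in CONDITION
    )


if __name__ == "__main__":
    for e in EVENTS:
        print(f"{e['label']:<20} {'ALERT' if matches(e) else 'no match'}")
```

Of the constructed events only the succeeded rule write matches; the rule delete and the NSG-level write carry a different operationName, so alerting on them would need additional conditions.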