How to receive an email on Azure Network Security Group Rule changes

Abs07act

Microsoft Azure Portal already gives a capability to receive an email alert when new Azure Network Security Group  (NSG) is added or existing is deleted. However there is no option today to receive an email when individual NSG security rules are added, deleted or modified. This post will provide the solution to receive emails on Azure NSG security rules changes which isn’t offered by Azure Portal.

If you are chief security officer of the company, then you definitely understand why do you care to receive an alert when NSG rules are changed.

NSG’s are fundamental to res07ict/ allow access in Azure IaaS VM deployments. They offer con07olled access using source and destination port, protocol and IP. So as a security best practice any Azure VM (Network Interface Card) NIC or Subnet in VNET should have NSG associated to it.
Having said that, maintaining rules in NSG is critical. Hence many times Azure portal adminis07ators, CISO staff, IT head, Security head will always love to receive an email in Inbox to verify if the NSG security rule added/ modified/ deleted is after appropriate approval or no.

Creating alert is possible from Azure Monitor services. For example, if I want to create alert of NSG creation or deletion then below is the screenshot which shows how exactly you can configure alert.





As you can see in the above screenshot, there is no resource type available for NSG Security Rules. So, you may get under impression that “email alert on NSG security rule change can’t be configured”; which is wrong. The rule of thumb for Microsoft Azure I follow is
“If any functionality in not achievable from the Azure Portal then 07y it using Azure PowerShell or Azure ARM Templates.”
So, email alert on NSG security rule change can’t be configured from Portal however it is possible to configure using ARM Template.
Also, we need to create an “Action Group” on Azure portal so as to receive the email. So as a summary we will need below artifacts from Azure  -
1.      Azure ARM template to create Alert
2.      Action group to send emails
3.      Resource group which will contain the alert and action group.
So let’s get started.

Creation an action group to send emails as per the steps mentioned in the link - https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-action-groups

I have created an action group named as AdminsActionsGroup as shown below with Email as Action type –



After successful creation action group, you will receive an email about welcome as shown below –



Copy the resource ID for future use from overview tab as shown below –


A sample ARM script to create an Activity Log alert using ARM is available here - https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-create-activity-log-alerts-with-resource-manager-template


Out of the base ARM template present in above link, we need to replace the operationName for NSG rules Write operation as shown below –



Then search “templates” store at the top in Azure portal. Click on “add”, then provide the suitable name and description for the template. Copy the ARM template we created in above step. After adding the template it will be visible as below –



Complete template download is available at the end of this post.

Click on the Deploy button as highlighted in above screenshot. Provide the action group resource id copied in above steps. Then click on “accept terms and condition” and then click on “Purchase” to complete deployment.



You can view the created alert as shown below –




Modify the security rule of any NSG present in Azure subscription and you should receive an email.

The approach is same. We need to create another alert for delete operation of NSG rules. Only the operation name will change as below –




Hope this helps.
Download complete script - https://gallery.technet.microsoft.com/Receive-an-email-on-Azure-6ebdd9a5