Description:
Create an activity log alert for the Delete Network Security Group Rule event.
Rationale:
Monitoring for Delete Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.
From Azure Console
Using Azure Command Line Interface
Use the below command to create an Activity Log Alert for 'Delete Network Security Groups rule'
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@"input.json"'
Where 'input.json' contains the Request body JSON data as mentioned below.
{
"location": "Global",
"tags": {},
"properties": {
"scopes": [
"/subscriptions/"
],
"enabled": true,
"condition": {
"allOf": [
{
"containsAny": null,
"equals": "Administrative",
"field": "category"
},
{
"containsAny": null,
"equals": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
"field": "operationName"
}
]
},
"actions": {
"actionGroups": [
{
"actionGroupId": "/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/",
"webhookProperties": null
}
]
},
}
}
Configurable Parameters for command line:
Configurable Parameters for 'input.json':
in scopes
in actionGroupId
in actionGroupId
in actionGroupId
.