Description:
Create an activity log alert for the Create or Update Network Security Group Rule event.
Rationale:
Monitoring for Create or Update Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.
From Azure Console
Using Azure Command Line Interface
Use the command below to create an Activity Log Alert for 'Create or Update Network Security Group Rule':
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@"input.json"'
where 'input.json' contains the request body JSON shown below.
{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": [
      "/subscriptions/"
    ],
    "enabled": true,
    "condition": {
      "allOf": [
        {
          "containsAny": null,
          "equals": "Administrative",
          "field": "category"
        },
        {
          "containsAny": null,
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "field": "operationName"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/",
          "webhookProperties": null
        }
      ]
    }
  }
}
Configurable Parameters for command line:
Configurable Parameters for 'input.json':
in scopes
in actionGroupId
in actionGroupId
in actionGroupId
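As an added example (not part of the benchmark text or of any Azure tooling), the Python below builds the request body above from caller-supplied ids and audits an existing activity log alert against this recommendation: enabled, scoped to the whole subscription, matching category Administrative and the securityRules/write operation, with at least one action group attached. The function names are my own, and the subscription id, resource group and action group names in the sample list are constructed placeholders.

```python
NSG_RULE_WRITE = "Microsoft.Network/networkSecurityGroups/securityRules/write"

def build_alert_body(subscription_id, action_group_id):
    """The PUT body shown above, with caller-supplied ids instead of placeholders."""
    return {
        "location": "Global",
        "tags": {},
        "properties": {
            "scopes": [f"/subscriptions/{subscription_id}"],
            "enabled": True,
            "condition": {"allOf": [
                {"containsAny": None, "equals": "Administrative", "field": "category"},
                {"containsAny": None, "equals": NSG_RULE_WRITE, "field": "operationName"},
            ]},
            "actions": {"actionGroups": [{"actionGroupId": action_group_id, "webhookProperties": None}]},
        },
    }


def alert_is_compliant(alert, subscription_id):
    """Audit one activityLogAlerts resource as returned by GET (ids compare case-insensitively)."""
    props = alert.get("properties", {})
    if not props.get("enabled", False):
        return False
    # Scope must be the whole subscription, not just one resource group.
    scopes = [s.lower() for s in props.get("scopes", [])]
    if f"/subscriptions/{subscription_id}".lower() not in scopes:
        return False
    conds = {c.get("field"): (c.get("equals") or "").lower()
             for c in props.get("condition", {}).get("allOf", [])}
    if conds.get("category") != "administrative":
        return False
    if conds.get("operationName") != NSG_RULE_WRITE.lower():
        return False
    # Without an action group the alert fires but notifies nobody.
    return bool(props.get("actions", {}).get("actionGroups"))


def compliant_alert_names(list_response, subscription_id):
    """Names of compliant alerts in a parsed GET .../activityLogAlerts list response."""
    alerts = list_response.get("value", [])
    return sorted(a["name"] for a in alerts if alert_is_compliant(a, subscription_id))


# Constructed sample list response with placeholder ids (not real data).
SUB = "00000000-0000-0000-0000-000000000000"
AG = f"/subscriptions/{SUB}/resourceGroups/rg-sec/providers/microsoft.insights/actionGroups/ag-soc"
RG_ONLY = build_alert_body(SUB + "/resourceGroups/rg-net", AG)  # scoped to one resource group only
SAMPLE_LIST = {"value": [{"name": "nsg-rule-writes", **build_alert_body(SUB, AG)},
                         {"name": "nsg-rule-writes-rg", **RG_ONLY}]}
```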