Monitor Network Security Groups

Risk Level: Medium (should be achieved)

Rule ID: SecurityCenter-007

Ensure that the Network Security Groups (NSGs) monitoring is enabled at the subnet level within your Microsoft Azure cloud account.

Security

When monitoring of NSGs is enabled at the subnet level, Microsoft Defender for Cloud detects Network Security Groups with overly permissive rules and recommends that these be properly configured in order to control the inbound and outbound traffic to and from the associated subnets.

Audit

To determine if the monitoring of Network Security Groups (NSGs) on subnets is enabled within the Microsoft Defender for Cloud security policy, perform the following actions:

Using Azure Console

Sign in to the Microsoft Azure Portal.
Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.
In the main navigation panel, under Management, choose Environment settings.
Click on the name (link) of the Azure subscription that you want to examine.
In the navigation panel, under Policy settings, choose Security policy.
In the Default initiative section, click on the name of the default initiative enabled for the selected subscription (i.e. ASC Default (subscription: <subscription-id>)).
Choose the Parameters tab, uncheck Only show parameters that need input or review, and search for the following parameter: Network Security Groups on the subnet level should be enabled. If the Network Security Groups on the subnet level should be enabled parameter is set to Disabled, the Network Security Group (NSG) monitoring on subnets is not enabled in the selected Azure subscription.
Repeat steps no. 4 – 7 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI and PowerShell

Run account get-access-token command (Windows/macOS/Linux) using custom query filters to determine if the monitoring of Network Security Groups (NSGs) on subnets is enabled within the current Azure subscription by checking the networkSecurityGroupsOnSubnetsMonitoringEffect configuration parameter value:

az account get-access-token
  --query "{subscription:subscription,accessToken:accessToken}"
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn")'|jq '.properties.parameters.networkSecurityGroupsOnSubnetsMonitoringEffect.value'

The command output should return the requested parameter value:
```
"Disabled"
```
If the account get-access-token command output returns "Disabled", as shown in the output example above, the Network Security Group (NSG) monitoring on subnets is not enabled within the current Azure subscription.
Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your Azure cloud account.

Remediation / Resolution

To enable the monitoring of Network Security Groups (NSGs) at the subnet level within the Microsoft Defender for Cloud security policy, perform the following actions:

Using Azure Console

Sign in to the Microsoft Azure Portal.
Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.
In the main navigation panel, under Management, choose Environment settings.
Click on the name (link) of the Azure subscription that you want to access.
In the navigation panel, under Policy settings, choose Security policy.
In the Default initiative section, click on the name of the default initiative enabled for the selected subscription (i.e. ASC Default (subscription: <subscription-id>)).
Choose the Parameters tab and uncheck the Only show parameters that need input or review checkbox to list all the initiative parameters.
Select AuditIfNotExists from the Network Security Groups on the subnet level should be enabled parameter dropdown list to enable the monitoring of Network Security Groups (NSGs) at the subnet level, in the selected Azure subscription.
Select Review + save to review the configuration changes, then choose Save to apply the new changes. If the operation is successful, the following confirmation message should be displayed: "Updating policy assignment succeeded".
Repeat steps no. 4 – 9 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI and PowerShell

Define the configuration parameters for the account get-access-token command, where the networkSecurityGroupsOnSubnetsMonitoringEffect parameter is enabled to turn on the monitoring feature. Save the configuration document to a JSON file named enable-nsg-subnet-level-monitoring.json and replace the highlighted details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account subscription details:

{
  "properties":{
     "displayName":"ASC Default (subscription: <azure-subscription-id>)",
     "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
     "scope":"/subscriptions/<azure-subscription-id>",
     "parameters":{
        "networkSecurityGroupsOnSubnetsMonitoringEffect":{
           "value":"AuditIfNotExists"
        }
     }
  },
  "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type":"Microsoft.Authorization/policyAssignments",
  "name":"SecurityCenterBuiltIn",
  "location":"eastus"
}

Run account get-access-token command (Windows/macOS/Linux) using the configuration document defined at the previous step (i.e. enable-nsg-subnet-level-monitoring.json file), to enable the monitoring of Network Security Groups (NSGs) at the subnet level, within the current Azure subscription:

az account get-access-token
  --query "{subscription:subscription,accessToken:accessToken}"
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d@"enable-nsg-subnet-level-monitoring.json"'

The command output should return information about the modified configuration parameter:

{
  "sku": {
    "name": "A0",
    "tier": "Free"
  },
  "properties": {
    "displayName": "ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1234abcd-1234-1234-1234-abcd1234abcd",
    "scope": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
    "parameters": {
      "networkSecurityGroupsOnSubnetsMonitoringEffect": {
        "value": "AuditIfNotExists"
      }
    },
    "metadata": {
      "createdBy": "abcdabcd-1234-1234-1234-abcdabcdabcd",
      "createdOn": "2019-05-17T15:38:40.3473931Z",
      "updatedBy": "1234abcd-1234-1234-1234-abcd1234abcd",
      "updatedOn": "2022-02-01T21:22:40.7422203Z"
    }
  },
  "id": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "SecurityCenterBuiltIn",
  "location": "eastus"
}

Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.

References

Azure Command Line Interface (CLI) Documentation
az
az account get-access-token

Publication date May 21, 2019

Audit

Using Azure Console

Using Azure CLI and PowerShell

Remediation / Resolution

Using Azure Console

Using Azure CLI and PowerShell

References

Related SecurityCenter rules