Logging and monitoring are a critical requirement when trying to identify, detect, and mitigate security threats. Having a proper logging policy can ensure you can determine when a security violation has occurred, but also potentially identify the culprit responsible. Azure Activity logs provide data about both external access to a resources and diagnostic logs, which provide information about the operation of that specific resource.
The Azure Activity Log provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events. The Activity Log was previously known as Audit Logs or Operational Logs, since the Administrative category reports control-plane events for your subscriptions. There is a single Activity Log for each Azure subscription. It provides data about the operations on a resource from the outside. Diagnostic Logs are emitted by a resource and provide information about the operation of that resource. You must enable diagnostic settings for each resource.
- In the Azure Portal go to Monitor, then select Activity log.
- Click on Export to Event Hub.
- Configure the following settings then click Save.
- Region: EastUS
- Select: Export to Storage Account
- Storage Account: Select your storage account and click OK
- Retention: 90 days
- Select Save.
Setting the Retention (days) to 0 retains the data forever.
- Follow the steps listed above. Adjust the Retention days slider bar.
By default, no monitoring alerts are created when NSGs are created/updated/deleted. Changing or deleting a security group can allow internal resources to be accessed from improper sources, or for unexpected outbound network traffic.
- In to the Azure portal go to Monitor, then select Alerts.
- Select + New alert rule.
- In the Resource section click Select.
- Select your subscription and click Done.
- In the Condition section click Add.
- Search for Create or Update Network Security Group and select it.
- On the Configure signal logic blade, in the Event initiated by enter any and click Done.
- In the Actions section click Create action group.
- On the Add action group blade enter the following details:
- Action group name: NSG Alert
- Short name: NSGAlert
- Action Name: NSG Alert
- Action type: Email/SMS/Push/Voice
- On the Email/SMS/Push/Voice blade check the email box and enter your email address and click OK.
- On the Add action group blade click OK.
- On the Create rule blade, in the Alert Details section enter the following details:
- Alert rule name: NSG Alert
- Save to resource group: myResourceGroup
- Click Create alert rule