Azure API calls indicating NSG deletion

ID: azure_nsg_deleted
Data type: Azure Activity
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1562.007

Description

AlphaSOC detected deletion of an Azure Network Security Group (NSG) or its security rules. NSGs provide network access controls for Azure resources. Deleting NSGs or security rules removes these network protections, potentially exposing resources to unauthorized access or enabling attacker lateral movement.

Impact

Deleting NSGs eliminates network-level security controls, exposing Azure resources to unrestricted network access. This can allow attackers to directly access protected resources, perform lateral movement within the environment, or establish unauthorized connections. The removal of security rules may also disrupt legitimate network segmentation.

Severity

Severity | Condition
Informational | Unexpected action, ASN, user agent or region
Low | Two unexpected properties at the same time
Medium | Three unexpected properties at the same time

Investigation and Remediation

Review Azure Activity logs for the Microsoft.Network/networkSecurityGroups/delete or Microsoft.Network/networkSecurityGroups/securityRules/delete events. Identify which NSG or rules were deleted and the principal responsible for the action.

If unauthorized, immediately recreate the deleted NSG or rules to restore network protections. Review network logs for suspicious connections during the period when protections were absent. Rotate credentials for the compromised identity and implement Azure Policy to prevent unauthorized NSG deletions.
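
The log review described above and the tiers from the Severity table, as an added example that is not AlphaSOC's own code. It assumes Activity log records exported as JSON with the fields eventTimestamp, caller, operationName, status and resourceId; the sample records, the per-principal baseline and the enriched properties (action, asn, user_agent, region) are constructed for illustration.

```python
# Added example: triage exported Azure Activity log records for NSG deletions.
NSG_DELETE_OPS = {
    "microsoft.network/networksecuritygroups/delete",
    "microsoft.network/networksecuritygroups/securityrules/delete",
}
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}  # tiers from the Severity table
PROPERTIES = ("action", "asn", "user_agent", "region")  # hypothetical enrichment keys


def _value(field):
    # Accepts the nested {"value": ...} form and tolerates plain strings too.
    raw = field.get("value") if isinstance(field, dict) else field
    return (raw or "").lower()


def find_nsg_deletions(records):
    """Return (timestamp, principal, deleted resource) per successful deletion."""
    return [
        (r.get("eventTimestamp"), r.get("caller"), r.get("resourceId"))
        for r in records
        if _value(r.get("operationName")) in NSG_DELETE_OPS
        and _value(r.get("status")) == "succeeded"
    ]


def severity(observed, baseline):
    """Map the number of properties unseen in the principal's baseline to a tier."""
    unexpected = [p for p in PROPERTIES if observed.get(p) not in baseline.get(p, ())]
    # Assumption: the page lists no tier above Medium, so four unexpected stays Medium.
    return SEVERITY.get(min(len(unexpected), 3)), unexpected


NSG = ("/subscriptions/SUB-ID/resourceGroups/rg-app/providers/"
       "Microsoft.Network/networkSecurityGroups/nsg-web")  # placeholder resource ID
SAMPLE = [  # constructed records, trimmed to the fields used above
    {"eventTimestamp": "2024-05-01T10:02:11Z", "caller": "ops@example.com",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/delete"},
     "status": {"value": "Succeeded"}, "resourceId": NSG + "/securityRules/allow-ssh"},
    {"eventTimestamp": "2024-05-01T10:03:40Z", "caller": "ops@example.com",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/write"},
     "status": {"value": "Succeeded"}, "resourceId": NSG},
    {"eventTimestamp": "2024-05-01T10:05:02Z", "caller": "svc-deploy@example.com",
     "operationName": "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE",
     "status": "Succeeded", "resourceId": NSG},
]

if __name__ == "__main__":
    for when, who, what in find_nsg_deletions(SAMPLE):
        print(when, who, what)
```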

Known False Positives

  • Administrators decommissioning resources and their associated NSGs
  • Infrastructure reorganization activities
  • Cleanup of unused security rules