Azure API calls indicating NSG modification
Description
AlphaSOC detected modification of an Azure Network Security Group (NSG) or its security rules. NSGs control inbound and outbound network traffic to Azure resources. Adversaries may modify NSG rules to open unauthorized network access, enable lateral movement, or create backdoor entry points into the cloud environment.
Impact
Unauthorized NSG modifications can weaken network segmentation and expose Azure resources to unauthorized access. Attackers may add rules to allow inbound connections from malicious infrastructure or outbound connections for data exfiltration. This can lead to compromise of protected resources and facilitate lateral movement within the Azure environment.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, user agent or region) |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review Azure Activity logs for Microsoft.Network/networkSecurityGroups/write or Microsoft.Network/networkSecurityGroups/securityRules/write events. A write to the NSG itself carries the full rule set in the request body, while a securityRules write carries a single rule. Examine the specific rule changes (direction, access, priority, source and destination prefixes, destination ports) and identify the principal that performed the modifications, together with the source IP, ASN, user agent and region of the request.
If unauthorized, revert the NSG rules to their previous secure configuration. Review NSG flow logs for suspicious traffic during the period when rules were modified. Rotate credentials for the compromised identity and audit RBAC assignments (for example, Network Contributor and any custom role granting Microsoft.Network/networkSecurityGroups/write) to restrict NSG modification permissions.
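The triage described above, as an added example that is not part of the original alert documentation or of AlphaSOC's tooling: it walks Activity log records, keeps the successful NSG and security-rule writes named on this page, pulls the rule definitions out of the request body, and flags every Allow/Inbound rule whose source is unrestricted, noting which sensitive ports it exposes and who made the change. The record layout (operationName, caller, status.value, httpRequest.clientIpAddress, properties.requestbody as a JSON string) follows the Activity log administrative event schema but is simplified; the sample events, the list of "anyone" source values and the sensitive-port list are constructed for illustration.

```python
import json
from collections import Counter

# Activity log operation names this alert keys on.
NSG_WRITE_OPS = {
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
}
# Assumption: these source values mean "anyone", so an Allow rule using them is unrestricted.
ANY_SOURCES = {"*", "0.0.0.0/0", "::/0", "internet", "any"}
# Illustrative list of ports that should never be reachable from the internet.
SENSITIVE_PORTS = {22: "SSH", 445: "SMB", 1433: "MSSQL", 3306: "MySQL",
                   3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}


def port_set(spec):
    """Expand one NSG port spec ('22', '3300-3400', '*') into a set; None means every port."""
    spec = spec.strip()
    if spec == "*":
        return None
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}


def rule_ports(props):
    """Union of destinationPortRange and destinationPortRanges; None if any spec is '*'."""
    specs = ([props["destinationPortRange"]] if props.get("destinationPortRange") else []) \
        + list(props.get("destinationPortRanges", []))
    ports = set()
    for spec in specs:
        expanded = port_set(spec)
        if expanded is None:
            return None
        ports |= expanded
    return ports


def opens_inbound_from_any(props):
    """True for an Allow/Inbound rule whose source prefix is unrestricted."""
    sources = ([props["sourceAddressPrefix"]] if props.get("sourceAddressPrefix") else []) \
        + list(props.get("sourceAddressPrefixes", []))
    return (props.get("direction", "").lower() == "inbound"
            and props.get("access", "").lower() == "allow"
            and any(s.strip().lower() in ANY_SOURCES for s in sources))


def rules_from_event(event):
    """Return [(rule_name, rule_properties)] carried in the write's request body."""
    body = event.get("properties", {}).get("requestbody")
    if not body:
        return []
    if isinstance(body, str):
        body = json.loads(body)
    if event["operationName"].endswith("/securityRules/write"):
        # Single-rule PUT: the rule name is the last segment of the resource ID.
        return [(event["resourceId"].rsplit("/", 1)[-1], body.get("properties", {}))]
    # Whole-NSG PUT: rules are nested under properties.securityRules.
    return [(r.get("name", "?"), r.get("properties", {}))
            for r in body.get("properties", {}).get("securityRules", [])]


def triage_nsg_events(events):
    """Findings for successful NSG writes that open inbound access from any source."""
    findings = []
    for ev in events:
        if ev.get("operationName") not in NSG_WRITE_OPS:
            continue
        if ev.get("status", {}).get("value") != "Succeeded":
            continue  # a failed write is worth a look, but it is not a live exposure
        for name, props in rules_from_event(ev):
            if not opens_inbound_from_any(props):
                continue
            ports = rule_ports(props)
            sensitive = (["*"] if ports is None
                         else sorted(SENSITIVE_PORTS[p] for p in ports if p in SENSITIVE_PORTS))
            findings.append({
                "time": ev.get("eventTimestamp"),
                "caller": ev.get("caller", "unknown"),
                "client_ip": ev.get("httpRequest", {}).get("clientIpAddress"),
                "resource": ev.get("resourceId"),
                "rule": name,
                "ports": "*" if ports is None else sorted(ports),
                "sensitive": sensitive,
            })
    return findings


def writes_by_caller(events):
    """Count NSG write attempts per principal (successful or not) to identify who changed what."""
    return Counter(ev.get("caller", "unknown") for ev in events
                   if ev.get("operationName") in NSG_WRITE_OPS)


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
NSG = SUB + "/providers/Microsoft.Network/networkSecurityGroups/nsg-web"
SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    {"eventTimestamp": "2024-05-01T10:15:00Z", "caller": "alice@example.com",
     "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write",
     "status": {"value": "Succeeded"}, "httpRequest": {"clientIpAddress": "203.0.113.7"},
     "resourceId": NSG + "/securityRules/allow-rdp-any",
     "properties": {"requestbody": json.dumps({"properties": {
         "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "priority": 100,
         "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
         "sourcePortRange": "*", "destinationPortRange": "3389"}})}},
    {"eventTimestamp": "2024-05-01T11:00:00Z", "caller": "iac-pipeline@example.com",
     "operationName": "Microsoft.Network/networkSecurityGroups/write",
     "status": {"value": "Succeeded"}, "httpRequest": {"clientIpAddress": "198.51.100.20"},
     "resourceId": NSG,
     "properties": {"requestbody": json.dumps({"properties": {"securityRules": [
         {"name": "allow-https-internet", "properties": {
             "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "priority": 200,
             "sourceAddressPrefix": "Internet", "destinationPortRanges": ["443"]}},
         {"name": "deny-all-inbound", "properties": {
             "direction": "Inbound", "access": "Deny", "protocol": "*", "priority": 4096,
             "sourceAddressPrefix": "*", "destinationPortRange": "*"}}]}})}},
    {"eventTimestamp": "2024-05-01T11:30:00Z", "caller": "bob@example.com",
     "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write",
     "status": {"value": "Failed"}, "resourceId": NSG + "/securityRules/allow-ssh-any",
     "properties": {}},
    {"eventTimestamp": "2024-05-01T12:00:00Z", "caller": "svc-compute@example.com",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "status": {"value": "Succeeded"}, "resourceId": SUB + "/providers/Microsoft.Compute/virtualMachines/vm1"},
]

if __name__ == "__main__":
    for f in triage_nsg_events(SAMPLE_EVENTS):
        print(f)
    print(writes_by_caller(SAMPLE_EVENTS))
```

Run against exported Activity log JSON (for example the output of az monitor activity-log list) instead of SAMPLE_EVENTS to get a list of newly exposed rules per caller; cross-check each caller's IP and user agent against the unexpected-property conditions in the severity table, and treat failed writes from an unfamiliar principal as worth the same investigation as successful ones.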
Known False Positives
- Authorized administrators making routine security rule changes
- Infrastructure as Code deployments updating network configurations
- DevOps teams configuring network access for new applications