Query Details

HUNT 12 NSG Firewall Change History

Query

// Hunt     : Hunt - NSG Deletion and Firewall Rule Modification History (30 Days)
// Tactics  : DefenseEvasion
// MITRE    : T1562.007
// Purpose  : Show the complete history of NSG deletions AND individual security rule modifications over 30 days (this is where inbound/outbound allow-all rules show up; the rule contents are carried in the Properties column). Helps determine whether Rule-14 alerts are isolated events or part of a broader network exposure campaign.
//==========================================================================================

let NSGOps = dynamic([
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE",
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE",
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE",
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE"
]);
AzureActivity
| where TimeGenerated > ago(30d)
| where OperationNameValue in~ (NSGOps)   // exact, case-insensitive match on the listed operation names
| where ActivityStatusValue =~ "Success"
| extend ChangeType = case(
    OperationNameValue has "NETWORKSECURITYGROUPS/DELETE", "NSG Deleted",
    OperationNameValue has "SECURITYRULES/DELETE", "Security Rule Deleted",
    OperationNameValue has "SECURITYRULES/WRITE",  "Security Rule Modified/Added",
    OperationNameValue has "NETWORKSECURITYGROUPS/WRITE", "NSG Created/Modified",
    "Other")
| project
    TimeGenerated,
    Caller,
    CallerIpAddress,
    ChangeType,
    ResourceId,
    ResourceGroup,
    SubscriptionId,
    Properties
| order by TimeGenerated desc

Explanation

This query is designed to track and analyze changes made to Network Security Groups (NSGs) and their security rules over the past 30 days. It focuses on identifying any deletions or modifications, particularly those that might indicate a broader attempt to expose the network. Here's a simple breakdown of what the query does:

  1. Define Operations of Interest: It specifies a list of operations related to NSGs, including deletions, creations, and modifications of both NSGs and their security rules.

  2. Filter Azure Activity Logs: It looks at Azure activity logs from the last 30 days, keeping only successful operations that match the specified NSG-related actions. Note that this drops failed attempts (for example, a write denied by RBAC or Azure Policy); if you also want to see who tried and was refused, relax the ActivityStatusValue filter.

  3. Classify Changes: Each operation is categorized into types of changes:

    • "NSG Deleted" for deletions of entire NSGs.
    • "Security Rule Deleted" for deletions of individual security rules.
    • "Security Rule Modified/Added" for modifications or additions of security rules.
    • "NSG Created/Modified" for creations or modifications of NSGs.

  4. Select and Display Relevant Information: It selects key details such as the time of the operation, who performed it, their IP address, the type of change, and other resource-related information.

  5. Sort Results: Finally, it orders the results by the time the changes were made, showing the most recent changes first.

This query helps security teams determine if specific alerts (like Rule-14 alerts) are isolated incidents or part of a larger pattern of network security changes. Bear in mind that NETWORKSECURITYGROUPS/WRITE also fires for routine updates (any PUT or PATCH on the NSG, tag changes included), and the query does not by itself check whether a written rule is permissive: the rule contents are in the Properties column, which has to be inspected or parsed to tell a harmless edit from an allow-all exposure.
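The following is an added follow-on query, not part of the original hunt, that turns the per-event list above into a per-caller view so the "isolated event or campaign" question can be answered directly. It assumes the request body of a security-rule write is exposed as the requestbody field of the Properties JSON (with the standard ARM securityRules shape under properties), which is not guaranteed for every operation; where it is absent the Rule* fields stay empty, AllowAllInbound is false, and the row still counts toward the caller's totals. The thresholds in the closing comment are a judgment call, not a documented rule.

```kql
// Added example: per-caller rollup of NSG changes to separate one-off edits from a campaign.
// Assumption: the request body of a security-rule write is present as Properties.requestbody
// (a JSON string). Where it is missing the Rule* fields are empty and AllowAllInbound is false.
let NSGOps = dynamic([
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE",
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE",
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE",
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE"
]);
AzureActivity
| where TimeGenerated > ago(30d)
| where OperationNameValue in~ (NSGOps)
| where ActivityStatusValue =~ "Success"
| extend ChangeType = case(
    OperationNameValue has "NETWORKSECURITYGROUPS/DELETE", "NSG Deleted",
    OperationNameValue has "SECURITYRULES/DELETE", "Security Rule Deleted",
    OperationNameValue has "SECURITYRULES/WRITE",  "Security Rule Modified/Added",
    OperationNameValue has "NETWORKSECURITYGROUPS/WRITE", "NSG Created/Modified",
    "Other")
// A rule's ResourceId ends in .../networkSecurityGroups/<nsg>/securityRules/<rule>;
// pull out the NSG name so several rule edits on one NSG count as one NSG touched.
| extend NsgName = extract(@"(?i)networkSecurityGroups/([^/]+)", 1, ResourceId)
// Rule contents from the request body (assumed location, see comment above).
| extend RuleBody = parse_json(tostring(parse_json(Properties).requestbody))
| extend RuleAccess    = tostring(RuleBody.properties.access),
         RuleDirection = tostring(RuleBody.properties.direction),
         RuleSource    = tostring(RuleBody.properties.sourceAddressPrefix),
         RuleDestPort  = tostring(RuleBody.properties.destinationPortRange)
// Allow, inbound, from anywhere, to any port: the rule shape a Rule-14 alert is about.
| extend AllowAllInbound = ChangeType == "Security Rule Modified/Added"
    and RuleAccess =~ "Allow"
    and RuleDirection =~ "Inbound"
    and RuleSource in~ ("*", "0.0.0.0/0", "Internet", "Any")
    and RuleDestPort == "*"
| summarize
    Changes              = count(),
    NsgsTouched          = dcount(NsgName),
    Subscriptions        = dcount(SubscriptionId),
    AllowAllInboundRules = countif(AllowAllInbound),
    ChangeTypes          = make_set(ChangeType),
    SourceIps            = make_set(CallerIpAddress),
    FirstSeen            = min(TimeGenerated),
    LastSeen             = max(TimeGenerated)
    by Caller
| extend ActivitySpan = LastSeen - FirstSeen
// Reading the output: one caller touching many NSGs, several subscriptions, or adding any
// allow-all inbound rule looks like a campaign; a single change to a single NSG looks isolated.
| order by AllowAllInboundRules desc, NsgsTouched desc, Changes desc
```

Run it over the same 30-day window as the hunt and pivot back to the per-event query for any Caller whose row stands out; the SourceIps set is worth checking against the caller's usual locations, since a familiar identity operating from an unfamiliar address is a common sign of a compromised principal rather than an admin tidying up.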

Details

David Alonso

Released: March 12, 2026

Tables

AzureActivity

Keywords

AzureActivity, NetworkSecurityGroups, SecurityRules, Resource, ResourceGroup, Subscription, Properties, TimeGenerated, Caller, CallerIpAddress, ChangeType

Operators

let, dynamic, ago, has_any, =~, case, has, project, order by, desc