Query Details

RULE 14 NSG Deleted

Query

// Rule    : Azure - Network Security Group Deleted
// Severity: High
// Tactics : DefenseEvasion
// MITRE   : T1562.007
// Freq    : PT1H   Period: PT2H
//==========================================================================================

let KnownIaCPatterns = dynamic(["terraform", "bicep", "pipeline", "github", "pulumi",
    "devops", "arm-deployment", "cleanup", "deprovisioner"]);
// NSG rule-change ops are lower severity; only full NSG DELETE is escalated here
let NSGDeleteOp = "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE";
AzureActivity
| where TimeGenerated > ago(2h)
| where OperationNameValue =~ NSGDeleteOp
| where ActivityStatusValue =~ "Success"
| where not(tolower(Caller) has_any (KnownIaCPatterns))
| where isnotempty(CallerIpAddress)
| where CallerIpAddress !startswith "168.63." and CallerIpAddress !startswith "169.254."
| summarize
    DeletionCount         = count(),
    DeletedNSGs           = make_set(ResourceId, 20),
    AffectedSubscriptions = make_set(SubscriptionId, 5),
    AffectedResourceGroups = make_set(ResourceGroup, 5),
    SourceIPs             = make_set(CallerIpAddress, 5),
    CallerIP              = any(CallerIpAddress),
    FirstSeen             = min(TimeGenerated),
    LastSeen              = max(TimeGenerated)
    by Caller
| extend
    AccountName      = tostring(split(Caller, "@")[0]),
    AccountUPNSuffix = tostring(split(Caller, "@")[1])

Explanation

This query is designed to detect and summarize instances where a Network Security Group (NSG) has been deleted in Azure. The rule treats this as a high-severity defense-evasion event (MITRE ATT&CK T1562.007, Disable or Modify Cloud Firewall). Here's a breakdown of what the query does:

  1. Define Known Patterns: It starts by defining a list of known infrastructure-as-code (IaC) patterns, such as "terraform" and "bicep", which are typically used for legitimate automated operations.

  2. Specify Operation: It focuses on the specific operation of deleting a Network Security Group (NSGDeleteOp).

  3. Filter Events: The query looks at Azure activity logs from the past 2 hours (TimeGenerated > ago(2h)) and filters for successful NSG delete operations.

  4. Exclude Known Patterns: It excludes operations whose Caller contains any of the known IaC patterns as a whole term (has_any matches terms, not arbitrary substrings, so a caller such as "terraform-sp" is excluded), assuming these are likely legitimate.

  5. Filter IP Addresses: It drops events with an empty CallerIpAddress and events from Azure-internal addresses that start with "168.63." or "169.254.".

  6. Summarize Results: For each caller (user or service account) that performed a deletion, it summarizes:

    • The number of deletions (DeletionCount).
    • The set of deleted NSGs (DeletedNSGs, capped at 20 resource IDs).
    • The subscriptions and resource groups affected (AffectedSubscriptions, AffectedResourceGroups).
    • The source IP addresses involved (SourceIPs) plus one representative address (CallerIP).
    • The first and last time a deletion was seen (FirstSeen, LastSeen).

  7. Extract Account Information: It splits the caller's user principal name (the email-style value in Caller) at "@" into the account name (AccountName) and the domain suffix (AccountUPNSuffix) for further analysis.

In summary, this query identifies and summarizes potentially suspicious deletions of Network Security Groups in Azure, excluding those likely performed by known automated processes, and provides details about the involved accounts and IP addresses.
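The same filter-and-summarize logic as the KQL above, as an added Python example (not code from the original page) run over constructed AzureActivity-style records, useful for checking what the rule will and will not surface before deploying it. The term-based has_any approximation, the sample callers, IPs and resource IDs are all constructed assumptions.

```python
import re
from collections import defaultdict
# Constants mirror the KQL rule's let-bindings.
KNOWN_IAC_PATTERNS = ["terraform", "bicep", "pipeline", "github", "pulumi",
                      "devops", "arm-deployment", "cleanup", "deprovisioner"]
NSG_DELETE_OP = "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE"
AZURE_INTERNAL_PREFIXES = ("168.63.", "169.254.")

def has_any(text, patterns):
    # KQL 'has_any' matches whole alphanumeric terms, not substrings; this approximates that.
    t = re.findall(r"[a-z0-9]+", text.lower())
    return any(t[i:i + len(p)] == p for p in (re.findall(r"[a-z0-9]+", q) for q in patterns)
               for i in range(len(t) - len(p) + 1))

def is_candidate(e):
    # One check per 'where' clause in the rule (=~ is case-insensitive).
    return (e["OperationNameValue"].upper() == NSG_DELETE_OP
            and e["ActivityStatusValue"].lower() == "success"
            and not has_any(e["Caller"], KNOWN_IAC_PATTERNS)
            and bool(e["CallerIpAddress"])
            and not e["CallerIpAddress"].startswith(AZURE_INTERNAL_PREFIXES))

def summarize_by_caller(events):
    # Equivalent of 'summarize ... by Caller | extend AccountName, AccountUPNSuffix'.
    groups = defaultdict(list)
    for e in filter(is_candidate, events):
        groups[e["Caller"]].append(e)
    out = {}
    for caller, evs in groups.items():
        times = sorted(e["TimeGenerated"] for e in evs)
        name, _, suffix = caller.partition("@")  # split(Caller, "@")[0] / [1]
        out[caller] = {"DeletionCount": len(evs),
                       "DeletedNSGs": sorted({e["ResourceId"] for e in evs})[:20],
                       "AffectedSubscriptions": sorted({e["SubscriptionId"] for e in evs})[:5],
                       "AffectedResourceGroups": sorted({e["ResourceGroup"] for e in evs})[:5],
                       "SourceIPs": sorted({e["CallerIpAddress"] for e in evs})[:5],
                       "FirstSeen": times[0], "LastSeen": times[-1],
                       "AccountName": name, "AccountUPNSuffix": suffix}
    return out

def _ev(t, caller, ip, status="Success", op=NSG_DELETE_OP, nsg="nsg-web"):
    return {"TimeGenerated": t, "OperationNameValue": op, "ActivityStatusValue": status, "Caller": caller,
            "CallerIpAddress": ip, "SubscriptionId": "sub-a", "ResourceGroup": "rg-prod",
            "ResourceId": f"/subscriptions/sub-a/resourceGroups/rg-prod/providers/Microsoft.Network/networkSecurityGroups/{nsg}"}

# Constructed sample AzureActivity records (documentation IPs, fictional tenant); only alice should surface.
SAMPLE_EVENTS = [
    _ev("2026-03-12T10:05:00Z", "alice@contoso.example", "203.0.113.10"),
    _ev("2026-03-12T10:20:00Z", "alice@contoso.example", "203.0.113.10", nsg="nsg-db"),
    _ev("2026-03-12T10:30:00Z", "terraform-sp@contoso.example", "198.51.100.5"),  # IaC caller, excluded
    _ev("2026-03-12T10:35:00Z", "bob@contoso.example", "168.63.129.16"),  # Azure-internal IP, excluded
    _ev("2026-03-12T10:40:00Z", "bob@contoso.example", "203.0.113.99", status="Failed"),  # not Success
    _ev("2026-03-12T10:45:00Z", "carol@contoso.example", "203.0.113.50", op="MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE"),  # rule-level op, not escalated
    _ev("2026-03-12T10:50:00Z", "dave@contoso.example", ""),  # empty caller IP, excluded
]
```

Running summarize_by_caller(SAMPLE_EVENTS) yields one row for alice with two deletions; every other record is dropped by exactly one of the rule's where clauses.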

Details

David Alonso

Released: March 12, 2026

Tables

AzureActivity

Keywords

Azure, Network Security Group, Caller, Resource, Subscription, Resource Group, IP Address, Account, TimeGenerated

Operators

let, dynamic, =~, has_any, isnotempty, !startswith, summarize, count, make_set, any, min, max, by, extend, tostring, split