Enable Network Security Group Monitoring

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to examine to access the selected subscription configuration settings.

05 On the Security Policy page, click on the ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd) policy assignment to access the policy configuration.

06 On the selected policy assignment page, in the PARAMETERS section, check the Monitor network security groups setting status. If the configuration setting is set to Disabled, the network security group monitoring is not enabled within Microsoft Azure Security Center, in the selected Azure subscription.

07 Repeat steps no. 4 - 6 for each Microsoft Azure subscription available in your account.

01 Run account get-access-token command (Windows/macOS/Linux) using custom query filters to get the "Monitor Network Security Groups" feature status for the current Azure account subscription:

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn")'|jq '.properties.parameters.networkSecurityGroupsMonitoringEffect.value'

02 The command output should return the requested Security Center feature configuration status:

"Disabled"

03 Repeat step no. 1 and 2 for each Microsoft Azure subscription available in your account.

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to reconfigure to access the selected subscription configuration settings.

05 On the Security Policy page, click on the ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd) policy assignment to edit the policy configuration.

06 On the selected policy assignment page, in the PARAMETERS section, select AuditIfNotExists from Monitor network security groups dropdown list to enable network security group monitoring for all Microsoft Azure virtual machines (VMs) provisioned in the selected Azure subscription.

07 Click Save to apply the changes. If successful, the following message should be displayed: "Updating policy assignment succeeded". Once the configuration changes are saved, the Security Center network security group monitoring feature becomes active for the selected subscription.

08 If required, repeat steps no. 4 – 7 for other Microsoft Azure cloud subscription available.

01 Define the necessary parameters for the account get-access-token command, where the networkSecurityGroupsMonitoringEffect configuration parameter is enabled. Save the following content to a JSON file named enable-network-security-groups-monitoring.json and replace the highlighted details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account details:

{
   "properties":{
      "displayName":"ASC Default (subscription: <azure-subscription-id>)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
      "scope":"/subscriptions/<azure-subscription-id>",
      "parameters":{
         "networkSecurityGroupsMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      }
   },
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

02 Run account get-access-token command (Windows/macOS/Linux) using the parameters defined at the previous step (i.e. enable-network-security-groups-monitoring.json file) to enable network security group monitoring for all Microsoft Azure virtual machines (VMs) provisioned in the selected Azure subscription (the command request does not produce an output):

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d@"enable-network-security-groups-monitoring.json"'

03 If successful, the command output should return the updated Azure Security Center policy (truncated):

{
   "sku":{
      "name":"A0",
      "tier":"Free"
   },
   "properties":{
      "displayName":"ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
      "scope":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",

      ...

      "description":"This is the default set of policies monitored by Azure Security Center. It was automatically assigned as part of on-boarding to Security Center. The default assignment contains only audit policies. For more information please visit https://aka.ms/ascpolicies",
   },
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

04 If required, repeat steps no. 1 – 3 for other Microsoft Azure cloud subscription available.