Microsoft.Network/networkSecurityGroups/securityRules/write
Azure
Microsoft.Network/networkSecurityGroups/securityRules/write
Event
Creates or updates a security rule in an Azure Network Security Group, controlling inbound or outbound traffic.
Security Context
- Modifying network security controls can open unauthorized access paths while removing evidence of the original restrictive configuration.
- Lateral movement techniques allow adversaries to expand their foothold by accessing additional systems and services within the environment.
Log Source
Azure Activity Log
Sample Event
Adversarial. draco@fantasticlogs.cloud adds a permissive inbound rule allow-rdp-from-anywhere to the NSG nsg-vm-demiguise-prod, allowing TCP/3389 from 0.0.0.0/0 (Any) to the VM’s private IP. This opens RDP from anywhere on the internet to a previously-segmented internal VM and is a textbook lateral-movement / initial-access enabler. Maps cleanly to T1686.001 (Cloud Firewall).
{ "authorization": { "action": "Microsoft.Network/networkSecurityGroups/securityRules/write", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-vm-demiguise-prod/securityRules/allow-rdp-from-anywhere" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "puid": "1003200000000666", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814", "uti": "nsgRule207ExampleUtid", "ver": "1.0" }, "correlationId": "90000000-0000-4000-8000-000100010010", "description": "", "eventDataId": "90000000-0000-4000-8000-000100010011", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T18:33:54.1148902Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-vm-demiguise-prod/securityRules/allow-rdp-from-anywhere/events/90000000-0000-4000-8000-000100010011/ticks/638798253941148902", "level": "Informational", "operationId": "90000000-0000-4000-8000-000100010100", "operationName": { "value": "Microsoft.Network/networkSecurityGroups/securityRules/write", "localizedValue": "Create or update Network Security Rule" }, "resourceGroupName": "rg-fantasticlogs-prod", "resourceProviderName": { "value": "Microsoft.Network", "localizedValue": "Microsoft.Network" }, "resourceType": { "value": "Microsoft.Network/networkSecurityGroups/securityRules", "localizedValue": "Microsoft.Network/networkSecurityGroups/securityRules" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-vm-demiguise-prod/securityRules/allow-rdp-from-anywhere", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "Created", "localizedValue": "Created (HTTP Status Code: 201)" }, "submissionTimestamp": "2026-04-15T18:33:54.7058821Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "Created", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-vm-demiguise-prod/securityRules/allow-rdp-from-anywhere", "message": "Microsoft.Network/networkSecurityGroups/securityRules/write", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001", "requestbody": "{\"properties\":{\"protocol\":\"Tcp\",\"sourcePortRange\":\"*\",\"destinationPortRange\":\"3389\",\"sourceAddressPrefix\":\"*\",\"destinationAddressPrefix\":\"*\",\"access\":\"Allow\",\"priority\":100,\"direction\":\"Inbound\"}}" }, "relatedEvents": []}MITRE ATT&CK Mapping
Tactics: Defense Impairment Lateral Movement
Techniques:
- T1686.001 — Cloud Firewall — Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.