Skip to content

Microsoft.Network/networkSecurityGroups/securityRules/write

Azure

Microsoft.Network/networkSecurityGroups/securityRules/write

service: Azure - Network Security Group
techniques:

Event

Creates or updates a security rule in an Azure Network Security Group, controlling inbound or outbound traffic.

Security Context

  • Modifying network security controls can open unauthorized access paths while removing evidence of the original restrictive configuration.
  • Lateral movement techniques allow adversaries to expand their foothold by accessing additional systems and services within the environment.

Log Source

Azure Activity Log

Sample Event

Adversarial. draco@fantasticlogs.cloud adds a permissive inbound rule allow-rdp-from-anywhere to the NSG nsg-vm-demiguise-prod, allowing TCP/3389 from 0.0.0.0/0 (Any) to the VM’s private IP. This opens RDP from anywhere on the internet to a previously-segmented internal VM and is a textbook lateral-movement / initial-access enabler. Maps cleanly to T1686.001 (Cloud Firewall).

{
"authorization": {
"action": "Microsoft.Network/networkSecurityGroups/securityRules/write",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-vm-demiguise-prod/securityRules/allow-rdp-from-anywhere"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "nsgRule207ExampleUtid",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100010010",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100010011",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T18:33:54.1148902Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-vm-demiguise-prod/securityRules/allow-rdp-from-anywhere/events/90000000-0000-4000-8000-000100010011/ticks/638798253941148902",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100010100",
"operationName": {
"value": "Microsoft.Network/networkSecurityGroups/securityRules/write",
"localizedValue": "Create or update Network Security Rule"
},
"resourceGroupName": "rg-fantasticlogs-prod",
"resourceProviderName": {
"value": "Microsoft.Network",
"localizedValue": "Microsoft.Network"
},
"resourceType": {
"value": "Microsoft.Network/networkSecurityGroups/securityRules",
"localizedValue": "Microsoft.Network/networkSecurityGroups/securityRules"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-vm-demiguise-prod/securityRules/allow-rdp-from-anywhere",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "Created",
"localizedValue": "Created (HTTP Status Code: 201)"
},
"submissionTimestamp": "2026-04-15T18:33:54.7058821Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "Created",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-vm-demiguise-prod/securityRules/allow-rdp-from-anywhere",
"message": "Microsoft.Network/networkSecurityGroups/securityRules/write",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001",
"requestbody": "{\"properties\":{\"protocol\":\"Tcp\",\"sourcePortRange\":\"*\",\"destinationPortRange\":\"3389\",\"sourceAddressPrefix\":\"*\",\"destinationAddressPrefix\":\"*\",\"access\":\"Allow\",\"priority\":100,\"direction\":\"Inbound\"}}"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment Lateral Movement

Techniques:
  • T1686.001 — Cloud Firewall — Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.