Enabling the Network Security Groups Connector for Microsoft Sentinel

The Network Security Groups connector is now available in the Microsoft Sentinel console. This enables customers to monitor rules for things like virtual network subnets and network interfaces. The connector streams the NSG diagnostic logs directly into Microsoft Sentinel.

Two new Data Types are available: NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter

The Data Types are exposed through the AzureDiagnostics table.

There’s not much collateral included with the Data Connector currently. Only 2 queries that expose these two Data Types.

Just 2 queries

The connector can be found in the Data Connector blade if you do a quick search for ‘network.’

The connector

Enabling this connector follows the same path as many of the newer Azure service-based connectors, in that it utilizes the Azure Policy Assignment wizard.

Policy wizard

The unfortunate thing is that once you launch the wizard you can no longer follow the instructions supplied on the connector page because focus is handed over to Azure Policy assignment. So, I’ve included the instructions below…

Launch the Azure Policy Assignment wizard and follow the steps:​

  1. In the Basics tab, click the button with the three dots under Scope to select your resources assignment scope.
  2. In the Parameters tab, choose your Microsoft Sentinel workspace from the Log Analytics workspace drop-down list, and leave marked as “True” all the log and metric types you want to ingest.
  3. To apply the policy on your existing resources, select the Remediation tab and mark the Create a remediation task checkbox.

P.S. NSG data is normally massive, so be careful with this connector. It could cause sticker shock.


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Bi-Weekly Defender for Cloud Newsletter]