Opening a Network Security Group to the Internet







EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability, some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.




An attacker can modify Network Security Group rules to allow for new traffic. This typically allows them to maintain access to your infrastructure.

Understanding Impact

Business Impact

Compute resources in Azure are protected by Network Security Groups (NSGs). When an attacker allows traffic on an NSG, it exposes the affected resource publicly and allows the attacker to remain in your environment.

Technical Impact

Network Security Groups are used to control traffic to and from Azure resources. When an attacker modifies an NSG, they can allow traffic to a resource that was previously blocked. This allows them to gain or maintain access to your environment.


You can identify when a Network Security Group ingress rule is created or modified, using the Azure Activity log event Microsoft.Network/networkSecurityGroups/securityRules/write.

Sample event, shortened for readability:

  "id": "/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.Network/networkSecurityGroups/<nsg-name>/securityRules/AllowAnySSHInbound/events/<...>",
  "operationName": {
    "value": "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "localizedValue": "Create or Update Security Rule"
  "resourceGroupName": "<resource-group>",
  "resourceProviderName": {
    "value": "Microsoft.Network",
    "localizedValue": "Microsoft.Network"
  "resourceType": {
    "value": "Microsoft.Network/networkSecurityGroups/securityRules",
    "localizedValue": "Microsoft.Network/networkSecurityGroups/securityRules"
  "resourceId": "/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.Network/networkSecurityGroups/<nsg-name>/securityRules/AllowAnySSHInbound",
  "properties": {
    "eventCategory": "Administrative",
    "entity": "/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.Network/networkSecurityGroups/<nsg-name>/securityRules/AllowAnySSHInbound",
    "message": "Microsoft.Network/networkSecurityGroups/securityRules/write",

When the rule is created for the first time, the event does not include information about the port or source IP range that has been opened. When the rule already existed, properties.responseBody contains the JSON of the modified NSG rule:

  "name": "AllowAnySSHInbound",
  "id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/networkSecurityGroups/<nsg-name>/securityRules/AllowAnySSHInbound",
  "type": "Microsoft.Network/networkSecurityGroups/securityRules",
  "properties": {
    "provisioningState": "Updating",
    "protocol": "TCP",
    "sourcePortRange": "1024-54335",
    "destinationPortRange": "22",
    "sourceAddressPrefix": "<source-ip>",
    "destinationAddressPrefix": "*",
    "access": "Allow",
    "priority": 100,
    "direction": "Inbound",
    "sourcePortRanges": [],
    "destinationPortRanges": [],
    "sourceAddressPrefixes": [],
    "destinationAddressPrefixes": []

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the following out-of-the-box rules:


AZT506 - Network Security Group Modification

Network Security Groups

azure documentation

Did you find this article helpful?