Skip to main content

πŸ“ Network Security Group Flow Logs are not captured and sent to Log Analytics Workspace 🟒

  • Contextual name: πŸ“ Network Security Group Flow Logs are not captured and sent to Log Analytics Workspace 🟒
  • ID: /ce/ca/azure/network-watcher/network-security-group-flow-logs
  • Located in: πŸ“ Azure Network Watcher

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY
    • PERFORMANCE

Description​

Open File

Description​

Ensure that network flow logs are captured and fed into a central log analytics workspace.

Rationale​

Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.

Impact​

The impact of configuring NSG Flow logs is primarily one of cost and configuration. If deployed, it will create storage accounts that hold minimal amounts of data on a 5-day lifecycle before feeding to Log Analytics Workspace. This will increase the amount of data stored and used by Azure Monitor.

Audit​

From Azure Portal​
  1. Navigate to Network Watcher.
  2. Under Logs, select Flow logs.
  3. Click Add filter.
  4. From the Filter drop-down, select Flow log type.
  5. From the Value drop-down, check Network security group only.
  6. Click Apply.
  7. Ensure that at least one network security group flow log is listed and is configured to send logs to a Log Analytics Workspace.

... see more

Remediation​

Open File

Remediation​

From Azure Portal​

  1. Navigate to Network Watcher.
  2. Under Logs, select Flow logs.
  3. Select + Create.
  4. Select the desired Subscription.
  5. For Flow log type, select Network security group.
  6. Select + Select target resource.
  7. Select Network security group.
  8. Select a network security group.
  9. Click Confirm selection.
  10. Select or create a new Storage Account.
  11. If using a v2 storage account, input the retention in days to retain the log.
  12. Click Next.
  13. Under Analytics, for Flow log version, select Version 2.
  14. Check the box next to Enable traffic analytics.
  15. Select a processing interval.
  16. Select a Log Analytics Workspace.
  17. Select Next.
  18. Optionally add Tags.
  19. Select Review + create.
  20. Select Create.

Warning​

The remediation policy creates remediation deployment and names them by concatenating the subscription name and the resource group name. The MAXIMUM permitted length of a deployment name is 64 characters. Exceeding this will cause the remediation task to fail.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 5.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics - Level 2 (Manual)1
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 6.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics (Manual)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration49