
πŸ›‘οΈ Network Security Group Flow Logs are not captured and sent to Log Analytics Workspace🟒βšͺ

  • Contextual name: 🛑️ Network Security Group Flow Logs are not captured and sent to Log Analytics Workspace 🟢⚪
  • ID: /ce/ca/azure/network-watcher/network-security-group-flow-logs
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY, PERFORMANCE

Description

Ensure that network flow logs are captured and sent to a central Log Analytics workspace.

Retirement Notice: On September 30, 2027, network security group (NSG) flow logs will be retired. Starting June 30, 2025, it will no longer be possible to create new NSG flow logs. Azure recommends migrating to virtual network flow logs. Review https://azure.microsoft.com/en-gb/updates?id=Azure-NSG-flow-logs-Retirement for more information. For virtual network flow logs, consider applying the recommendation "Ensure that virtual network flow logs are captured and sent to Log Analytics" in this section.

Rationale

Network Flow Logs provide valuable insight into traffic patterns and feed into both Azure Monitor and Azure Sentinel, if in use, which enables visual flow diagrams for analyzing lateral movement and other activity.

Impact

The impact of configuring NSG Flow Logs is primarily cost and configuration. If deployed, it creates storage accounts that hold small amounts of data on a 5-day lifecycle before sending it to Log Analytics. This increases the amount of data stored and used by Azure Monitor.


Remediation

From Azure Portal

  1. Navigate to Network Watcher.
  2. Under Logs, select Flow logs.
  3. Select + Create.
  4. Select the desired subscription.
  5. For Flow log type, select Network security group.
  6. Select + Select target resource.
  7. Select Network security group.
  8. Select a network security group.
  9. Click Confirm selection.
  10. Select or create a new Storage Account.
  11. If using a v2 storage account, enter the retention in days.
  12. Click Next.
  13. Under Analytics, for Flow log version, select Version 2.
  14. Check the box next to Enable traffic analytics.
  15. Select a processing interval.
  16. Select a Log Analytics Workspace.
  17. Select Next.
  18. Optionally add tags.
  19. Select Review + create.
  20. Select Create.

Warning

The remediation policy creates a remediation deployment and names it by concatenating the subscription name and the resource group name. The MAXIMUM permitted length of a deployment name is 64 characters. Exceeding this causes the remediation task to fail.
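As an added example (not Cloudaware's policy code), the following offline check applies this page's criteria to flow-log records shaped like `az network watcher flow-log list` output: every NSG has a flow log, the log is enabled, it uses version 2, traffic analytics is on and a Log Analytics workspace is set. It also includes the 64-character deployment-name pre-flight from the Warning above. The field names are assumed to follow the Azure flow-log resource schema and the sample records are constructed.

```python
import json

MAX_DEPLOYMENT_NAME = 64  # ARM deployment-name limit cited in the Warning above
# Constructed sample records, shaped like `az network watcher flow-log list`
# output (field names assumed to follow the Azure flow-log resource schema).
# fl-web is compliant; fl-db is version 1 with traffic analytics switched off.
SAMPLE_FLOW_LOGS = json.loads("""[
  {"name": "fl-web", "enabled": true,
   "targetResourceId": "/subscriptions/x/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-web",
   "format": {"type": "JSON", "version": 2},
   "flowAnalyticsConfiguration": {"networkWatcherFlowAnalyticsConfiguration": {
     "enabled": true, "trafficAnalyticsInterval": 10,
     "workspaceResourceId": "/subscriptions/x/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-central"}}},
  {"name": "fl-db", "enabled": true,
   "targetResourceId": "/subscriptions/x/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-db",
   "format": {"type": "JSON", "version": 1},
   "flowAnalyticsConfiguration": {"networkWatcherFlowAnalyticsConfiguration": {
     "enabled": false, "workspaceResourceId": null}}}
]""")


def flow_log_findings(record):
    """Return the policy violations for one flow-log record (empty list = compliant)."""
    findings = []
    if not record.get("enabled"):
        findings.append("flow log disabled")
    if (record.get("format") or {}).get("version") != 2:
        findings.append("flow log version is not 2")
    analytics = ((record.get("flowAnalyticsConfiguration") or {})
                 .get("networkWatcherFlowAnalyticsConfiguration") or {})
    if not analytics.get("enabled"):
        findings.append("traffic analytics not enabled")
    if not analytics.get("workspaceResourceId"):
        findings.append("no Log Analytics workspace configured")
    return findings


def nsgs_without_flow_logs(nsg_ids, flow_logs):
    """NSG resource ids that no flow log targets at all (the policy's core finding)."""
    covered = {fl.get("targetResourceId") for fl in flow_logs}
    return sorted(set(nsg_ids) - covered)


def deployment_name_ok(subscription_name, resource_group_name):
    """Pre-flight for the Warning above: the concatenated name must fit in 64 chars."""
    return len(subscription_name + resource_group_name) <= MAX_DEPLOYMENT_NAME


if __name__ == "__main__":
    for fl in SAMPLE_FLOW_LOGS:
        print(fl["name"], flow_log_findings(fl) or "compliant")
```

In a real tenant, feed the script the JSON from `az network watcher flow-log list --location <region>` and the NSG ids from `az network nsg list --query "[].id"`.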


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Azure v5.0.0 → 💼 6.1.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics (Manual) | 1 | no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration | 77 | no data