
Description

Ensure that network flow logs are captured and sent to a central Log Analytics workspace.

Retirement Notice: On September 30, 2027, network security group (NSG) flow logs will be retired. Starting June 30, 2025, it will no longer be possible to create new NSG flow logs. Azure recommends migrating to virtual network flow logs. Review https://azure.microsoft.com/en-gb/updates?id=Azure-NSG-flow-logs-Retirement for more information. For virtual network flow logs, consider applying the recommendation "Ensure that virtual network flow logs are captured and sent to Log Analytics" in this section.

Rationale

Network flow logs provide valuable insight into traffic patterns and feed into Azure Monitor and, if in use, Azure Sentinel, which enables visual flow diagrams for analyzing lateral movement and other activity.

Impact

The impact of configuring NSG Flow Logs is primarily cost and configuration. If deployed, it creates storage accounts that hold small amounts of data on a 5-day lifecycle before sending it to Log Analytics. This increases the amount of data stored and used by Azure Monitor.

Audit

From Azure Portal

  1. Navigate to Network Watcher.
  2. Under Logs, select Flow logs.
  3. Click Add filter.
  4. From the Filter drop-down, select Flow log type.
  5. From the Value drop-down, check Network security group only.
  6. Click Apply.
  7. Ensure that at least one network security group flow log is listed and is configured to send logs to a Log Analytics Workspace.
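A scripted form of the same audit, added here as an example and not part of the benchmark: it takes the JSON printed by `az network watcher flow-log list --location <region>`, keeps only the flow logs whose target is a network security group, and reports which of those are enabled and forward to a Log Analytics workspace through Traffic Analytics. The embedded sample is constructed to mirror that JSON shape; the field names (`targetResourceId`, `flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration`, `workspaceResourceId`) are assumed from the Azure flow-log resource schema, and the subscription and resource names are placeholders.

```python
"""Audit NSG flow logs for Log Analytics forwarding (added example, not benchmark code).

Feed it the output of:  az network watcher flow-log list --location <region>
The sample below is constructed so the script runs offline.
"""
import json
import sys

# Constructed sample modelled on `az network watcher flow-log list` output (assumption).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
_LAW = _SUB + "/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-central"
SAMPLE_FLOW_LOGS = json.dumps([
    {   # compliant: enabled, Traffic Analytics on, workspace set
        "name": "nsg-web-flowlog",
        "enabled": True,
        "targetResourceId": _SUB + "/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-web",
        "flowAnalyticsConfiguration": {"networkWatcherFlowAnalyticsConfiguration": {
            "enabled": True, "workspaceResourceId": _LAW, "trafficAnalyticsInterval": 10}},
    },
    {   # flow log on, but Traffic Analytics (the path into Log Analytics) is off
        "name": "nsg-db-flowlog",
        "enabled": True,
        "targetResourceId": _SUB + "/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-db",
        "flowAnalyticsConfiguration": {"networkWatcherFlowAnalyticsConfiguration": {"enabled": False}},
    },
    {   # flow log itself disabled
        "name": "nsg-mgmt-flowlog",
        "enabled": False,
        "targetResourceId": _SUB + "/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-mgmt",
        "flowAnalyticsConfiguration": None,
    },
    {   # virtual network flow log: belongs to the sibling recommendation, not this one
        "name": "vnet-hub-flowlog",
        "enabled": True,
        "targetResourceId": _SUB + "/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-hub",
        "flowAnalyticsConfiguration": {"networkWatcherFlowAnalyticsConfiguration": {
            "enabled": True, "workspaceResourceId": _LAW, "trafficAnalyticsInterval": 10}},
    },
])

NSG_MARKER = "/providers/Microsoft.Network/networkSecurityGroups/"
VNET_MARKER = "/providers/Microsoft.Network/virtualNetworks/"


def target_type(flow_log):
    """Classify a flow log by the ARM resource type of its target."""
    rid = flow_log.get("targetResourceId") or ""
    if NSG_MARKER in rid:
        return "nsg"
    if VNET_MARKER in rid:
        return "vnet"
    return "other"


def noncompliance_reason(flow_log):
    """Return None when the flow log is enabled and forwarded to a workspace, else why not."""
    if not flow_log.get("enabled"):
        return "flow log disabled"
    ta = (flow_log.get("flowAnalyticsConfiguration") or {}).get(
        "networkWatcherFlowAnalyticsConfiguration") or {}
    if not ta.get("enabled"):
        return "traffic analytics disabled"
    if not ta.get("workspaceResourceId"):
        return "no Log Analytics workspace configured"
    return None


def audit(flow_logs_json):
    """Evaluate the benchmark: pass if at least one NSG flow log reaches Log Analytics."""
    result = {"pass": False, "compliant": [], "noncompliant": [], "vnet_flow_logs": []}
    for fl in json.loads(flow_logs_json):
        kind = target_type(fl)
        if kind == "vnet":
            result["vnet_flow_logs"].append(fl["name"])
            continue
        if kind != "nsg":
            continue
        reason = noncompliance_reason(fl)
        if reason is None:
            result["compliant"].append(fl["name"])
        else:
            result["noncompliant"].append({"name": fl["name"], "reason": reason})
    result["pass"] = bool(result["compliant"])
    return result


if __name__ == "__main__":
    # Pipe real CLI output in, or run with no stdin to use the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FLOW_LOGS
    print(json.dumps(audit(data), indent=2))
```

Usage: `az network watcher flow-log list --location eastus | python audit_nsg_flowlogs.py`. A "pass" only means the benchmark's minimum is met; the `noncompliant` list is the actionable part, since any NSG whose flow log is disabled or not forwarded leaves a gap in lateral-movement visibility, and the `vnet_flow_logs` list shows which targets have already moved to the successor format.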

From Azure Policy

If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.

Default Value

By default, Network Security Group logs are not sent to Log Analytics.

References

  1. https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-tutorial
  2. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation