Description
Ensure that network flow logs are captured and fed into a central log analytics workspace.
Rationale
Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams that aid in analyzing for lateral movement and similar activity.
Impact
The impact of configuring NSG Flow logs is primarily one of cost and configuration. If deployed, it will create storage accounts that hold minimal amounts of data on a 5-day lifecycle before feeding to Log Analytics Workspace. This will increase the amount of data stored and used by Azure Monitor.
Audit
From Azure Portal
- Navigate to Network Watcher.
- Under Logs, select Flow logs.
- Click Add filter.
- From the Filter drop-down, select Flow log type.
- From the Value drop-down, check Network security group only.
- Click Apply.
- Ensure that at least one network security group flow log is listed and is configured to send logs to a Log Analytics Workspace.
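The same check can be run offline against exported flow-log records. The following is an added example, not part of the Benchmark: it filters a list of Network Watcher flow logs to those targeting a network security group and reports whether at least one is enabled and bound to a Log Analytics workspace. The record shape (targetResourceId, enabled, flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration) is assumed to follow the Azure REST/CLI FlowLog resource, and the sample records are constructed.

```python
"""Offline audit of Network Watcher flow-log records (added example, not Benchmark text).

Field names are assumed to match the Azure FlowLog resource as returned by
`az network watcher flow-log list`; verify against your own tenant's output.
"""
import json

NSG_MARKER = "/providers/microsoft.network/networksecuritygroups/"


def is_nsg_flow_log(flow_log: dict) -> bool:
    """True when the flow log targets a network security group rather than a VNet."""
    return NSG_MARKER in flow_log.get("targetResourceId", "").lower()


def sends_to_log_analytics(flow_log: dict) -> bool:
    """True when Traffic Analytics is enabled and bound to a Log Analytics workspace."""
    ta = (flow_log.get("flowAnalyticsConfiguration") or {}).get(
        "networkWatcherFlowAnalyticsConfiguration") or {}
    return bool(ta.get("enabled")) and bool(ta.get("workspaceResourceId"))


def audit_nsg_flow_logs(flow_logs: list) -> dict:
    """Mirror the portal audit: keep only NSG flow logs, then require at least one
    that is enabled and forwards to a Log Analytics workspace; list the rest as findings."""
    nsg_logs = [f for f in flow_logs if is_nsg_flow_log(f)]
    compliant = [f["name"] for f in nsg_logs
                 if f.get("enabled") and sends_to_log_analytics(f)]
    findings = [f"{f['name']}: disabled" for f in nsg_logs if not f.get("enabled")]
    findings += [f"{f['name']}: no Log Analytics workspace"
                 for f in nsg_logs if f.get("enabled") and not sends_to_log_analytics(f)]
    return {"pass": bool(compliant), "compliant": compliant, "findings": findings}


# Constructed sample resembling flow-log list output; IDs and names are placeholders.
SAMPLE = json.loads("""[
 {"name": "fl-web-nsg", "enabled": true,
  "targetResourceId": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network/networkSecurityGroups/web-nsg",
  "flowAnalyticsConfiguration": {"networkWatcherFlowAnalyticsConfiguration":
     {"enabled": true, "workspaceResourceId": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/law"}}},
 {"name": "fl-db-nsg", "enabled": true,
  "targetResourceId": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network/networkSecurityGroups/db-nsg",
  "flowAnalyticsConfiguration": null},
 {"name": "fl-hub-vnet", "enabled": false,
  "targetResourceId": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/hub-vnet"}
]""")

if __name__ == "__main__":
    print(json.dumps(audit_nsg_flow_logs(SAMPLE), indent=2))
```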
From Azure Policy
If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.
- Policy ID: 27960feb-a23c-4577-8d36-ef8b5f35e0be - Name: All flow log resources should be in enabled state
- Policy ID: c251913d-7d24-4958-af87-478ed3b9ba41 - Name: Flow logs should be configured for every network security group
- Policy ID: 4c3c6c5f-0d47-4402-99b8-aa543dd8bcee - Name: Flow logs should be configured for every virtual network
Default Value
By default, Network Security Group flow logs are not sent to Log Analytics.