
📝 Azure Virtual Network Flow Logs are not captured and sent to Log Analytics Workspace 🟢

  • Contextual name: 📝 Virtual Network Flow Logs are not captured and sent to Log Analytics Workspace 🟢
  • ID: /ce/ca/azure/network-watcher/virtual-network-flow-logs
  • Located in: 📝 Azure Network Watcher

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Description

Ensure that virtual network flow logs are captured and fed into a central log analytics workspace.

Rationale

Virtual network flow logs provide critical visibility into traffic patterns. Sending logs to a Log Analytics workspace enables centralized analysis, correlation, and alerting for faster threat detection and response.

Impact

  • Virtual network flow logs are charged per gigabyte of network flow logs collected and come with a free tier of 5 GB/month per subscription.
  • If traffic analytics is enabled with virtual network flow logs, traffic analytics pricing applies at per gigabyte processing rates.
  • The storage of logs is charged separately.

Audit

From Azure Portal

  1. Go to Network Watcher.
  2. Under Logs, select Flow logs.
  3. Click Add filter.
  4. From the Filter drop-down menu, select Flow log type.
  5. From the Value drop-down menu, check Virtual network only.
  6. Click Apply.
  7. Ensure that at least one virtual network flow log is listed and is configured to send logs to a Log Analytics Workspace.
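The check in step 7 can also be evaluated over exported flow-log records. The following is an added example, not part of the original policy: it assumes the records have the JSON shape emitted by `az network watcher flow-log list --location <region> -o json`, and every resource name and ID in the sample is constructed.

```python
# Added example: evaluates audit step 7 over flow-log records.
# Assumption: each record has the JSON shape emitted by
#   az network watcher flow-log list --location <region> -o json
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
NET = SUB + "/providers/Microsoft.Network"
WORKSPACE = SUB + "/providers/Microsoft.OperationalInsights/workspaces/law-central"
VNET_MARKER = "/providers/microsoft.network/virtualnetworks/"

def analytics(enabled, workspace):
    """Build a traffic analytics block for the constructed sample records."""
    return {"networkWatcherFlowAnalyticsConfiguration": {
        "enabled": enabled, "workspaceResourceId": workspace}}

# Constructed sample data, not real resources.
SAMPLE = [
    {"name": "fl-vnet-hub", "enabled": True,
     "targetResourceId": NET + "/virtualNetworks/vnet-hub",
     "flowAnalyticsConfiguration": analytics(True, WORKSPACE)},
    {"name": "fl-vnet-app", "enabled": True,   # storage account only
     "targetResourceId": NET + "/virtualNetworks/vnet-app",
     "flowAnalyticsConfiguration": None},
    {"name": "fl-vnet-old", "enabled": False,  # configured but switched off
     "targetResourceId": NET + "/virtualNetworks/vnet-old",
     "flowAnalyticsConfiguration": analytics(True, WORKSPACE)},
    {"name": "fl-nsg-web", "enabled": True,    # NSG flow log, out of scope
     "targetResourceId": NET + "/networkSecurityGroups/nsg-web",
     "flowAnalyticsConfiguration": analytics(True, WORKSPACE)},
]

def workspace_of(flow_log):
    """Return the Log Analytics workspace ID the flow log feeds, or None."""
    cfg = (flow_log.get("flowAnalyticsConfiguration") or {}).get(
        "networkWatcherFlowAnalyticsConfiguration") or {}
    if cfg.get("enabled") and cfg.get("workspaceResourceId"):
        return cfg["workspaceResourceId"]
    return None

def audit(flow_logs):
    """Pass when at least one enabled VNet flow log feeds a workspace."""
    compliant, findings = [], []
    for fl in flow_logs:
        if VNET_MARKER not in (fl.get("targetResourceId") or "").lower():
            continue  # same effect as the "Virtual network only" filter in step 5
        if not fl.get("enabled"):
            findings.append((fl["name"], "flow log disabled"))
        elif workspace_of(fl) is None:
            findings.append((fl["name"], "no Log Analytics workspace"))
        else:
            compliant.append(fl["name"])
    return {"passed": bool(compliant), "compliant": compliant, "findings": findings}
```

The `findings` list names virtual network flow logs that exist but do not feed a workspace, which helps when planning remediation per virtual network.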


Remediation

From Azure Portal

  1. Navigate to Network Watcher.
  2. Under Logs, select Flow logs.
  3. Select + Create.
  4. Select a subscription.
  5. Next to Flow log type, select Virtual network.
  6. Click + Select target resource.
  7. Select Virtual network.
  8. Select a virtual network.
  9. Click Confirm selection.
  10. Select a storage account, or create a new storage account.
  11. Set the retention in days for the storage account.
  12. Click Next.
  13. Under Analytics, for Flow logs version, select Version 2.
  14. Check the box next to Enable traffic analytics.
  15. Select a processing interval.
  16. Select a Log Analytics Workspace.
  17. Click Next.
  18. Optionally, add Tags.
  19. Click Review + create.
  20. Click Create.
  21. Repeat steps 1-20 for each subscription or virtual network requiring remediation.

Linked Framework Sections

Section  Sub Sections  Internal Rules  Policies  Flags
💼 CIS Azure v4.0.0 → 💼 7.1.1.7 Ensure that virtual network flow logs are captured and sent to Log Analytics (Manual)  1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration  59