Ensure Network Security Group Flow logs are captured and sent to Log Analytics

Overview

Ensure that network flow logs are captured and fed into a central log analytics workspace.

Rationale

Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.

Impact

The impact of configuring NSG Flow logs is primarily cost and configuration. If deployed, it will create storage accounts that hold minimal amounts of data for a 5-day lifecycle before feeding it to the Log Analytics Workspace.

This will increase the amount of data stored and used by Azure Monitor.

Default Value

By default, Network Security Group logs are not sent to Log Analytics.

References

Remediation guidance

Remediate from Azure Portal

Navigate to Network Watcher.
Under Logs, select Flow logs.
Select + Create.
Select the desired Subscription.
For Flow log type, select Network security group.
Select + Select target resource.
Select Network security group.
Select a network security group.
Click Confirm selection.
Select or create a new Storage Account.
If using a v2 storage account, input the retention in days to retain the log.
Click Next.
Under Analytics, for Flow log version, select Version 2.
Check the box next to Enable traffic analytics.
Select a processing interval.
Select a Log Analytics Workspace.
Select Next.
Optionally add Tags.
Select Review + create.
Select Create.

Warning

The remediation policy creates remediation deployment and names them by concatenating the subscription name and the resource group name. The MAXIMUM permitted length of a deployment name is 64 characters. Exceeding this will cause the remediation task to fail.

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure Flow Logs for NSGs without Log Analytics

Connectors

Microsoft Azure

Covered asset types

FlowLog

Expected check: eq []

{
  flowLogs(
    where: {
      targetResourceID_CONTAINS: "networkSecurityGroups"
      trafficAnalyticsEnabled: false
    }
  ) {
    ...AssetFragment
  }
}