Microsoft AzureOverview
Ensure that network flow logs are captured and fed into a central log analytics workspace.
Rationale
Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.
Impact
The impact of configuring NSG Flow logs is primarily cost and configuration. If deployed, it will create storage accounts that hold minimal amounts of data for a 5-day lifecycle before feeding it to the Log Analytics Workspace.
This will increase the amount of data stored and used by Azure Monitor.
Default Value
By default, Network Security Group logs are not sent to Log Analytics.
References
Remediation guidance
Remediate from Azure Portal
- Navigate to
Network Watcher. - Under
Logs, selectFlow logs. - Select
+ Create. - Select the desired Subscription.
- For
Flow log type, selectNetwork security group. - Select
+ Select target resource. - Select
Network security group. - Select a network security group.
- Click
Confirm selection. - Select or create a new Storage Account.
- If using a v2 storage account, input the retention in days to retain the log.
- Click
Next. - Under
Analytics, forFlow log version, selectVersion 2. - Check the box next to
Enable traffic analytics. - Select a processing interval.
- Select a
Log Analytics Workspace. - Select
Next. - Optionally add Tags.
- Select
Review + create. - Select
Create.
Warning
The remediation policy creates remediation deployment and names them by concatenating the subscription name and the resource group name. The MAXIMUM permitted length of a deployment name is 64 characters. Exceeding this will cause the remediation task to fail.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Azure Flow Logs for NSGs without Log Analytics
Connectors
Covered asset types
Expected check: eq []
{
flowLogs(
where: {
targetResourceID_CONTAINS: "networkSecurityGroups"
trafficAnalyticsEnabled: false
}
) {
...AssetFragment
}
}
