5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Ensure that network flow logs are captured and fed into a central log analytics workspace.

Rationale:

Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.

Impact:

The impact of configuring NSG Flow logs is primarily one of cost and configuration. If deployed, it will create storage accounts that hold minimal amounts of data on a 5-day lifecycle before feeding to Log Analytics Workspace. This will increase the amount of data stored and used by Azure Monitor.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Azure Portal

Navigate to the Azure Monitor Blade

Select Networking

Select the Network Watcher option

Then NSG Flow Logs

Select + Create

Select the desired Subscription.

Select the + NSG and the network service group for a network.

Select the Storage Account to log and the retention in days to retain the log.

In Configurations keep the default value of v2. If you desire even further analysis select Enable Traffic Analytics, then the processing interval, and the Log Analytics Workspace.

Tag as desired, then go to Create. Then create.

Warning
The remediation policy creates remediation deployment and names them by concatenating the subscription name and the resource group name. The MAXIMUM permitted length of a deployment name is 64 characters. Exceeding this will cause the remediation task to fail.

Default Value:

By default Network Security Group logs are not sent to Log Analytics.

See Also

https://workbench.cisecurity.org/files/4052