Ensure that traffic analytics is enabled via Azure Network Watcher Flow Log

MEDIUM

Description

Traffic Analytics is not enabled on the Azure Network Watcher Flow Log. Without it, flow-log data is not aggregated and enriched in Log Analytics, which reduces the visibility available to network security and SOC teams.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Policy.
  2. Under Authoring, select Assignments.
  3. Select Assign policy and search for Flow log.
  4. Choose the policy to assign. For more information on how the flow log policies work, see the Azure documentation.

Alternatively, you can follow these steps for individual network security group flow log configurations:

  1. Open the Azure Portal and go to Network security groups.
  2. Select the NSG you wish to edit.
  3. Under Monitoring, select NSG flow logs.
  4. Select Create and follow the prompts to configure the flow log.

In Terraform -

  1. In the azurerm_network_watcher_flow_log resource, create a traffic_analytics block.
  2. Set enabled to true.
  3. Configure workspace_id, workspace_region, and workspace_resource_id as needed.
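The following Terraform configuration is an added example written for this page; it is not taken from the Terraform provider documentation or from any real deployment. It shows a flow log without Traffic Analytics (the condition this rule flags) next to the remediated form with a traffic_analytics block. All resource names, regions and the storage account name are placeholders, and the Log Analytics workspace, storage account and network security group are assumed to be defined elsewhere in the same configuration.

```hcl
# Added example: Network Watcher flow log WITHOUT Traffic Analytics.
# Flow records are written to storage only, so Log Analytics never sees them
# and this resource would be flagged by the rule above.
resource "azurerm_network_watcher_flow_log" "noncompliant" {
  name                 = "nsg-flowlog-noncompliant"          # placeholder
  network_watcher_name = azurerm_network_watcher.example.name
  resource_group_name  = azurerm_resource_group.example.name

  network_security_group_id = azurerm_network_security_group.example.id
  storage_account_id        = azurerm_storage_account.example.id
  enabled                   = true
  version                   = 2

  retention_policy {
    enabled = true
    days    = 30
  }
  # no traffic_analytics block -> Traffic Analytics disabled
}

# Added example: the same flow log WITH Traffic Analytics enabled.
# The three workspace_* values all come from the Log Analytics workspace
# that should receive the aggregated flow data.
resource "azurerm_network_watcher_flow_log" "compliant" {
  name                 = "nsg-flowlog-compliant"             # placeholder
  network_watcher_name = azurerm_network_watcher.example.name
  resource_group_name  = azurerm_resource_group.example.name

  network_security_group_id = azurerm_network_security_group.example.id
  storage_account_id        = azurerm_storage_account.example.id
  enabled                   = true
  version                   = 2

  retention_policy {
    enabled = true
    days    = 30
  }

  traffic_analytics {
    enabled = true
    # workspace_id is the workspace GUID, not its ARM resource ID
    workspace_id          = azurerm_log_analytics_workspace.example.workspace_id
    workspace_region      = azurerm_log_analytics_workspace.example.location
    workspace_resource_id = azurerm_log_analytics_workspace.example.id
    # Shorter intervals (10 vs the default 60 minutes) give faster
    # detection at the cost of more Log Analytics ingestion.
    interval_in_minutes = 10
  }
}
```

Note that workspace_id and workspace_resource_id are different values: the first is the workspace GUID exposed by the azurerm_log_analytics_workspace resource's workspace_id attribute, the second is its full ARM resource ID. Supplying the resource ID in both fields is a common mistake that fails at apply time. Also keep in mind the Terraform note below: creating the flow log resource replaces the storage account's existing lifecycle management rules, so review any retention rules already applied to that account before applying.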

Note from Terraform: The azurerm_network_watcher_flow_log creates a new storage lifecycle management rule that overwrites existing rules.

References:
https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-policy-portal
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher_flow_log

Policy Details

Rule Reference ID: AC_AZURE_0416
CSP: Azure
Remediation Available: Yes
Resource Category: Logging and Monitoring
Resource Type: Network Watcher

Frameworks