Ensure Flow-Logs are Enabled on NSG

Enable flow logs on every network security group so that the traffic each NSG allows and denies is recorded to a storage account, where it can be retained for forensic investigation and fed to Traffic Analytics or a SIEM to alert on suspicious or malicious network activity in your Azure subscription. Flow logs only record: alerting on what they contain requires downstream tooling such as Traffic Analytics or a SIEM.

Risk Level: Low
Cloud Entity: Network security group
CloudGuard Rule ID: D9.AZU.NET.59
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

NetworkSecurityGroup should have nsgFlowLog.properties.enabled=true

REMEDIATION

With Azure CLI (a flow log is a resource under the Network Watcher of the NSG's region, so a flow-log name and the region are required; --resource-group is the resource group of the NSG and is used to resolve an NSG or storage-account given by name, so pass full resource IDs when the storage account lives in a different resource group):
az network watcher flow-log create --resource-group resourceGroupName --name flowLogName --enabled true --nsg nsgName --storage-account storageAccountName --location location

Note that Microsoft is retiring NSG flow logs in favour of virtual network flow logs: new NSG flow logs cannot be created after 30 June 2025, and existing ones stop working on 30 September 2027. For new deployments, the same command accepts --vnet or --subnet in place of --nsg to create a virtual network flow log.
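
The following script is an added example, not CloudGuard's rule code or Microsoft's documentation: it walks every NSG in the current subscription, applies the same test as the GSL logic (at least one flow log targeting the NSG has enabled=true) and prints a remediation command for each non-compliant NSG. It assumes a logged-in az CLI and a hypothetical environment variable STORAGE_ACCOUNT_ID holding the full resource ID of the destination storage account; the flow-log name suffix and the 90-day retention are choices made here, not values from the page.

```shell
#!/bin/sh
# Added example (not CloudGuard's or Microsoft's code): audit every NSG in the
# current subscription for an enabled flow log and print a remediation command
# for each gap. Assumes a logged-in `az` CLI and the hypothetical variable
# STORAGE_ACCOUNT_ID holding the full resource ID of the storage account that
# should receive the logs (an ID rather than a name, so the lookup does not
# depend on the NSG's resource group).
set -eu

# Mirror the GSL check nsgFlowLog.properties.enabled=true. The argument is the
# tsv output of
#   az network watcher flow-log list --location <loc> \
#       --query "[?targetResourceId=='<nsgId>'].enabled" -o tsv
# i.e. one True/False line per flow log that targets the NSG, or an empty
# string when none does. Returns 0 (compliant) only if at least one is true.
nsg_is_compliant() {
  printf '%s\n' "$1" | grep -qi '^true$'
}

# Compose the remediation command for one NSG. The flow log is created under
# the Network Watcher of the NSG's region; --resource-group is the NSG's
# resource group, and both --nsg and --storage-account are passed as full IDs.
remediation_command() {
  nsg_id="$1"; nsg_rg="$2"; location="$3"; storage_account_id="$4"
  nsg_name="${nsg_id##*/}"
  printf 'az network watcher flow-log create --location %s --name %s-flowlog --nsg %s --resource-group %s --storage-account %s --enabled true --log-version 2 --retention 90\n' \
    "$location" "$nsg_name" "$nsg_id" "$nsg_rg" "$storage_account_id"
}

# Walk every NSG in the subscription and report COMPLIANT / NON-COMPLIANT.
audit_subscription() {
  if [ -z "${STORAGE_ACCOUNT_ID:-}" ]; then
    echo "set STORAGE_ACCOUNT_ID to the destination storage account resource ID" >&2
    return 0
  fi
  az network nsg list --query "[].[id, location, resourceGroup]" -o tsv |
  while read -r nsg_id location nsg_rg; do
    # Flow logs are held per region by that region's Network Watcher, so list
    # them for the NSG's region and keep those whose target is this NSG
    # (JMESPath compares the IDs case-sensitively).
    enabled="$(az network watcher flow-log list --location "$location" \
      --query "[?targetResourceId=='$nsg_id'].enabled" -o tsv 2>/dev/null || true)"
    if nsg_is_compliant "$enabled"; then
      echo "COMPLIANT     $nsg_id"
    else
      echo "NON-COMPLIANT $nsg_id"
      remediation_command "$nsg_id" "$nsg_rg" "$location" "$STORAGE_ACCOUNT_ID"
    fi
  done
}

# Run the live audit only when an Azure session exists; the functions above
# can still be exercised offline with constructed values.
if command -v az >/dev/null 2>&1 && az account show >/dev/null 2>&1; then
  audit_subscription
else
  echo "no Azure CLI session; live audit skipped" >&2
fi
```

Review the printed commands before running them: each one creates a flow log in the NSG's region, so a Network Watcher must exist there, and the storage account should be in the same region as the NSG to avoid cross-region egress charges.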

References
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-cli

Network security group

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

Compliance Frameworks

  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset