Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
Ensure that network flow logs are captured and fed into a central log analytics workspace
Risk Level: Low
Cloud Entity: Network Security Group flow logs
CloudGuard Rule ID: D9.AZU.NET.70
Covered by Spectral: No
Category: Networking & Content Delivery
GSL LOGIC
NsgFlowLog should have properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled=true
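The GSL condition above can be checked offline against flow-log resources exported from Azure. The following is an added example, not CloudGuard's or Azure's own code: it walks the dotted property path from the rule over ARM-style flow-log objects and reports why each one passes or fails. The property path is the one given in the rule; the surrounding resource shape (`properties.enabled`, `properties.format`, `workspaceResourceId`, `trafficAnalyticsInterval`) is assumed from the Microsoft.Network/networkWatchers/flowLogs REST resource, and the sample resources are constructed.

```python
"""Evaluate the D9.AZU.NET.70 condition against Azure NSG flow-log resources.

Added example (not CloudGuard's or Azure's code). The GSL path comes from the
rule; the resource shape around it is an assumption based on the ARM flowLogs
resource, and SAMPLE_FLOW_LOGS below is constructed test data.
"""
from typing import Any

# Property path from the GSL rule, walked key by key.
GSL_PATH = ("properties.flowAnalyticsConfiguration."
            "networkWatcherFlowAnalyticsConfiguration.enabled")


def get_path(obj: Any, dotted: str) -> Any:
    """Walk a dotted path through nested dicts; None if any key is missing."""
    cur = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def traffic_analytics_enabled(flow_log: dict) -> bool:
    """Strict check: only the boolean True satisfies enabled=true.

    A string "true" or a missing block does not count, which mirrors the
    REST representation where the flag is a JSON boolean.
    """
    return get_path(flow_log, GSL_PATH) is True


def evaluate(flow_log: dict) -> dict:
    """Return a finding with a triage-friendly reason for the verdict."""
    name = flow_log.get("name", "<unnamed>")
    value = get_path(flow_log, GSL_PATH)
    if value is True:
        reason = "Traffic Analytics enabled; flows are sent to Log Analytics"
    elif value is None:
        reason = "no flowAnalyticsConfiguration block; flow logs go to storage only"
    else:
        reason = f"Traffic Analytics flag is {value!r}, expected true"
    return {"name": name, "compliant": value is True, "reason": reason}


def noncompliant_names(flow_logs: list) -> list:
    """Names of flow logs that fail the rule, in input order."""
    return [f["name"] for f in map(evaluate, flow_logs) if not f["compliant"]]


# Constructed sample resources; IDs are placeholders, not real subscriptions.
SAMPLE_FLOW_LOGS = [
    {   # compliant: flow log on, Traffic Analytics on, workspace referenced
        "name": "nsg-web-flowlog",
        "properties": {
            "enabled": True,
            "format": {"type": "JSON", "version": 2},
            "flowAnalyticsConfiguration": {
                "networkWatcherFlowAnalyticsConfiguration": {
                    "enabled": True,
                    "workspaceResourceId": "/subscriptions/<SUB_ID>/resourceGroups/"
                                           "rg-logs/providers/Microsoft.OperationalInsights/"
                                           "workspaces/law-central",
                    "trafficAnalyticsInterval": 10,
                }
            },
        },
    },
    {   # non-compliant: Traffic Analytics block present but switched off
        "name": "nsg-db-flowlog",
        "properties": {
            "enabled": True,
            "flowAnalyticsConfiguration": {
                "networkWatcherFlowAnalyticsConfiguration": {"enabled": False}
            },
        },
    },
    {   # non-compliant: storage-only flow log, no Traffic Analytics block at all
        "name": "nsg-legacy-flowlog",
        "properties": {"enabled": True, "format": {"type": "JSON", "version": 1}},
    },
]


if __name__ == "__main__":
    for finding in map(evaluate, SAMPLE_FLOW_LOGS):
        status = "PASS" if finding["compliant"] else "FAIL"
        print(f"{status} {finding['name']}: {finding['reason']}")
```

The check is deliberately strict: a flow log whose Traffic Analytics block is absent is reported separately from one whose flag is explicitly false, because the first usually means the flow log was created storage-only (as the CLI command below does when no workspace is given) and the second means someone turned analytics off.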
REMEDIATION
From Portal
- Navigate to Network Watcher.
- Select NSG flow logs.
- Select + Create.
- Select the desired Subscription.
- Select + Select NSG, then select a network security group.
- Click Confirm selection.
- Select or create a new Storage Account.
- Input the retention in days to retain the log.
- Click Next.
- Under Configuration, select Version 2. If rich analytics are required, select Enable Traffic Analytics, a processing interval, and a Log Analytics Workspace.
- Select Next.
- Optionally add Tags.
- Select Review + create.
- Select Create.
From TF
Set the 'enabled' argument of the 'azurerm_network_watcher_flow_log' resource to true, as below:
resource "azurerm_network_watcher_flow_log" "example" {
  ...
  # Boolean argument; use the literal true rather than the string "true"
  enabled = true
  ...
}
Note: creating an NSG flow log requires additional configuration beyond this argument; follow the links in the References section.
From Command Line
Run
az network watcher flow-log create --resource-group RESOURCEGROUPNAME --enabled true --nsg NSGNAME --storage-account STORAGEACCOUNTNAME --location LOCATION --format JSON --log-version 2
References
- https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
- https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-cli
- https://docs.microsoft.com/en-us/cli/azure/postgres/server/configuration?view=azure-cli-latest#az-postgres-server-configuration-set
Network Security Group flow logs
Network security group (NSG) flow logs are a feature of Azure Network Watcher that lets you log information about IP traffic flowing through an NSG. Flow data is sent to Azure Storage accounts, from where you can access it directly or export it to the visualization tool, SIEM, or IDS of your choice.
Compliance Frameworks
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset