Ensure that Network Security Group Flow logs are captured and sent to Log Analytics

Ensure that network flow logs are captured and fed into a central log analytics workspace

Risk Level: Low
Cloud Entity: Network Security Group flow logs
CloudGuard Rule ID: D9.AZU.NET.70
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

NsgFlowLog should have properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled=true
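The GSL condition above, as an added audit example that is not CloudGuard's own engine: a Python check over the JSON that `az network watcher flow-log show` / `list -o json` returns, using the ARM property names the rule references. It also reports a flow log that is disabled outright or has no workspace attached, since neither can be "sent to Log Analytics". The sample records are constructed; `audit(SAMPLE_FLOW_LOGS)` flags the two non-compliant ones.

```python
import json

# Property path the GSL rule inspects, as `az network watcher flow-log show -o json`
# returns it (ARM camelCase names).
TA_PATH = ("properties", "flowAnalyticsConfiguration",
           "networkWatcherFlowAnalyticsConfiguration")


def _dig(obj, path):
    """Walk nested dicts along path; None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def evaluate_flow_log(flow_log: dict) -> tuple:
    """(compliant, reason) for one NsgFlowLog resource: the flow log must be
    enabled and traffic analytics enabled with a workspace attached."""
    if _dig(flow_log, ("properties", "enabled")) is not True:
        return False, "flow log is disabled"
    ta = _dig(flow_log, TA_PATH)
    if not isinstance(ta, dict):
        return False, "no traffic analytics configuration"
    if ta.get("enabled") is not True:  # the GSL condition itself
        return False, "traffic analytics disabled"
    if not ta.get("workspaceResourceId"):
        return False, "no Log Analytics workspace attached"
    return True, "ok"


def audit(flow_logs: list) -> list:
    """[(name, reason)] for every non-compliant flow log in a list."""
    results = [(fl.get("name", "<unnamed>"), evaluate_flow_log(fl)) for fl in flow_logs]
    return [(name, reason) for name, (ok, reason) in results if not ok]


# Constructed sample records shaped like `az network watcher flow-log list` output;
# <sub-id> is a placeholder, not a real subscription.
SAMPLE_FLOW_LOGS = json.loads("""[
 {"name": "nsg-web-flowlog", "properties": {"enabled": true, "flowAnalyticsConfiguration":
   {"networkWatcherFlowAnalyticsConfiguration": {"enabled": true, "trafficAnalyticsInterval": 10,
    "workspaceResourceId": "/subscriptions/<sub-id>/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-central"}}}},
 {"name": "nsg-db-flowlog", "properties": {"enabled": true, "flowAnalyticsConfiguration":
   {"networkWatcherFlowAnalyticsConfiguration": {"enabled": false}}}},
 {"name": "nsg-legacy-flowlog", "properties": {"enabled": false}}
]""")
```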

REMEDIATION

From Portal

  1. Navigate to Network Watcher.
  2. Select NSG flow logs.
  3. Select + Create. Select the desired Subscription.
  4. Select + Select NSG. Select a network security group.
  5. Click Confirm selection. Select or create a new Storage Account.
  6. Input the retention in days to retain the log. Click Next.
  7. Under Configuration, select Version 2. If rich analytics are required, select Enable Traffic Analytics, a processing interval, and a Log Analytics Workspace. Select Next.
  8. Optionally add Tags. Select Review + create.
  9. Select Create.

From TF
Set the 'enabled' argument under 'azurerm_network_watcher_flow_log' as below:

resource "azurerm_network_watcher_flow_log" "example" {
  ...
  # 'enabled' is a boolean argument; an unquoted true is the idiomatic form.
  enabled = true
  ...
}

Note: Creating an NSG flow log requires additional configuration beyond this argument; please follow the link in the references.

From Command Line
Run

az network watcher flow-log create --resource-group RESOURCEGROUPNAME --name FLOWLOGNAME --enabled true --nsg NSGNAME --storage-account STORAGEACCOUNTNAME --location LOCATION --format JSON --log-version 2

References

  1. https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
  2. https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-cli
  3. https://docs.microsoft.com/en-us/cli/azure/postgres/server/configuration?view=azure-cli-latest#az-postgres-server-configuration-set

Network Security Group flow logs

Network security group (NSG) flow logs are a feature of Azure Network Watcher that lets you log information about IP traffic flowing through an NSG. Flow data is sent to Azure Storage accounts, from where you can access it directly or export it to any visualization tool, SIEM, or IDS of your choice.

Compliance Frameworks

  • Azure CIS Foundations v.1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset