lacework-global-631
5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics (Manual)
Profile Applicability
• Level 2
Description
Ensure that network flow logs are captured and fed into a central log analytics workspace.
Rationale
Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.
Impact
The impact of configuring NSG Flow logs is primarily one of cost and configuration. If deployed, it will create storage accounts that hold minimal amounts of data on a 5-day lifecycle before feeding to Log Analytics Workspace. This will increase the amount of data stored and used by Azure Monitor.
Audit
From Azure Portal
- Navigate to the
Azure Monitor
Blade - Select
Networks
- Select the
Network Watcher
option - Then
NSG Flow Logs
- For each log you wish to audit select it from this view.
Remediation
From Azure Portal
- Navigate to the
Azure Monitor
Blade - Select
Networking
- Select the
Network Watcher
option - Then
NSG Flow Logs
- Select
+ Create
- Select the desired Subscription.
- Select the
+ NSG
and the network service group for a network. - Select the Storage Account to log and the retention in days to retain the log.
- In
Configurations
keep the default value of v2. If you desire even further analysis selectEnable Traffic Analytics
, then the processing interval, and the Log Analytics Workspace. - Tag as desired, then go to
Create
. Then create.
Warning The remediation policy creates remediation deployment and names them by concatenating the subscription name and the resource group name. The MAXIMUM permitted length of a deployment name is 64 characters. Exceeding this will cause the remediation task to fail.
References
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation