lacework-global-816

info

6.6 Ensure that Network Watcher is 'Enabled' (excludes Reserved access regions) (Automated)

Description

Enable Network Watcher for physical regions in Azure subscriptions which are not subject to restricted access.

Remediation

Opting out of Network Watcher automatic enablement is a permanent change. Once you opt out, you cannot opt in without contacting support.

To manually enable Network Watcher in each region where you want to use Network Watcher capabilities, follow the steps below.

From Azure Portal:

  1. Go to Network Watcher.

  2. Click Create.

  3. Select a Region from the drop-down menu.

  4. Click Add.

From Azure CLI:

az network watcher configure --locations <region> --enabled true --resource-group <resource_group>
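To find which regions still need the command above, the following added example (not code from Lacework or Microsoft) compares the subscription's physical regions with the regions that already have a Network Watcher and prints one remediation command per gap. It assumes `az account list-locations` reports `metadata.regionType`; `EXCLUDE_REGIONS`, `RESOURCE_GROUP`, the function names, and the `--live` switch are hypothetical names chosen for this example, and the sample regions are constructed.

```shell
#!/bin/sh
# Added example: list regions that still lack a Network Watcher and print the
# remediation command for each one.

# missing_regions EXPECTED ENABLED
# Arguments are newline-separated region names. Prints, sorted, every expected
# region with no case-insensitive match in the enabled list.
missing_regions() {
    watched=$(printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sort -u |
    while read -r region; do
        [ -n "$region" ] || continue
        printf '%s\n' "$watched" | grep -qxF -- "$region" || printf '%s\n' "$region"
    done
}

# remediation_commands REGIONS [RESOURCE_GROUP]
# Prints the CLI command from the remediation steps once per region.
remediation_commands() {
    rg=${2:-"<resource_group>"}
    printf '%s\n' "$1" | while read -r region; do
        [ -n "$region" ] || continue
        printf 'az network watcher configure --locations %s --enabled true --resource-group %s\n' "$region" "$rg"
    done
}

# audit_subscription: live check against the logged-in subscription.
# EXCLUDE_REGIONS (hypothetical variable): space-separated regions to skip,
# for example restricted-access regions that the control excludes.
audit_subscription() {
    all=$(az account list-locations \
        --query "[?metadata.regionType=='Physical'].name" -o tsv)
    have=$(az network watcher list --query "[].location" -o tsv)
    skip=$(printf '%s\n' "${EXCLUDE_REGIONS:-}" | tr ' ' '\n')
    # Excluded regions are treated as already satisfied.
    missing_regions "$all" "$have
$skip"
}

if [ "${1:-}" = "--live" ]; then
    remediation_commands "$(audit_subscription)" "${RESOURCE_GROUP:-}"
else
    # Constructed sample data so the comparison can be checked offline.
    sample_all='eastus
westeurope
uksouth'
    sample_have='WestEurope'
    remediation_commands "$(missing_regions "$sample_all" "$sample_have")"
fi
```

The script only prints the commands; review the list before running any of them.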

References

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-overview
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-create?tabs=portal
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation
https://azure.microsoft.com/en-gb/explore/global-infrastructure/products-by-region/?products=network-watcher&regions=all&rar=true
https://azure.microsoft.com/en-ca/pricing/details/network-watcher/