Skip to main content

lacework-global-631

Capture Network Security Group (NSG) Flow logs and send to Log Analytics (Manual)

Profile Applicability

• Level 2

Description

Capture network flow logs and feed them into a central log analytics workspace.

Rationale

Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.

Impact

The impact of configuring NSG Flow logs is primarily one of cost and configuration. If deployed, it will create storage accounts that hold minimal amounts of data on a 5-day lifecycle before feeding to Log Analytics Workspace. This will increase the amount of data stored and used by Azure Monitor.

Audit

From Azure Portal

  1. Navigate to the Azure Monitor Blade
  2. Select Networks
  3. Select the Network Watcher option
  4. Then NSG Flow Logs
  5. For each log you wish to audit select it from this view.

Remediation

From Azure Portal

  1. Navigate to Network Watcher.
  2. Select NSG flow logs.
  3. Select + Create.
  4. Select the desired Subscription.
  5. Select + Select NSG.
  6. Select a network security group.
  7. Click Confirm selection.
  8. Select or create a new Storage Account.
  9. Input the retention in days to retain the log.
  10. Click Next.
  11. Under Configuration, select Version 2.
  12. If you require rich analytics, select Enable Traffic Analytics, a processing interval, and a Log Analytics Workspace.
  13. Select Next.
  14. Optionally add Tags.
  15. Select Review + create.
  16. Select Create.

Warning The remediation policy creates remediation deployment and names them by concatenating the subscription name and the resource group name. The MAXIMUM permitted length of a deployment name is 64 characters. Exceeding this causes the remediation task to fail.

References

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation