Pipeline: 6.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
Description
Ensure that network flow logs are captured and fed into a central log analytics workspace.
Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.
Remediation
From Azure Portal
- Navigate to
Network Watcher
. - Under
Logs
, selectFlow logs
. - Select
+ Create
. - Select the desired Subscription.
- For
Flow log type
, selectNetwork security group
. - Select
+ Select target resource
. - Select
Network security group
. - Select a network security group.
- Click
Confirm selection
. - Select or create a new Storage Account.
- If using a v2 storage account, input the retention in days to retain the log.
- Click
Next
. - Under
Analytics
, forFlow log version
, selectVersion 2
. - Check the box next to
Enable traffic analytics
. - Select a processing interval.
- Select a
Log Analytics Workspace
. - Select
Next
. - Optionally add Tags.
- Select
Review + create
. - Select
Create
.
Warning The remediation policy creates remediation deployment and names them by concatenating the subscription name and the resource group name. The MAXIMUM permitted length of a deployment name is 64 characters. Exceeding this will cause the remediation task to fail.
Default Value
By default Network Security Group logs are not sent to Log Analytics.
Run the pipeline
To run this pipeline from your terminal:
flowpipe pipeline run azure_cis.pipeline.cis_v300_6_1_5
Use this pipeline
To call this pipeline from your pipeline, use a step:
step "pipeline" "step_name" { pipeline = azure_cis.pipeline.cis_v300_6_1_5 }
Params
Name | Type | Required | Description | Default |
---|---|---|---|---|
database | connection.steampipe | Yes | Database connection string. | connection.steampipe.default |
notifier | notifier | Yes | The name of the notifier to use for sending notification messages. | notifier.default |
notification_level | string | Yes | The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'. | info |
approvers | list(notifier) | Yes | List of notifiers to be used for obtaining action/approval decisions. | notifier.default |
Outputs
This pipeline has no outputs.