turbot/steampipe-mod-azure-compliance

Control: 6.1.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics

Description

Ensure that network flow logs are captured and fed into a central log analytics workspace.

Retirement Notice

On September 30, 2027, network security group (NSG) flow logs will be retired. As of June 30, 2025, creating new NSG flow logs is no longer possible. Azure recommends migrating to virtual network flow logs. Review https://azure.microsoft.com/en-us/updates?id=Azure-NSG-flow-logs-Retirement for more information. For virtual network flow logs, consider applying the recommendation, Ensure that virtual network flow logs are captured and sent to Log Analytics, from this section.

Remediation

As of June 30, 2025, creating new NSG flow logs is no longer possible. Azure recommends migrating to virtual network flow logs. Consider applying the recommendation, Ensure that virtual network flow logs are captured and sent to Log Analytics, from this section.

Default Value

By default, Network Security Group flow logs are not sent to Log Analytics.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_6_1_1_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_6_1_1_5 --share

SQL

This control uses a named query:

with nsg_network_watcher_flow_log as (
  select
    subscription_id,
    count(*) as nsg_flow_log_count
  from
    azure_network_watcher_flow_log
  where
    traffic_analytics -> 'workspaceId' is not null
    and target_resource_id like '%/Microsoft.Network/networkSecurityGroups/%'
  group by
    subscription_id
)
select
  sub.id as resource,
  case
    when nsg_flow_log_count > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when nsg_flow_log_count > 0 then sub.display_name || ' has ' || nsg_flow_log_count || ' NSG flow log(s) captured and sent to log analytics.'
    else sub.display_name || ' has no NSG flow log captured and sent to log analytics.'
  end as reason,
  sub.display_name as subscription
from
  azure_subscription as sub
  left join nsg_network_watcher_flow_log as nsg_flow_log on nsg_flow_log.subscription_id = sub.subscription_id;
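The following is an added example, not code from the azure-compliance mod: a plain-Python re-implementation of the query above, run over constructed rows shaped like the azure_network_watcher_flow_log and azure_subscription tables, so the ok/alarm logic (workspace must be set, target must be an NSG, subscriptions with no matching flow log fall out of the left join as alarm) can be traced without a live Azure connection. It also goes one step beyond the page by letting the same evaluator count virtual network flow logs instead, which is what the companion control in this section checks. The subscription ids, resource ids and workspace ids are invented sample values.

```python
"""Offline model of control cis_v500_6_1_1_5 (added example, not the mod's code).

Rows are dicts using the same column names as the Steampipe tables the
query reads; the traffic_analytics JSONB column is modelled as a dict.
"""
from collections import Counter
from typing import Any, Iterable

NSG_PATH_MARKER = "/Microsoft.Network/networkSecurityGroups/"
VNET_PATH_MARKER = "/Microsoft.Network/virtualNetworks/"


def counts_toward_control(flow_log: dict[str, Any], path_marker: str = NSG_PATH_MARKER) -> bool:
    """Mirror the WHERE clause: traffic analytics must reference a Log Analytics
    workspace and the flow log must target the resource type in path_marker.

    Note: this treats an explicit JSON null workspaceId as 'not set', which is
    slightly stricter than the SQL `traffic_analytics -> 'workspaceId' is not null`
    test (the jsonb `->` operator returns a JSON null, not a SQL NULL, there).
    """
    traffic_analytics = flow_log.get("traffic_analytics") or {}
    if traffic_analytics.get("workspaceId") is None:
        return False
    return path_marker in (flow_log.get("target_resource_id") or "")


def flow_log_counts(flow_logs: Iterable[dict[str, Any]], path_marker: str = NSG_PATH_MARKER) -> Counter:
    """The CTE: count qualifying flow logs per subscription_id."""
    counts: Counter = Counter()
    for flow_log in flow_logs:
        if counts_toward_control(flow_log, path_marker):
            counts[flow_log["subscription_id"]] += 1
    return counts


def evaluate(subscriptions: Iterable[dict[str, Any]], flow_logs: Iterable[dict[str, Any]],
             path_marker: str = NSG_PATH_MARKER, label: str = "NSG") -> list[dict[str, str]]:
    """The outer SELECT: one result row per subscription, left-joined to the counts."""
    counts = flow_log_counts(flow_logs, path_marker)
    results = []
    for sub in subscriptions:
        # LEFT JOIN semantics: a subscription with no qualifying flow log gets 0 -> alarm
        n = counts.get(sub["subscription_id"], 0)
        if n > 0:
            status = "ok"
            reason = f"{sub['display_name']} has {n} {label} flow log(s) captured and sent to log analytics."
        else:
            status = "alarm"
            reason = f"{sub['display_name']} has no {label} flow log captured and sent to log analytics."
        results.append({"resource": sub["id"], "status": status,
                        "reason": reason, "subscription": sub["display_name"]})
    return results


# Constructed sample data (ids are placeholders, not real Azure resources).
PROD, DEV, SANDBOX = ("11111111-1111-1111-1111-111111111111",
                      "22222222-2222-2222-2222-222222222222",
                      "33333333-3333-3333-3333-333333333333")
SUBSCRIPTIONS = [
    {"id": f"/subscriptions/{PROD}", "subscription_id": PROD, "display_name": "prod-sub"},
    {"id": f"/subscriptions/{DEV}", "subscription_id": DEV, "display_name": "dev-sub"},
    {"id": f"/subscriptions/{SANDBOX}", "subscription_id": SANDBOX, "display_name": "sandbox-sub"},
]
FLOW_LOGS = [
    # prod: NSG flow log with traffic analytics pointed at a workspace -> counts
    {"subscription_id": PROD,
     "target_resource_id": f"/subscriptions/{PROD}/resourceGroups/rg-prod/providers{NSG_PATH_MARKER}nsg-web",
     "traffic_analytics": {"enabled": True, "workspaceId": "aaaaaaaa-0000-0000-0000-000000000001"}},
    # prod: NSG flow log stored only to a storage account, no traffic analytics -> ignored
    {"subscription_id": PROD,
     "target_resource_id": f"/subscriptions/{PROD}/resourceGroups/rg-prod/providers{NSG_PATH_MARKER}nsg-db",
     "traffic_analytics": None},
    # dev: only a virtual network flow log (the successor resource) -> ignored by the NSG control
    {"subscription_id": DEV,
     "target_resource_id": f"/subscriptions/{DEV}/resourceGroups/rg-dev/providers{VNET_PATH_MARKER}vnet-dev",
     "traffic_analytics": {"enabled": True, "workspaceId": "bbbbbbbb-0000-0000-0000-000000000002"}},
    # sandbox: no flow logs at all
]

if __name__ == "__main__":
    for row in evaluate(SUBSCRIPTIONS, FLOW_LOGS):
        print(row["status"].ljust(6), row["reason"])
    print("--- same data, counted as virtual network flow logs ---")
    for row in evaluate(SUBSCRIPTIONS, FLOW_LOGS, VNET_PATH_MARKER, "virtual network"):
        print(row["status"].ljust(6), row["reason"])
```

With the sample rows, prod-sub passes on the strength of a single NSG flow log (the second one is not counted because traffic analytics is off), dev-sub fails this control even though it has flow logging, because its only flow log targets a virtual network, and sandbox-sub fails because it has nothing. Running the evaluator with VNET_PATH_MARKER flips prod and dev, which is why a migration from NSG to virtual network flow logs should be checked against the companion control rather than this one.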

Tags