Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics

Description

Ensure that network flow logs are captured and fed into a central log analytics workspace.

Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.

Remediation

From Azure Portal

  1. Navigate to the Azure Monitor Blade
  2. Select Networking
  3. Select the Network Watcher option
  4. Then NSG Flow Logs
  5. Select + Create
  6. Select the desired Subscription.
  7. Select the + NSG and the network service group for a network.
  8. Select the Storage Account to log and the retention in days to retain the log.
  9. In Configurations keep the default value of v2. If you desire even further analysis select Enable Traffic Analytics, then the processing interval, and the Log Analytics Workspace.
  10. Tag as desired, then go to Create. Then create.

Warning: The remediation policy creates remediation deployment and names them by concatenating the subscription name and the resource group name. The MAXIMUM permitted length of a deployment name is 64 characters. Exceeding this will cause the remediation task to fail.

Default Value

By default Network Security Group logs are not sent to Log Analytics.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v150_5_1_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v150_5_1_6 --share

SQL

This control uses a named query:

with nsg_network_watcher_flow_log as (
  select
    subscription_id,
    count(*) as nsg_flow_log_count
  from
    azure_network_watcher_flow_log
  where
    traffic_analytics -> 'workspaceId' is not null
    and target_resource_id like '%/Microsoft.Network/networkSecurityGroups/%'
  group by
    subscription_id
)
select
  sub.id resource,
  case
    when nsg_flow_log_count > 0  then 'ok'
    else 'alarm'
  end as status,
  case
    when nsg_flow_log_count > 0 then sub.display_name || ' has ' || nsg_flow_log_count || ' NSG flow log(s) captured and sent to log analytics.'
    else sub.display_name || ' has no NSG flow log captured and sent to log analytics.'
  end as reason
  , display_name as subscription
from
  azure_subscription as sub
  left join nsg_network_watcher_flow_log as nsg_flow_log on nsg_flow_log.subscription_id = sub.subscription_id;

Tags

category = Compliance
cis = true
cis_item_id = 5.1.6
cis_level = 2
cis_section_id = 5.1
cis_type = manual
cis_version = v1.5.0
plugin = azure
service = Azure/KeyVault