Control: Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
Description
Ensure that network flow logs are captured and fed into a central log analytics workspace.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.nsg_network_watcher_flow_log_send_to_log_analytics
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.nsg_network_watcher_flow_log_send_to_log_analytics --share
SQL
This control uses a named query. Note that it evaluates at the subscription level: a subscription is 'ok' when at least one NSG flow log has a Traffic Analytics workspace configured (traffic_analytics -> 'workspaceId' is not null), and 'alarm' when none does. It does not report individual NSGs that lack a flow log.
with nsg_network_watcher_flow_log as (
  select
    subscription_id,
    count(*) as nsg_flow_log_count
  from
    azure_network_watcher_flow_log
  where
    traffic_analytics -> 'workspaceId' is not null
    and target_resource_id like '%/Microsoft.Network/networkSecurityGroups/%'
  group by
    subscription_id
)
select
  sub.id as resource,
  case
    when nsg_flow_log_count > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when nsg_flow_log_count > 0 then sub.display_name || ' has ' || nsg_flow_log_count || ' NSG flow log(s) captured and sent to log analytics.'
    else sub.display_name || ' has no NSG flow log captured and sent to log analytics.'
  end as reason,
  display_name as subscription
from
  azure_subscription as sub
  left join nsg_network_watcher_flow_log as nsg_flow_log on nsg_flow_log.subscription_id = sub.subscription_id;
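Because the control above passes a whole subscription as soon as one NSG forwards flow logs, a practitioner usually also wants a per-NSG view to find the specific groups with no flow log, a disabled flow log, or a flow log that is not sent to a Log Analytics workspace. The following query is an added example written for this page, not part of the azure_compliance mod. It assumes the Steampipe Azure plugin tables azure_network_security_group (columns id, name, resource_group, subscription_id) and azure_network_watcher_flow_log (columns target_resource_id, enabled, traffic_analytics, subscription_id); the enabled column and the NSG table columns are assumptions, since only traffic_analytics, target_resource_id and subscription_id appear on the page.

```sql
-- Added example (not part of the azure_compliance mod): report every NSG
-- individually instead of collapsing the result to one row per subscription.
-- Assumed tables/columns: azure_network_security_group(id, name, resource_group,
-- subscription_id) and azure_network_watcher_flow_log.enabled.
with nsg_flow_log as (
  select
    -- Azure resource IDs are compared case-insensitively; normalise both sides.
    lower(target_resource_id) as nsg_id,
    subscription_id,
    -- True if any flow log attached to this NSG is switched on.
    bool_or(enabled) as any_enabled,
    -- True if any flow log attached to this NSG has Traffic Analytics
    -- pointing at a Log Analytics workspace (same test as the control).
    bool_or((traffic_analytics -> 'workspaceId') is not null) as any_to_log_analytics
  from
    azure_network_watcher_flow_log
  where
    target_resource_id like '%/Microsoft.Network/networkSecurityGroups/%'
  group by
    lower(target_resource_id),
    subscription_id
)
select
  nsg.id as resource,
  case
    when fl.nsg_id is null then 'alarm'
    when not fl.any_enabled then 'alarm'
    when not fl.any_to_log_analytics then 'alarm'
    else 'ok'
  end as status,
  case
    when fl.nsg_id is null then nsg.name || ' has no flow log configured.'
    when not fl.any_enabled then nsg.name || ' has a flow log but it is disabled.'
    when not fl.any_to_log_analytics then nsg.name || ' has a flow log that is not sent to a Log Analytics workspace.'
    else nsg.name || ' has an enabled flow log sent to Log Analytics.'
  end as reason,
  nsg.resource_group,
  nsg.subscription_id
from
  azure_network_security_group as nsg
  left join nsg_flow_log as fl on fl.nsg_id = lower(nsg.id)
order by
  status,
  nsg.subscription_id,
  nsg.resource_group,
  nsg.name;
```

The left join keeps NSGs that have no flow log at all, which is the gap the subscription-level control cannot surface; the two bool_or aggregates let an NSG with several flow log records pass if any one of them is both enabled and forwarded to a workspace. Run it with steampipe query or wrap it in a custom powerpipe control with the same status/reason/resource column contract as the control above.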