Control: Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
Configures auditing against a CIS Benchmark item.
Level: 2
Ensure that network flow logs are captured and fed into a central log analytics workspace.
RETIREMENT NOTICE: On September 30, 2027, network security group (NSG) flow logs will be retired. Starting June 30, 2025, it will no longer be possible to create new NSG flow logs. Azure recommends migrating to virtual network flow logs. For virtual network flow logs, consider applying the recommendation Ensure that virtual network flow logs are captured and sent to Log Analytics in this section.
Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.
Resource Types
This control targets the following resource types:
Policies
This control type relies on these other policies when running actions:
- Azure > CIS v5.0
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- Azure > CIS v5.0 > 6 - Management and Governance Services
Category
In Your Workspace
Developers
- tmod:@turbot/azure-cisv5-0#/control/types/r06010105
- tmod:@turbot/cis#/control/categories/v071208
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv5-0#/control/types/r06010105"
Get Controls