Azure Monitor

NSG Log Analytics Disabled

Risk Level: Low

Description: 

This plugin checks whether the resource logs of each Network Security Group (NSG) are forwarded to a Log Analytics workspace. With Log Analytics enabled for an NSG, its logs land in a central repository where they can be searched, correlated with other telemetry, and audited. In an Azure virtual network, an NSG is used to filter network traffic to and from Azure resources: it is a collection of security rules that allow or deny inbound and outbound traffic to and from Azure services, and its logs record how those rules were applied to traffic.

SentinelOne CNS strongly recommends sending the logs of every Network Security Group resource to a Log Analytics workspace through an Azure Monitor diagnostic setting.

About the Service :

Azure Monitor helps you improve the availability and performance of your applications and services. It provides a complete solution for collecting, analyzing, and acting on telemetry from cloud and on-premises environments. This data lets you understand how your applications are performing and detect issues that may affect them, or the resources they depend on, before they cause harm.

Impact : 

Without a diagnostic setting that forwards NSG logs to a Log Analytics workspace, the record of which security rules were applied to traffic is either not retained at all or sits in a destination that cannot be queried. Forwarding the logs to a central workspace keeps them available for incident response, investigations, and internal audit, and lets potentially unexpected activity (for example, denied connection attempts against a rarely used resource) be searched across all NSGs in one place.

Steps to reproduce :

  1. Sign in to your Azure portal with your Azure account.
    https://portal.azure.com/#home 
  2. Navigate to Azure’s Monitor.
  3. Under Settings, open Diagnostic settings and filter the resource type to Network security groups.
  4. For each NSG, check its diagnostics status. An NSG with no diagnostic setting fails the check; an NSG whose status is Enabled must still be opened to confirm that the setting has the NSG log categories enabled and targets a Log Analytics workspace (a setting that only sends to a storage account or event hub does not satisfy this check).
  5. Follow the same steps for the other network security groups as well.

The Logs blade of Azure Monitor only queries data that has already reached a workspace; it does not show whether an NSG has a diagnostic setting, so the check must be made under Diagnostic settings. Note that NSG resource logs are distinct from NSG flow logs configured in Network Watcher; enabling flow logs does not satisfy this check.

Steps for remediation :

  1. Sign in to your Azure portal with your Azure account.
    https://portal.azure.com/#home 
  2. Navigate to Azure’s Monitor.
  3. Under Settings, open Diagnostic settings, filter the resource type to Network security groups, and click the NSG that failed the check.
  4. Click Add diagnostic setting and give the setting a name.
  5. Under Logs, select the NSG log categories (NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter, or the allLogs category group).
  6. Under Destination details, check Send to Log Analytics workspace, choose the subscription and workspace, and click Save.
  7. Follow the same steps for the other network security groups as well.
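
The check and fix above, as an added example in Python (this is not SentinelOne CNS plugin code): it classifies each NSG from the JSON that `az monitor diagnostic-settings list --resource <nsg-id>` returns, using the same criterion as the portal steps (a setting must target a Log Analytics workspace and enable the NSG log categories), and builds the `az monitor diagnostic-settings create` command that remediates a failing NSG. The diagnostic settings, resource IDs and NSG names are constructed for illustration; in practice the NSG IDs come from `az network nsg list --query "[].id" -o tsv`.

```python
"""Check whether each NSG forwards its resource logs to a Log Analytics workspace.

Added example; this is not the SentinelOne CNS plugin's own code. It evaluates the
JSON that `az monitor diagnostic-settings list --resource <nsg-id>` returns for
one NSG, and builds the `az monitor diagnostic-settings create` command that fixes
a failing NSG. The sample settings below are constructed for illustration.
"""
import json
import shlex

# Resource log categories an NSG emits in Azure Monitor.
NSG_LOG_CATEGORIES = ("NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter")


def enabled_categories(setting):
    """Return the NSG log categories that one diagnostic setting enables."""
    enabled = set()
    for log in setting.get("logs") or []:
        if not log.get("enabled"):
            continue
        if log.get("categoryGroup") == "allLogs":
            enabled.update(NSG_LOG_CATEGORIES)
        elif log.get("category") in NSG_LOG_CATEGORIES:
            enabled.add(log["category"])
        # Other category groups are not resolved here, so they count as not
        # covering the NSG categories (a conservative false positive).
    return enabled


def check_nsg(diag_settings):
    """Classify one NSG from its diagnostic settings.

    Passes only when the settings that target a Log Analytics workspace
    (workspaceId set) together enable every NSG log category. Settings that only
    go to a storage account or event hub do not count: they are not searchable
    in Azure Monitor Logs.
    """
    if isinstance(diag_settings, dict):
        # Older CLI versions wrap the result as {"value": [...]}.
        diag_settings = diag_settings.get("value") or []
    covered, workspaces = set(), []
    for setting in diag_settings:
        workspace = setting.get("workspaceId")
        if not workspace:
            continue
        workspaces.append(workspace)
        covered |= enabled_categories(setting)
    missing = sorted(set(NSG_LOG_CATEGORIES) - covered)
    return {"status": "PASS" if not missing else "FAIL",
            "missing": missing, "workspaces": workspaces}


def remediation_command(nsg_id, workspace_id, name="nsg-to-log-analytics"):
    """Build the az CLI command that creates a compliant diagnostic setting."""
    logs = json.dumps([{"category": c, "enabled": True} for c in NSG_LOG_CATEGORIES])
    return " ".join([
        "az monitor diagnostic-settings create",
        "--name", shlex.quote(name),
        "--resource", shlex.quote(nsg_id),
        "--workspace", shlex.quote(workspace_id),
        "--logs", shlex.quote(logs),
    ])


def audit(all_settings):
    """Run the check over every NSG; returns {nsg_name: result}."""
    return {name: check_nsg(settings) for name, settings in all_settings.items()}


# Constructed sample: what `az monitor diagnostic-settings list` might return for
# four hypothetical NSGs. Subscription, workspace and storage IDs are made up.
WORKSPACE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
             "/providers/Microsoft.OperationalInsights/workspaces/law-central")
STORAGE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
           "/providers/Microsoft.Storage/storageAccounts/stnsglogs")
SAMPLE_DIAG_SETTINGS = {
    # Sends all log categories to a workspace: compliant.
    "nsg-web": [{"name": "to-law", "workspaceId": WORKSPACE, "storageAccountId": None,
                 "logs": [{"categoryGroup": "allLogs", "category": None, "enabled": True}]}],
    # Logs enabled, but the destination is a storage account only: fails.
    "nsg-db": [{"name": "to-storage", "workspaceId": None, "storageAccountId": STORAGE,
                "logs": [{"category": "NetworkSecurityGroupEvent", "enabled": True},
                         {"category": "NetworkSecurityGroupRuleCounter", "enabled": True}]}],
    # Workspace destination, but one category left disabled: fails.
    "nsg-mgmt": [{"name": "partial", "workspaceId": WORKSPACE, "storageAccountId": None,
                  "logs": [{"category": "NetworkSecurityGroupEvent", "enabled": False},
                           {"category": "NetworkSecurityGroupRuleCounter", "enabled": True}]}],
    # No diagnostic setting at all: fails.
    "nsg-test": [],
}


if __name__ == "__main__":
    nsg_prefix = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
                  "/providers/Microsoft.Network/networkSecurityGroups/")
    for nsg_name, result in audit(SAMPLE_DIAG_SETTINGS).items():
        print(f"{nsg_name}: {result['status']} missing={result['missing']}")
        if result["status"] == "FAIL":
            print("  " + remediation_command(nsg_prefix + nsg_name, WORKSPACE))
```

The classification deliberately treats a storage-account or event-hub destination as a failure, which mirrors the portal check: only a Log Analytics workspace makes the NSG events queryable from the Logs blade. Category groups other than `allLogs` are not expanded, so an NSG relying on another group would be reported as failing and should be inspected by hand.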

References :