Azure Network Watcher has NSG flow logs enabled and configured to forward traffic records to a centralized Log Analytics workspace
Risk
Missing or disabled flow logging blinds visibility into network behavior, hindering detection of:
- Lateral movement and internal scanning
- C2 beacons and exfiltration patterns
This degrades incident response and correlation, impacting confidentiality and integrity.
Run this check with Prowler CLI
prowler azure --checks network_flow_log_captured_sent
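The following is an added example, not Prowler's own source code: it models the decision the check above makes for each NSG flow log, and goes one step further by also failing NSGs that have no flow log at all (Network Watcher only lists flow logs that exist, so an unlogged NSG is invisible unless you cross-reference the NSG inventory). The record shape is an assumption modelled on the output of `az network watcher flow-log list`, reduced to the fields the check needs; all resource IDs below are constructed sample data.

```python
"""Offline model of the network_flow_log_captured_sent decision.

Added example: not Prowler's implementation. Record layout is assumed from
`az network watcher flow-log list` output and trimmed to the fields used.
"""
from __future__ import annotations

# Constructed sample resource IDs (hypothetical subscription and names).
PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000"
          "/resourceGroups/rg-prod/providers")
NSG_WEB = f"{PREFIX}/Microsoft.Network/networkSecurityGroups/nsg-web"
NSG_DB = f"{PREFIX}/Microsoft.Network/networkSecurityGroups/nsg-db"
NSG_MGMT = f"{PREFIX}/Microsoft.Network/networkSecurityGroups/nsg-mgmt"
NSG_BASTION = f"{PREFIX}/Microsoft.Network/networkSecurityGroups/nsg-bastion"
STORAGE = f"{PREFIX}/Microsoft.Storage/storageAccounts/stflowlogs"
WORKSPACE = f"{PREFIX}/Microsoft.OperationalInsights/workspaces/law-central"

# Constructed inventory: every NSG in scope, including one with no flow log.
SAMPLE_NSG_IDS = [NSG_WEB, NSG_DB, NSG_MGMT, NSG_BASTION]

# Constructed flow-log records as a Network Watcher would report them.
SAMPLE_FLOW_LOGS = [
    {   # compliant: enabled, storage sink, Traffic Analytics -> workspace
        "name": "fl-nsg-web",
        "enabled": True,
        "targetResourceId": NSG_WEB,
        "storageId": STORAGE,
        "flowAnalyticsConfiguration": {
            "networkWatcherFlowAnalyticsConfiguration": {
                "enabled": True,
                "workspaceResourceId": WORKSPACE,
            }
        },
    },
    {   # flow log object exists but capture is switched off
        "name": "fl-nsg-db",
        "enabled": False,
        "targetResourceId": NSG_DB,
        "storageId": STORAGE,
        "flowAnalyticsConfiguration": None,
    },
    {   # capturing to storage, but Traffic Analytics is off: nothing is
        # forwarded to the workspace, so correlation in Log Analytics fails
        "name": "fl-nsg-mgmt",
        "enabled": True,
        "targetResourceId": NSG_MGMT,
        "storageId": STORAGE,
        "flowAnalyticsConfiguration": {
            "networkWatcherFlowAnalyticsConfiguration": {
                "enabled": False,
                "workspaceResourceId": WORKSPACE,
            }
        },
    },
]


def evaluate_flow_log(flow_log: dict) -> tuple[str, str]:
    """Return (status, reason) for a single flow-log record.

    Order matters: a disabled flow log fails before we even look at
    where it would be sent.
    """
    if not flow_log.get("enabled"):
        return "FAIL", "flow log disabled"
    analytics = ((flow_log.get("flowAnalyticsConfiguration") or {})
                 .get("networkWatcherFlowAnalyticsConfiguration") or {})
    if not analytics.get("enabled"):
        return "FAIL", "Traffic Analytics disabled; records stay in storage only"
    if not analytics.get("workspaceResourceId"):
        return "FAIL", "no Log Analytics workspace configured"
    return "PASS", f"flow log forwarded to {analytics['workspaceResourceId']}"


def audit(flow_logs: list[dict], nsg_ids: list[str]) -> dict[str, tuple[str, str]]:
    """Map every NSG in scope to a finding.

    NSGs with no flow-log record fail outright; Azure resource IDs are
    compared case-insensitively because the API is not consistent about case.
    """
    by_target = {fl["targetResourceId"].lower(): fl for fl in flow_logs}
    findings: dict[str, tuple[str, str]] = {}
    for nsg_id in nsg_ids:
        record = by_target.get(nsg_id.lower())
        if record is None:
            findings[nsg_id] = ("FAIL", "no flow log attached to this NSG")
        else:
            findings[nsg_id] = evaluate_flow_log(record)
    return findings


def summarize(findings: dict[str, tuple[str, str]]) -> dict[str, int]:
    """Count PASS and FAIL findings for a quick compliance ratio."""
    counts = {"PASS": 0, "FAIL": 0}
    for status, _ in findings.values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_FLOW_LOGS, SAMPLE_NSG_IDS)
    for nsg_id, (status, reason) in results.items():
        print(f"{status:4} {nsg_id.rsplit('/', 1)[-1]:12} {reason}")
    print(summarize(results))
```

Feeding this the real JSON from `az network watcher flow-log list --location <REGION>` and `az network nsg list --query "[].id"` (both commands exist in the Azure CLI) gives the same per-NSG verdicts the Prowler check produces, plus the "no flow log attached" gap that a flow-log-only enumeration cannot see.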
Recommendation
Enable NSG flow logs on every NSG and aggregate them centrally in a Log Analytics workspace. Note that the flow log itself is written to a storage account; it is Traffic Analytics that forwards the records on to the workspace, so both must be configured.
- Enforce least privilege on log data
- Define retention and secure storage
- Use layered monitoring (e.g., Traffic Analytics)
- Ensure coverage across regions/subscriptions and critical NSGs
Remediation
CLI
az network watcher flow-log create --location <REGION> --name <FLOW_LOG_NAME> --resource-group <RESOURCE_GROUP> --nsg <NSG_NAME> --storage-account <STORAGE_ACCOUNT_NAME> --enabled true --traffic-analytics true --workspace <LOG_ANALYTICS_WORKSPACE_ID>
Other
- In Azure portal, go to Network Watcher > Flow logs
- Click + Create (or Create flow log)
- Select the target NSG and region
- Set Status to On
- Select a Storage account
- Enable Traffic analytics, then select your Log Analytics workspace
- Click Review + create, then Create
Resource Type
microsoft.network/networkwatchers