Disclaimer - Per the Executive Order, M-21-31, page 16 states that NSG flow logs are to be captured and lists the retention settings. If you are using the workbook in Sentinel, look at the (EL0) > IDS/IPS section to view the callout. This entire series follows that mandate as well as others. Don't forget to navigate with the Maturity Model for Event Log Management (M-21-31) Workbook for Microsoft Sentinel.
Pre-req - Network Watcher and a storage account. I personally would keep the Network Watcher and the storage account used here under the SOC/Infosec resource group.
I hope I caught your attention with the title. Now that I have your attention, how do we capture the "bad" traffic hitting our environment? We do this by creating an NSG (network security group) Flow Log, sending it to Traffic Analytics, and forwarding that to Sentinel. An important note: you can accomplish NSG Flow Logs and Traffic Analytics with a single Azure Policy, "Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics", so use that policy and call it a day. As pre-reqs you will need an Azure storage account for the flow logs and Network Watcher enabled.
Disclaimer - By default, "Retention (days)" in the Flow logs settings is set to 30 with this policy. Think about how you want to set this; in my case, because I am sending everything to Sentinel, I am going to set it to 1 day, as Sentinel/LAW is my retention.
Configure network security groups to use specific workspace, storage account and flow log retention policy for traffic analytics - by Azure Policy
Some quick notes on the image below. Several parameters call for an "ID" - you can find this ID by going to the resource, its Overview tab, then the resource JSON view, and pulling the ResourceID string. Enter the parameters below and hit Next to reach the Remediation tab.
- Parameter 1 - DeployIfNotExists.
- Parameter 2 - Choose the NSG region. The NSG, Network Watcher and storage account need to be in the same region.
- Parameter 3 - Storage ResourceID of the storage account.
- Parameter 4 - Unchecking the "only show parameters" box will allow you to pick 10 instead of the default 60.
- Parameter 5 - Sentinel ResourceID (JSON view) - obtain the resource ID of the Sentinel Log Analytics Workspace.
- Parameter 6 - Choose the workspace region.
- Parameter 7 - Sentinel WorkspaceID - this is the Sentinel LAW WorkspaceID, NOT the ResourceID.
- Parameter 8 - Set the resource group where Network Watcher resides.
- Parameter 9 - Set the NAME of the Network Watcher (the one in the same region, within the Network Watcher RG).
- Parameter 10 - Set the number of days to retain flow logs.
The next step consists of creating a remediation task. Caveat, and please take note! For this to work, the managed identity has to have permissions at the highest tier of what you are setting and sending to the Sentinel LAW. I.e., do not assign the policy at one subscription and expect it to write to another subscription where the parameters point. Once completed, hit Review and Save.
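Before assigning the policy it is worth running a pre-flight check on the ten parameters, because the caveats above (NSG, Network Watcher and storage account in the same region; WorkspaceID is a GUID, not a ResourceID; the assignment scope must cover the subscription that owns the resources) are easy to get wrong and the remediation task fails silently. The script below is an added example, not code from the original post or from Microsoft. The policy parameter names (effect, nsgRegion, storageId, timeInterval, workspaceResourceId, workspaceRegion, workspaceId, networkWatcherRG, networkWatcherName, retentionDays) are assumed to match the built-in definition and should be checked against the definition JSON in your tenant; the "NetworkWatcher_<region>" naming convention is the default name Azure uses and is also an assumption; all IDs and names are constructed sample values.

```python
import json
import re
import uuid

# ARM resource ID shape: /subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


def parse_resource_id(resource_id):
    """Split an ARM resource ID into its parts (lower-cased), or raise if it is not one."""
    m = RESOURCE_ID_RE.match(resource_id)
    if not m:
        raise ValueError(f"not an ARM resource ID: {resource_id!r}")
    return {k: v.lower() for k, v in m.groupdict().items()}


def is_guid(value):
    """Parameter 7 (WorkspaceID) must be the workspace GUID, never the resource ID."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def check_policy_params(assignment_scope, p):
    """Return a list of problems found in the parameter set `p` (assumed policy parameter names)."""
    problems = []
    if p["effect"] != "DeployIfNotExists":
        problems.append("effect: nothing is deployed unless the effect is DeployIfNotExists")
    storage = None
    try:
        storage = parse_resource_id(p["storageId"])
        if (storage["ns"], storage["type"]) != ("microsoft.storage", "storageaccounts"):
            problems.append("storageId: not a Microsoft.Storage/storageAccounts resource ID")
    except ValueError as e:
        problems.append(f"storageId: {e}")
    try:
        ws = parse_resource_id(p["workspaceResourceId"])
        if (ws["ns"], ws["type"]) != ("microsoft.operationalinsights", "workspaces"):
            problems.append("workspaceResourceId: not a Microsoft.OperationalInsights/workspaces resource ID")
    except ValueError as e:
        problems.append(f"workspaceResourceId: {e}")
    if not is_guid(p["workspaceId"]):
        problems.append("workspaceId: must be the workspace GUID, not the resource ID")
    if p["timeInterval"] not in (10, 60):
        problems.append("timeInterval: must be 10 or 60")
    if not 0 <= int(p["retentionDays"]) <= 365:
        problems.append("retentionDays: must be between 0 and 365")
    # Assumption: default Network Watcher names are NetworkWatcher_<region>, so with that
    # convention the suffix must match the NSG region chosen in Parameter 2.
    name = p["networkWatcherName"].lower()
    if name.startswith("networkwatcher_") and name != f"networkwatcher_{p['nsgRegion'].lower()}":
        problems.append("networkWatcherName: region suffix differs from nsgRegion")
    # The post's caveat: the scope where the managed identity receives its rights must
    # cover the subscription that owns the storage account the policy writes to.
    m = re.match(r"^/subscriptions/([^/]+)", assignment_scope, re.IGNORECASE)
    if m and storage and m.group(1).lower() != storage["sub"]:
        problems.append("scope: storage account lives in a subscription outside the assignment scope")
    return problems


def to_assignment_params(p):
    """Wrap each value as {"value": ...}, the shape an Azure Policy parameter file uses."""
    return {k: {"value": v} for k, v in p.items()}


# Constructed sample values; replace with the IDs from your own tenant.
SUB = "11111111-1111-1111-1111-111111111111"
SAMPLE = {
    "effect": "DeployIfNotExists",
    "nsgRegion": "eastus",
    "storageId": f"/subscriptions/{SUB}/resourceGroups/rg-soc/providers/Microsoft.Storage/storageAccounts/stnsgflowlogs",
    "timeInterval": 60,
    "workspaceResourceId": f"/subscriptions/{SUB}/resourceGroups/rg-soc/providers/Microsoft.OperationalInsights/workspaces/law-sentinel",
    "workspaceRegion": "eastus",
    "workspaceId": "22222222-2222-2222-2222-222222222222",
    "networkWatcherRG": "NetworkWatcherRG",
    "networkWatcherName": "NetworkWatcher_eastus",
    "retentionDays": 1,
}

if __name__ == "__main__":
    issues = check_policy_params("/subscriptions/" + SUB, SAMPLE)
    print("\n".join(issues) or "parameters look consistent")
    print(json.dumps(to_assignment_params(SAMPLE), indent=2))
```

Run it once with your real values before creating the assignment; the printed JSON can be saved and passed as the parameter file when you create the assignment from the command line instead of the portal.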
Verifying Azure Traffic Analytics has made it to Sentinel.
- Navigate to the Sentinel LAW.
- Type "AzureNetworkAnalytics_CL" as seen below.
- Please read more detail on the Traffic Analytics Schema.
Verifying Azure Traffic Analytics is capturing data and you are receiving proper traffic and visualization.