Objective
Add a new scanner rule to detect Network Security Groups where flow logs are not enabled, leaving network traffic unmonitored and unauditable.
Background
NSG flow logs are collected by Network Watcher and record, for every flow that traverses a Network Security Group, the source and destination IP and port, the protocol, the direction, whether the matching NSG rule allowed or denied it and (in version 2) byte and packet counts. They are flow records rather than packet captures, but they are the only record of which connections actually crossed the NSG. Without them there is no per-flow history, so lateral movement, data exfiltration and suspicious connections cannot be reconstructed after the fact. Two details the rule must account for: a flow log is a separate resource attached to the region's Network Watcher and can exist while disabled (enabled = false), which must count as not enabled; and Microsoft has announced the retirement of NSG flow logs in favour of virtual network flow logs, so an NSG whose subnet or virtual network is already covered by an enabled virtual network flow log should not be flagged.
Real-World Breach Scenario
In several cloud breach investigations, forensic teams were unable to reconstruct attacker movement because NSG flow logs were disabled. With no flow records there was no audit trail to establish when the intruder first moved laterally, which hosts were reached or what data left the network, and the activity went undetected for weeks.
Compliance Mapping
- CIS Azure Benchmark: 6.5
- NIST CSF: DE.CM-1
- ISO 27001: A.12.4.1
- SOC 2: CC7.2
Deliverables
- scanner/rules/az_net_012.py — scan() function using Azure SDK
- playbooks/cli/fix_az_net_012.sh — enable NSG flow logs
- compliance/frameworks/cis_azure_benchmark.json — add AZ-NET-012 entry
- compliance/frameworks/nist_csf.json — add AZ-NET-012 entry
- compliance/frameworks/iso27001.json — add AZ-NET-012 entry
- compliance/frameworks/soc2.json — add AZ-NET-012 entry
Severity
MEDIUM
Category
Network
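The scan() deliverable, as an added example that is not the project's own code: the detection logic is plain Python over dict records shaped like the azure-mgmt-network NetworkSecurityGroup and FlowLog models, so it runs offline against a constructed sample inventory, and scan() shows how the same logic is fed from a live NetworkManagementClient. The finding fields, the fake subscription and resource IDs, and the decision to count an enabled virtual network flow log on the NSG's subnet or VNet as coverage are assumptions the page does not specify. It goes beyond a bare "a flow log exists" test: a disabled flow-log resource counts as not enabled, resource IDs are compared case-insensitively, and every region's Network Watcher is walked.

```python
"""AZ-NET-012: flag NSGs with no enabled flow log (added example, not the
project's scanner; record shape mirrors azure-mgmt-network models, the
finding format and sample IDs are assumptions)."""
import re
from typing import Dict, Iterable, List, Optional, Set

RULE_ID = "AZ-NET-012"


def _norm(resource_id: str) -> str:
    # ARM resource IDs are case-insensitive and resource-group casing varies
    # between API responses, so compare lower-cased.
    return (resource_id or "").lower()


def _subnet_and_vnet(subnet_id: str) -> Set[str]:
    # A virtual network flow log may target the VNet or the subnet; either
    # covers an NSG attached to that subnet.
    sid = _norm(subnet_id)
    return {sid, sid.split("/subnets/", 1)[0]} if "/subnets/" in sid else {sid}


def covered_targets(flow_logs: Iterable[Dict]) -> Set[str]:
    """Targets that have an *enabled* flow log. A flow-log resource that
    exists with enabled=False is skipped on purpose: that is the case a
    naive 'flow log exists' check gets wrong."""
    return {
        _norm(fl["target_resource_id"])
        for fl in flow_logs
        if fl.get("enabled") is True and fl.get("target_resource_id")
    }


def evaluate_nsg(nsg: Dict, covered: Set[str]) -> Optional[Dict]:
    """Finding dict if nothing covers the NSG, else None."""
    targets = {_norm(nsg["id"])}
    for subnet in nsg.get("subnets") or []:
        targets |= _subnet_and_vnet(subnet["id"])
    if targets & covered:
        return None
    return {
        "rule_id": RULE_ID,
        "severity": "MEDIUM",
        "category": "Network",
        "resource_id": nsg["id"],
        "resource_name": nsg.get("name"),
        "message": "No enabled NSG or virtual network flow log covers this NSG",
    }


def find_unlogged_nsgs(nsgs: Iterable[Dict], flow_logs: Iterable[Dict]) -> List[Dict]:
    covered = covered_targets(flow_logs)
    return [f for nsg in nsgs if (f := evaluate_nsg(nsg, covered)) is not None]


def scan(network_client) -> List[Dict]:
    """Live scan with an azure-mgmt-network NetworkManagementClient (assumed).
    Flow logs hang off each region's Network Watcher, so every watcher is
    walked; querying one region makes other regions' NSGs look unlogged."""
    nsgs = [
        {"id": n.id, "name": n.name,
         "subnets": [{"id": s.id} for s in (n.subnets or [])]}
        for n in network_client.network_security_groups.list_all()
    ]
    flow_logs = []
    for watcher in network_client.network_watchers.list_all():
        rg = re.search(r"/resourcegroups/([^/]+)", watcher.id, re.I).group(1)
        for fl in network_client.flow_logs.list(rg, watcher.name):
            flow_logs.append({"target_resource_id": fl.target_resource_id,
                              "enabled": fl.enabled})
    return find_unlogged_nsgs(nsgs, flow_logs)


# Constructed sample inventory (fake subscription) covering the edge cases.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
_NSG = _SUB + "/providers/Microsoft.Network/networkSecurityGroups/"
_VNET = _SUB + "/providers/Microsoft.Network/virtualNetworks/vnet-prod"
SAMPLE_NSGS = [
    {"id": _NSG + "nsg-web", "name": "nsg-web", "subnets": []},       # own flow log
    {"id": _NSG + "nsg-db", "name": "nsg-db", "subnets": []},         # flow log disabled
    {"id": _NSG + "nsg-app", "name": "nsg-app",                       # covered by VNet log
     "subnets": [{"id": _VNET + "/subnets/app"}]},
    {"id": _NSG + "nsg-mgmt", "name": "nsg-mgmt", "subnets": []},     # RG casing differs
    {"id": _NSG + "nsg-orphan", "name": "nsg-orphan", "subnets": []},  # nothing at all
]
SAMPLE_FLOW_LOGS = [
    {"target_resource_id": _NSG + "nsg-web", "enabled": True},
    {"target_resource_id": _NSG + "nsg-db", "enabled": False},
    {"target_resource_id": _VNET, "enabled": True},
    {"target_resource_id": _NSG.replace("rg-prod", "RG-PROD") + "nsg-mgmt", "enabled": True},
]


def sample_scan() -> List[str]:
    """Names the rule flags in the sample: expected ['nsg-db', 'nsg-orphan']."""
    return [f["resource_name"] for f in find_unlogged_nsgs(SAMPLE_NSGS, SAMPLE_FLOW_LOGS)]
```

The finding carries the full NSG resource ID so the fix playbook can be driven straight from scanner output, and re-running the rule after remediation should return nothing for that ID. Only the disabled and uncovered NSGs in the sample are reported; the one whose flow log targets the same NSG under different resource-group casing and the one covered by a virtual network flow log are not.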