Skip to main content

More Info:

Enable Network Security Group recommendations for virtual machines.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

SOC2, HIPAA

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Monitor Network Security Group setting is not enabled” in AZURE using AZURE console, follow the below steps:
  1. Log in to the AZURE portal (https://portal.azure.com/).
  2. Navigate to the “Security Center” tab from the left-hand side menu.
  3. Click on the “Policy” option under the “Security Center” tab.
  4. Under the Policy tab, click on “Security Policy” and then click on the “Edit” button.
  5. Scroll down to the “Network Security Groups should be configured to log to storage account” policy and click on it.
  6. Click on the “Remediation” button and then click on the “Enable” option.
  7. Click on the “Save” button to save the changes.
Once the above steps are completed, the “Monitor Network Security Group setting is not enabled” misconfiguration will be remediated in AZURE.

To remediate the misconfiguration “Monitor Network Security Group setting is not enabled” for Azure using Azure CLI, follow the below steps:Step 1: Open Azure CLI and login to your Azure account using the command:
az login
Step 2: Once you are logged in, set the subscription where your Network Security Group is located using the command:
az account set --subscription <subscription_id>
Step 3: Now, enable the Network Security Group flow logs using the below command:
az network watcher flow-log configure --enabled true --nsg <nsg_name> --storage-account <storage_account_id> --resource-group <resource_group_name>
Here, replace the <nsg_name> with the name of the Network Security Group that you want to enable flow logs for, <storage_account_id> with the ID of the storage account to which the flow logs should be stored, and <resource_group_name> with the name of the resource group where the Network Security Group is located.Step 4: Once the above command is executed successfully, you can verify the configuration by running the below command:
az network watcher flow-log show --nsg <nsg_name> --resource-group <resource_group_name>
This will display the details of the flow log configuration for the specified Network Security Group.By following the above steps, you can remediate the misconfiguration “Monitor Network Security Group setting is not enabled” for Azure using Azure CLI.
To remediate the “Monitor Network Security Group setting is not enabled” misconfiguration in Azure using Python, you can use the Azure SDK for Python. Here are the steps to enable the setting:
  1. Import the necessary libraries:
from azure.identity import AzureCliCredential
from azure.mgmt.network import NetworkManagementClient
  1. Authenticate using the Azure CLI:
credential = AzureCliCredential()
  1. Instantiate the NetworkManagementClient:
network_client = NetworkManagementClient(credential, subscription_id)
Note: Replace subscription_id with your Azure subscription ID.
  1. Get the network security group (NSG) that needs to be remediated:
nsg_name = "my-nsg" # Replace with the name of your NSG
nsg = network_client.network_security_groups.get(resource_group_name, nsg_name)
Note: Replace resource_group_name with the name of the resource group where your NSG is located.
  1. Enable the “Monitor Network Security Group setting” by updating the NSG:
nsg.enable_flow_log = True
network_client.network_security_groups.create_or_update(resource_group_name, nsg_name, nsg)
  1. Verify that the setting has been enabled by checking the NSG’s properties:
nsg = network_client.network_security_groups.get(resource_group_name, nsg_name)
print(nsg.enable_flow_log)
This should output True, indicating that the “Monitor Network Security Group setting” has been enabled.Note: Make sure that you have the necessary permissions to perform these actions.