Azure NSG Flow Logs (Network Watcher)

m365-azure, Network Traffic, Cloud Admin Portal, SIEM / Log Aggregator

Location

Azure Portal > Network Watcher > NSG Flow Logs (stored in Storage Account as JSON)

Description

Network Security Group (NSG) flow logs record the allowed and denied network flows that pass through Azure NSGs. Version 2 logs add byte counts, packet counts, and flow state (begin/continue/end) to the 5-tuple connection data (source IP, destination IP, source port, destination port, protocol) that version 1 already carried.

Forensic Value

NSG flow logs give Azure virtual networks the kind of network-level visibility that NetFlow gives on-premises networks. They record every allowed and denied connection attempt through an NSG with source and destination IPs, ports, protocol, and the rule that made the decision. Large outbound byte counts from a VM to external IPs can indicate data exfiltration. Denied inbound flows reveal reconnaissance, and denied east-west flows reveal lateral movement attempts blocked by NSG rules. Traffic Analytics integration enriches the raw flows with geographic and threat intelligence context.
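To show how the two detections described above are derived from the raw storage-account JSON, here is an added example (not code from the page or from Microsoft) that parses the v2 flow tuple format, sums bytes sent from VMs to addresses outside an assumed VNet range, and lists external sources whose inbound connections were denied on several ports. The VNet CIDR, the thresholds, and the sample records are all constructed assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the NSG flow log v2 layout (not a real capture).
# Tuple fields: ts,src,dst,sport,dport,proto,direction,decision,state,
#               pkts src->dst, bytes src->dst, pkts dst->src, bytes dst->src
SAMPLE = json.dumps({"records": [{
    "time": "2024-01-01T00:00:00Z", "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1704067200,203.0.113.7,10.5.16.4,51000,22,T,I,D,B,,,,",
            "1704067201,203.0.113.7,10.5.16.4,51001,3389,T,I,D,B,,,,",
            "1704067202,203.0.113.7,10.5.16.4,51002,445,T,I,D,B,,,,",
            "1704067203,203.0.113.9,10.5.16.4,51003,22,T,I,D,B,,,,"]}]},
        {"rule": "AllowInternetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1704067210,10.5.16.4,198.51.100.20,49152,443,T,O,A,B,,,,",
            "1704067220,10.5.16.4,198.51.100.20,49152,443,T,O,A,C,600000,900000000,300000,2000000",
            "1704067290,10.5.16.4,198.51.100.20,49152,443,T,O,A,E,10,500,5,200",
            "1704067300,10.5.16.4,198.51.100.30,49153,443,T,O,A,E,40,6000,60,90000"]}]}]}}]})

VNET = ipaddress.ip_network("10.5.16.0/20")  # assumed VNet address space; anything outside is "external"

def parse_tuple(t):
    """Split one v2 flow tuple. B (begin) records carry empty counters, so default them to 0."""
    f = t.split(",")
    return {"ts": int(f[0]), "src": f[1], "dst": f[2], "sport": int(f[3]), "dport": int(f[4]),
            "proto": f[5], "dir": f[6], "decision": f[7], "state": f[8],
            "bytes_out": int(f[10] or 0), "bytes_in": int(f[12] or 0)}

def summarize(raw_json):
    """Aggregate VM->external bytes per (vm, dst, port) and denied inbound ports per source IP."""
    egress, denied = defaultdict(int), defaultdict(set)
    for rec in json.loads(raw_json)["records"]:
        props = rec["properties"]
        if props.get("Version") != 2:
            continue  # v1 tuples have no byte counts; skip rather than misparse them
        for rule in props["flows"]:
            for flow in rule["flows"]:
                for r in map(parse_tuple, flow["flowTuples"]):
                    if r["decision"] == "A" and r["dir"] == "O" and ipaddress.ip_address(r["dst"]) not in VNET:
                        egress[(r["src"], r["dst"], r["dport"])] += r["bytes_out"]
                    elif r["decision"] == "D" and r["dir"] == "I":
                        denied[r["src"]].add(r["dport"])
    return egress, denied

def flag(egress, denied, byte_threshold=500_000_000, port_threshold=3):
    """Return suspected exfiltration flows and sources that hit several denied inbound ports."""
    exfil = {k: v for k, v in egress.items() if v >= byte_threshold}
    probers = {ip: sorted(p) for ip, p in denied.items() if len(p) >= port_threshold}
    return exfil, probers
```

`flag(*summarize(SAMPLE))` returns the one high-volume flow to 198.51.100.20 and the single source that was denied on 22, 445 and 3389; the 6 kB flow and the one-port denial stay below the thresholds.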

Tools Required

Azure Portal, Log Analytics (KQL), Traffic Analytics, Azure Network Watcher