
RA1101: Access External Network Flow Logs

Summary

ID: RA1101
Brief Description: Make sure you have access to external communication Network Flow logs
Author: @atc_project
Creation Date: 2020/05/06
Requirements:
  • MS_border_firewall
  • MS_border_ngfw
  • DN_zeek_conn_log
References:
Response Stage: Preparation

Description

Make sure that collection of Network Flow logs for external communication (from corporate assets to the Internet) is configured. If there is no option to configure it on a network device, you can install dedicated flow-export software on each endpoint and collect the logs from there.

Warning:

  • There is a feature called "NetFlow Sampling" that eliminates the value of Network Flow logs for some tasks, such as "check whether some host communicated with an external IP": a short flow whose packets are never sampled leaves no record at all. Make sure it is disabled, or that you have an alternative way to collect unsampled Network Flow logs.
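As an added example (not part of the RE&CT page or the project's code), the Python script below reads Zeek conn.log records (the DN_zeek_conn_log requirement above), answers the "which corporate host communicated with this external IP" question, and estimates how likely each external flow is to appear at all under 1-in-N NetFlow packet sampling. The RFC 1918 corporate ranges and the log content are constructed assumptions.

```python
import ipaddress

# Constructed sample in Zeek conn.log layout (tab-separated, "#fields" header).
# Only the columns needed for the check are included; addresses are documentation ranges.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_pkts\tresp_pkts\n"
    "1588761600.1\tCa1\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\t3\t2\n"
    "1588761601.2\tCa2\t10.0.0.5\t51235\t10.0.0.20\t445\ttcp\t40\t38\n"
    "1588761602.3\tCa3\t10.0.0.7\t51236\t198.51.100.25\t80\ttcp\t1200\t900\n"
    "1588761603.4\tCa4\t10.0.0.9\t51237\t203.0.113.10\t443\ttcp\t2\t1\n"
)

# Assumption: corporate assets live in the RFC 1918 ranges; anything else counts as external.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_conn_log(text: str) -> list[dict[str, str]]:
    """Parse Zeek conn.log text into dicts keyed by the names in the #fields header."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def external_flows(rows: list[dict[str, str]]) -> list[dict[str, str]]:
    """Keep only flows from a corporate asset to an external responder."""
    return [r for r in rows if not is_external(r["id.orig_h"]) and is_external(r["id.resp_h"])]


def hosts_that_contacted(rows: list[dict[str, str]], external_ip: str) -> set[str]:
    """Answer 'which internal hosts talked to this external IP?' from unsampled flow logs."""
    return {r["id.orig_h"] for r in external_flows(rows) if r["id.resp_h"] == external_ip}


def record_probability(row: dict[str, str], sampling_rate: int) -> float:
    """Chance a flow is recorded at all under 1-in-N random packet sampling:
    the flow exists in the export only if at least one of its packets was sampled."""
    pkts = int(row["orig_pkts"]) + int(row["resp_pkts"])
    return 1.0 - (1.0 - 1.0 / sampling_rate) ** pkts


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    print("talked to 203.0.113.10:", sorted(hosts_that_contacted(rows, "203.0.113.10")))
    for r in external_flows(rows):
        print(f"{r['uid']} {r['id.orig_h']}->{r['id.resp_h']} P(seen @1:1000)={record_probability(r, 1000):.3f}")
```

With 1:1000 sampling the two short HTTPS flows (5 and 3 packets) have well under a 1% chance of appearing, while the 2100-packet download is almost certainly recorded, which is exactly why sampled data cannot answer "did this host talk to that IP".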