Title Access external network flow logs
ID RA1101
Description Make sure you have access to Network Flow logs for external communication (from corporate assets to the Internet)
Author @atc_project
Creation Date 2020/05/06
Category Network
Stage RS0001: Preparation
References
Requirements
  • MS_border_firewall
  • MS_border_ngfw
  • DN_zeek_conn_log

Workflow

Make sure that Network Flow logs for external communication (from corporate assets to the Internet) are being collected and that your team can query them. The usual sources are the border firewall or NGFW exporting flow records (NetFlow/IPFIX) and a Zeek sensor at the Internet edge producing conn.log.
If none of the network devices can be configured to export flow records, install flow-collection software on each endpoint and collect the records from the endpoints centrally.
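
The following is an added example (not part of the ATC project or Zeek) of the kind of query a responder runs against collected logs, here over a Zeek conn.log: it parses the default TSV format, separates external communication from internal traffic, and answers "did host X communicate with external IP Y?". It assumes the corporate address space is the RFC 1918 ranges (INTERNAL_NETS); the conn.log excerpt is constructed and trimmed to the first twelve columns.

```python
"""Check external communication from a Zeek conn.log (default TSV format).

Added example for RA1101; not ATC or Zeek project code. Assumes corporate
assets live in INTERNAL_NETS and that the log keeps Zeek's '#fields' header.
"""
import ipaddress

# Assumption: corporate assets live in these ranges; anything else is external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed conn.log excerpt (not real traffic), trimmed to 12 columns:
# a TLS session to the Internet, an SMB session to an internal file server,
# and a DNS query to an external resolver.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\n"
    "1588759200.1\tCk3v1\t10.0.1.15\t51002\t203.0.113.7\t443\ttcp\tssl\t0.8\t620\t4800\tSF\n"
    "1588759201.2\tCk3v2\t10.0.1.15\t51003\t10.0.0.5\t445\ttcp\t-\t12.0\t9000\t1200\tSF\n"
    "1588759202.3\tCk3v3\t10.0.1.22\t40001\t198.51.100.9\t53\tudp\tdns\t0.01\t40\t120\tSF\n"
    "#close\t2020-05-06-10-05-00\n"
)


def parse_conn_log(text):
    """Parse Zeek TSV log text into dicts keyed by the names in the #fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # #separator, #types, #close and other header lines
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def is_internal(ip):
    """True if the address falls inside the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_flows(records):
    """Flows initiated by a corporate asset towards a non-corporate address."""
    return [r for r in records
            if is_internal(r["id.orig_h"]) and not is_internal(r["id.resp_h"])]


def external_destinations(records):
    """Map each internal host to the set of external IPs it connected to."""
    out = {}
    for r in external_flows(records):
        out.setdefault(r["id.orig_h"], set()).add(r["id.resp_h"])
    return out


def host_contacted(records, host, peer):
    """Return the flows between `host` and `peer`, in either direction."""
    return [r for r in records
            if {r["id.orig_h"], r["id.resp_h"]} == {host, peer}]


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for host, peers in sorted(external_destinations(recs).items()):
        print(f"{host} -> {', '.join(sorted(peers))}")
    hits = host_contacted(recs, "10.0.1.15", "203.0.113.7")
    print("10.0.1.15 <-> 203.0.113.7:", [(r["ts"], r["uid"]) for r in hits])
```

Pointing `parse_conn_log` at a real conn.log (read from disk, or fed from your SIEM export) is enough to reuse the query functions; the internal ranges are the one thing that must match your environment.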

Warning:

  • There is a feature called "NetFlow Sampling" (the exporter inspects only every Nth packet) that eliminates the value of the Network Flow logs for some tasks, such as "check if some host communicated to an external IP": a short connection may never be sampled and so never appears in the logs. Make sure sampling is disabled on your exporters, or that you have an alternative way to collect Network Flow logs (for example a Zeek conn.log, which records every connection the sensor sees)