13.6 Collect Network Traffic Flow Logs

Implementation Groups: IG2, IG3
Asset Type: Network
Security Function: Detect

Description

Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.

Implementation Checklist

1. Deploy detection tools or enable detection capabilities
2. Configure alerting thresholds and notification channels
3. Establish monitoring schedule and review process
4. Test detection capabilities with simulated events
5. Document detection procedures and escalation paths
6. Enable logging on all in-scope systems
7. Configure log forwarding to centralized SIEM
8. Define log retention periods per policy
9. Establish log review schedule and procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Covert Data Exfiltration via Unusual Traffic Patterns

Confidentiality

An attacker slowly exfiltrates sensitive data using low-and-slow techniques over legitimate ports, and the abnormal traffic volume goes unnoticed because network flow logs are not collected or analyzed.

Undetected Reconnaissance Scanning of Internal Network

Confidentiality

An attacker conducts port scans and service enumeration across the internal network after initial compromise, and the scanning activity is invisible because no network traffic flow logging is in place.

Unauthorized Communication to Known Malicious Infrastructure

Integrity

A compromised system communicates with known threat actor infrastructure, but the outbound connections are never flagged because network flow data is not captured for threat intelligence correlation.
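The three scenarios above are exactly what flow records make visible. As an added illustration (not part of the CIS safeguard text), the following Python runs over a handful of constructed NetFlow-style records and flags each one: sustained low-volume outbound transfer to a single external host, one internal source touching many distinct (host, port) targets, and any connection to an address on a threat-intel list. The internal range, thresholds, flow tuples and the "known bad" address are all assumptions chosen for the example.

```python
# Added example, not the CIS page's own material: simple detections over
# constructed flow records shaped like (start_epoch, src, dst, dst_port, bytes_out).
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")        # assumed internal address space
KNOWN_BAD = {"203.0.113.7"}                # constructed threat-intel entry (placeholder)

# Constructed sample flows covering the three threat scenarios plus benign traffic.
FLOWS = [
    # Low-and-slow exfiltration: 10.0.0.5 -> 198.51.100.9:443, small flows every hour for 6 hours
    *[(t * 3600, "10.0.0.5", "198.51.100.9", 443, 400_000) for t in range(6)],
    # Internal reconnaissance: 10.0.0.8 probes 40 ports on one host
    *[(100, "10.0.0.8", "10.0.0.20", port, 60) for port in range(20, 60)],
    # Beacon to known malicious infrastructure
    (200, "10.0.0.12", "203.0.113.7", 8080, 900),
    # Ordinary outbound HTTPS session
    (300, "10.0.0.3", "198.51.100.50", 443, 12_000),
]

def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL

def find_low_and_slow(flows, min_hours=4, min_total=1_000_000):
    """Internal->external pairs whose outbound bytes accumulate across many hours."""
    agg = defaultdict(lambda: [set(), 0])   # (src, dst) -> [hours seen, total bytes]
    for ts, src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            agg[(src, dst)][0].add(ts // 3600)
            agg[(src, dst)][1] += nbytes
    return {pair for pair, (hours, total) in agg.items()
            if len(hours) >= min_hours and total >= min_total}

def find_scanners(flows, min_targets=25):
    """Internal sources that hit an unusual number of distinct (host, port) targets."""
    targets = defaultdict(set)
    for _, src, dst, port, _ in flows:
        if is_internal(src) and is_internal(dst):
            targets[src].add((dst, port))
    return {src for src, seen in targets.items() if len(seen) >= min_targets}

def find_known_bad(flows, intel=KNOWN_BAD):
    """(src, dst) pairs whose destination appears on the threat-intel list."""
    return {(src, dst) for _, src, dst, _, _ in flows if dst in intel}
```

The per-hour bucketing is what separates the exfiltration case from a single large download; without retained flow history (the retrospective-analysis point below) that accumulation cannot be computed at all.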

Vulnerabilities (When Safeguard Absent)

No Network Flow Visibility

Without collecting NetFlow or equivalent traffic flow logs, security teams cannot identify abnormal communication patterns, traffic volumes, or unauthorized connections between internal and external systems.

Inability to Perform Retrospective Network Analysis

Absence of historical network traffic flow data prevents forensic investigation of when compromise began, what systems communicated with attacker infrastructure, and what data may have been exfiltrated.

Evidence Requirements

Type        Evidence Item                                                              Collection Frequency
Technical   Detection tool deployment evidence (dashboard screenshots, agent status)   Captured monthly
Technical   Sample alert/detection output demonstrating capability                     Captured quarterly
Technical   SIEM dashboard showing log sources and collection status                   Captured monthly
Record      Log review records and findings                                            Per review cycle
Document    Governing policy document (current, approved, communicated)                Reviewed annually