πŸ“ Azure Network Security Group Flow Logs retention period is less than 90 days 🟒

  • Contextual name: πŸ“ Security Group Flow Logs retention period is less than 90 days 🟒
  • ID: /ce/ca/azure/virtual-network/security-group-flow-logs-retention-period-over-90-days
  • Located in: πŸ“ Azure Virtual Network

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-e5c05d3e1

Logic

Description

Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.

Retirement Notice: On September 30, 2027, network security group (NSG) flow logs will be retired. Starting June 30, 2025, it will no longer be possible to create new NSG flow logs. Azure recommends migrating to virtual network flow logs. Review https://azure.microsoft.com/en-gb/updates?id=Azure-NSG-flow-logs-Retirement for more information. For virtual network flow logs, consider applying the recommendation "Ensure that virtual network flow log retention days is set to greater than or equal to 90" in this section.

Rationale

Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.

Impact

This will keep IP traffic logs for longer than 90 days. As this is a Level 2 recommendation, first determine your need to retain data, then apply your selection here. Because the data is stored for longer, your monthly storage costs will increase depending on your data volume.

Remediation

From Azure Portal

  1. Go to Network Watcher.
  2. Select NSG flow logs blade in the Logs section.
  3. Select each Network Security Group from the list.
  4. Ensure Status is set to On.
  5. Ensure the Retention (days) setting is greater than 90 days.
  6. Select your storage account in the Storage account field.
  7. Select Save.

From Azure CLI

Enable the NSG flow logs and set the Retention (days) to greater than or equal to 90 days:

az network watcher flow-log configure --nsg <NameorID of the Network Security Group> --enabled true --resource-group <resourceGroupName> --retention 91 --storage-account <NameorID of the storage account to save flow logs>
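The check this policy performs, and the remediation command above, as an added example (not part of this page or Cloudaware's own code): the Python below evaluates flow-log records of the shape `az network watcher flow-log show --output json` prints (field names `enabled`, `retentionPolicy.days`, `retentionPolicy.enabled`, `targetResourceId`, `storageId` are assumed from that output) over constructed sample records, and builds the `az` remediation command for each failing one.

```python
"""Added example: evaluate NSG flow-log records against this policy.
Field names follow `az network watcher flow-log show --output json` output
(`enabled`, `retentionPolicy.days/enabled`, `targetResourceId`, `storageId`)."""
from dataclasses import dataclass

MIN_RETENTION_DAYS = 90  # policy threshold: greater than or equal to 90 days


@dataclass
class Finding:
    name: str
    compliant: bool
    reason: str


def evaluate_flow_log(record: dict) -> Finding:
    """Pass only when logging is on and a retention policy is on with days >= 90.
    Missing or malformed fields are reported as non-compliant, never skipped."""
    name = record.get("name", "<unnamed>")
    if record.get("enabled") is not True:
        return Finding(name, False, "flow logging is disabled")
    policy = record.get("retentionPolicy") or {}
    if policy.get("enabled") is not True:
        return Finding(name, False, "retention policy is disabled")
    days = policy.get("days")
    if not isinstance(days, int) or days < MIN_RETENTION_DAYS:
        return Finding(name, False, f"retention is {days} days, need >= {MIN_RETENTION_DAYS}")
    return Finding(name, True, f"enabled with {days}-day retention")


def remediation_command(record: dict, resource_group: str) -> str:
    """Build the `az` command from the remediation section for a failing record."""
    nsg = record.get("targetResourceId", "<NSG id>")
    storage = record.get("storageId", "<storage account id>")
    return (f"az network watcher flow-log configure --nsg {nsg} --enabled true "
            f"--resource-group {resource_group} --retention 91 --storage-account {storage}")


# Constructed sample records (placeholder <sub> subscription; not from a real tenant).
SAMPLE = [
    {"name": "nsg-web-flowlog", "enabled": True, "retentionPolicy": {"days": 91, "enabled": True},
     "targetResourceId": "/subscriptions/<sub>/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-web",
     "storageId": "/subscriptions/<sub>/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stflowlogs"},
    {"name": "nsg-db-flowlog", "enabled": True, "retentionPolicy": {"days": 30, "enabled": True},
     "targetResourceId": "/subscriptions/<sub>/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-db"},
    {"name": "nsg-mgmt-flowlog", "enabled": False, "retentionPolicy": {"days": 0, "enabled": False}},
]
```

Feed it the real output of `az network watcher flow-log show` (one record per NSG) to reproduce the policy result before and after running the remediation command.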

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;1922
💼 CIS Azure v1.3.0 → 💼 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated _ Not supported, requires a manual assessment)11
💼 CIS Azure v1.4.0 → 💼 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated _ Will be supported in the future)11
💼 CIS Azure v1.5.0 → 💼 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated)11
💼 CIS Azure v2.0.0 → 💼 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated)11
💼 CIS Azure v2.1.0 → 💼 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated)11
💼 CIS Azure v3.0.0 → 💼 7.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Automated)1
💼 CIS Azure v4.0.0 → 💼 8.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Automated)1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration59
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)726
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)265
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H)425
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)4851
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)65
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)26
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)65
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H)219
💼 ISO/IEC 27001:2022 → 💼 5.28 Collection of evidence1421
💼 ISO/IEC 27001:2022 → 💼 8.6 Capacity management33
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events115
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events81
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked28
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions1719
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation44765
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control81725