
๐Ÿ›ก๏ธ Azure Network Security Group Flow Logs retention period is less than 90 days๐ŸŸข

  • Contextual name: 🛡️ Security Group Flow Logs retention period is less than 90 days 🟢
  • ID: /ce/ca/azure/virtual-network/security-group-flow-logs-retention-period-over-90-days
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

Rule  Policies  Flags
✉️ dec-x-e5c05d3e1

Description

Consider migrating from network security group flow logs to virtual network flow logs.

Retirement Notice: On September 30, 2027, network security group (NSG) flow logs will be retired. Starting June 30, 2025, it will no longer be possible to create new NSG flow logs. Azure recommends migrating to virtual network flow logs. Review https://azure.microsoft.com/en-gb/updates?id=Azure-NSG-flow-logs-Retirement for more information. For virtual network flow logs, consider applying the policy Azure Virtual Network Flow Logs retention period is less than 90 days in this section.

Rationale

Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.

Impact

Remediating this finding keeps IP traffic logs for longer than 90 days. First determine how long your organisation needs to retain the data, then apply that retention period here. Because more data is stored for longer, your monthly storage costs will increase in proportion to the volume of flow-log data you generate.
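As an added illustration of the check this policy performs (example code, not the policy's own logic), the function below grades NSG flow-log resources against the 90-day threshold. It assumes input shaped like the ARM `Microsoft.Network/networkWatchers/flowLogs` resource, where `properties.enabled` switches the flow log on and `properties.retentionPolicy` carries `enabled` and `days`; the sample records are constructed, and treating a flow log with no retention limit as "review" rather than pass/fail is this example's own assumption.

```python
from typing import Any

MIN_RETENTION_DAYS = 90  # threshold this policy checks against

# Constructed sample, shaped like Microsoft.Network/networkWatchers/flowLogs
# resources (the shape `az network watcher flow-log list` returns); the names
# and values are made up for this example.
SAMPLE_FLOW_LOGS: list[dict[str, Any]] = [
    {"name": "nsg-web-flowlog",
     "properties": {"enabled": True, "retentionPolicy": {"enabled": True, "days": 30}}},
    {"name": "nsg-db-flowlog",
     "properties": {"enabled": True, "retentionPolicy": {"enabled": True, "days": 180}}},
    {"name": "nsg-mgmt-flowlog",
     "properties": {"enabled": False, "retentionPolicy": {"enabled": True, "days": 365}}},
    {"name": "nsg-app-flowlog",
     "properties": {"enabled": True, "retentionPolicy": {"enabled": False, "days": 0}}},
]


def evaluate_flow_log(flow_log: dict[str, Any]) -> tuple[str, str]:
    """Return (status, reason); status is compliant, non_compliant or review."""
    props = flow_log.get("properties") or {}
    if not props.get("enabled", False):
        # A disabled flow log captures no traffic, so nothing is retained at all.
        return "non_compliant", "flow log is disabled"
    policy = props.get("retentionPolicy") or {}
    days = int(policy.get("days") or 0)
    if not policy.get("enabled", False) or days == 0:
        # The flow log itself imposes no retention limit here; how long the data
        # survives is then decided by the storage account's lifecycle rules, so
        # an automatic pass/fail would be a guess. Assumption: report for review.
        return "review", "no retention limit set on the flow log; check storage lifecycle rules"
    if days < MIN_RETENTION_DAYS:
        return "non_compliant", f"retention is {days} days, below {MIN_RETENTION_DAYS}"
    return "compliant", f"retention is {days} days"


def findings(flow_logs: list[dict[str, Any]]) -> dict[str, tuple[str, str]]:
    """Evaluate a whole listing and key the results by flow-log name."""
    return {fl["name"]: evaluate_flow_log(fl) for fl in flow_logs}


if __name__ == "__main__":
    for name, (status, reason) in findings(SAMPLE_FLOW_LOGS).items():
        print(f"{status:<14} {name}: {reason}")
```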


Remediation

Migrate Network Security Group (NSG) Flow Logs to Virtual Network Flow Logs

Azure Network Security Group (NSG) flow logs must be migrated to Azure Virtual Network flow logs. This process disables existing NSG flow logs and creates equivalent virtual network flow logs.

Generate Migration Files

  1. In the Azure portal, navigate to Network Watcher.
  2. Under Logs, select Migrate flow logs.
  3. Select the subscriptions and regions containing the NSG flow logs to migrate.
  4. Select Download script and JSON file.

A ZIP file named MigrateFlowLogs.zip is downloaded.

Run the Migration Script

  1. Extract MigrateFlowLogs.zip locally. The archive contains:
     • MigrationFromNsgToAzureFlowLogging.ps1
     • RegionSubscriptionConfig.json
  2. Run the migration script:

     .\MigrationFromNsgToAzureFlowLogging.ps1

  3. Select Run analysis by entering 1.
  4. When prompted, provide the path to the configuration file:

     .\RegionSubscriptionConfig.json

  5. Enter the number of threads to use, or press Enter to accept the default value (16).


policy.yaml

Linked Framework Sections

Section  Sub Sections  Internal Rules  Policies  Flags  Compliance
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity; 1922 no data
💼 CIS Azure v1.3.0 → 💼 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated _ Not supported, requires a manual assessment) 11 no data
💼 CIS Azure v1.4.0 → 💼 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated _ Will be supported in the future) 11 no data
💼 CIS Azure v1.5.0 → 💼 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated) 11 no data
💼 CIS Azure v2.0.0 → 💼 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated) 11 no data
💼 CIS Azure v2.1.0 → 💼 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated) 11 no data
💼 CIS Azure v3.0.0 → 💼 7.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Automated) 1 no data
💼 CIS Azure v4.0.0 → 💼 8.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Automated) 1 no data
💼 CIS Azure v5.0.0 → 💼 7.5 Ensure that network security group flow log retention days is set to greater than or equal to 90 (Automated) 1 no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration 72 no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H) 728 no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) 270 no data
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H) 437 no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H) 4853 no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) 70 no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H) 28 no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) 70 no data
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H) 221 no data
💼 ISO/IEC 27001:2022 → 💼 5.28 Collection of evidence 1421 no data
💼 ISO/IEC 27001:2022 → 💼 8.6 Capacity management 33 no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events 170 no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events 95 no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events 170 no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked 41 no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions 1721 no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation 44770 no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control 81737 no data