Skip to main content

๐Ÿ›ก๏ธ Azure Network Security Group Flow Logs retention period is less than 90 days๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Security Group Flow Logs retention period is less than 90 days๐ŸŸข
  • ID: /ce/ca/azure/virtual-network/security-group-flow-logs-retention-period-over-90-days
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logicโ€‹

Similar Policiesโ€‹

Similar Internal Rulesโ€‹

RulePoliciesFlags
โœ‰๏ธ dec-x-e5c05d3e1

Descriptionโ€‹

Open File

Descriptionโ€‹

Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.

Retirement Notice On September 30, 2027, network security group (NSG) flow logs will be retired. Starting June 30, 2025, it will no longer be possible to create new NSG flow logs. Azure recommends migrating to virtual network flow logs. Review https://azure.microsoft.com/en-gb/updates?id=Azure-NSG-flow-logs-Retirement for more information. For virtual network flow logs, consider applying the recommendation Ensure that virtual network flow log retention days is set to greater than or equal to 90 in this section.

Rationaleโ€‹

Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.

Impactโ€‹

This will keep IP traffic logs for longer than 90 days. As a level 2, first determine your need to retain data, then apply your selection here. As this is data stored for longer, your monthly storage costs will increase depending on your data use.

... see more

Remediationโ€‹

Open File

Remediationโ€‹

From Azure Portalโ€‹

  1. Go to Network Watcher.
  2. Select NSG flow logs blade in the Logs section.
  3. Select each Network Security Group from the list.
  4. Ensure Status is set to On.
  5. Ensure Retention (days) setting greater than 90 days.
  6. Select your storage account in the Storage account field.
  7. Select Save.

From Azure CLIโ€‹

Enable the NSG flow logs and set the Retention (days) to greater than or equal to 90 days:

az network watcher flow-log configure --nsg <NameorID of the Network Security Group> --enabled true --resource-group <resourceGroupName> --retention 91 --storage-account <NameorID of the storage account to save flow logs>

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;1922no data
๐Ÿ’ผ CIS Azure v1.3.0 โ†’ ๐Ÿ’ผ 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated _ Not supported, requires a manual assessment)11no data
๐Ÿ’ผ CIS Azure v1.4.0 โ†’ ๐Ÿ’ผ 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated _ Will be supported in the future)11no data
๐Ÿ’ผ CIS Azure v1.5.0 โ†’ ๐Ÿ’ผ 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated)11no data
๐Ÿ’ผ CIS Azure v2.0.0 โ†’ ๐Ÿ’ผ 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated)11no data
๐Ÿ’ผ CIS Azure v2.1.0 โ†’ ๐Ÿ’ผ 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated)11no data
๐Ÿ’ผ CIS Azure v3.0.0 โ†’ ๐Ÿ’ผ 7.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Automated)1no data
๐Ÿ’ผ CIS Azure v4.0.0 โ†’ ๐Ÿ’ผ 8.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Automated)1no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Logging and Monitoring Configuration65no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-6(9) Log Use of Privileged Functions (M)(H)726no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AU-12 Audit Record Generation (L)(M)(H)265no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ CM-3 Configuration Change Control (M)(H)425no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SI-4(20) Privileged Users (H)4851no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ AU-12 Audit Record Generation (L)(M)(H)65no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-6(9) Log Use of Privileged Functions (M)(H)26no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AU-12 Audit Record Generation (L)(M)(H)65no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ CM-3 Configuration Change Control (M)(H)219no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 5.28 Collection of evidence1421no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 8.6 Capacity management33no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-01: Networks and network services are monitored to find potentially adverse events145no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events85no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events142no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked31no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-6(9) Least Privilege _ Log Use of Privileged Functions1719no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AU-12 Audit Record Generation44765no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ CM-3 Configuration Change Control81725no data