
πŸ“ Azure Network Security Group Flow Logs retention period is less than 90 days 🟒

  • Contextual name: πŸ“ Security Group Flow Logs retention period is less than 90 days 🟒
  • ID: /ce/ca/azure/virtual-network/security-group-flow-logs-retention-period-over-90-days
  • Located in: πŸ“ Azure Virtual Network

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

  • Rule: ✉️ dec-x-e5c05d3e1

Logic

Description

Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.

Rationale

Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.

Impact

This will keep IP traffic logs for longer than 90 days. Because this is a Level 2 recommendation, first determine your need to retain data, then apply your selection here. Storing data for longer increases your monthly storage costs, depending on the volume of flow-log data you generate.

Audit

From Azure Portal
  1. Go to Network Watcher.
  2. Select the NSG flow logs blade in the Logs section.
  3. Select each Network Security Group from the list.
  4. Ensure Status is set to On.
  5. Ensure the Retention (days) setting is greater than 90 days.
From Azure CLI
az network watcher flow-log show --resource-group <resourceGroup> --nsg <NameorID of the NetworkSecurityGroup> --query 'retentionPolicy'

Ensure that enabled is set to true and days is set to greater than or equal to 90.


Remediation

From Azure Portal

  1. Go to Network Watcher.
  2. Select the NSG flow logs blade in the Logs section.
  3. Select each Network Security Group from the list.
  4. Ensure Status is set to On.
  5. Ensure the Retention (days) setting is greater than 90 days.
  6. Select your storage account in the Storage account field.
  7. Select Save.

From Azure CLI

Enable the NSG flow logs and set the Retention (days) to greater than or equal to 90 days:

az network watcher flow-log configure --nsg <NameorID of the Network Security Group> --enabled true --resource-group <resourceGroupName> --retention 91 --storage-account <NameorID of the storage account to save flow logs>
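The audit and remediation commands above can be wrapped in a small script that applies the page's rule (enabled true, days at least 90) to the retentionPolicy JSON that az returns and prints the configure command for any NSG that fails. This is an added example, not part of the Cloudaware policy or of the Azure CLI; the NSG names, resource group and storage account below are constructed sample values.

```python
"""Check NSG flow-log retention per the Audit section; build the Remediation command."""
import json
import shlex
import subprocess

MIN_RETENTION_DAYS = 90  # the page's threshold


def evaluate_retention(policy):
    """Apply the page's rule to a retentionPolicy object as returned by
    `az network watcher flow-log show --query retentionPolicy`.
    Returns (compliant, reason)."""
    if not isinstance(policy, dict):
        return False, "no flow log configured for this NSG"
    if not policy.get("enabled", False):
        return False, "retention policy is disabled"
    days = policy.get("days")
    if not isinstance(days, int) or days < MIN_RETENTION_DAYS:
        return False, f"retention is {days} days, minimum is {MIN_RETENTION_DAYS}"
    return True, f"retention is {days} days"


def audit_command(resource_group, nsg):
    """The az invocation from the Audit section, as an argv list."""
    return ["az", "network", "watcher", "flow-log", "show",
            "--resource-group", resource_group, "--nsg", nsg,
            "--query", "retentionPolicy", "-o", "json"]


def remediation_command(resource_group, nsg, storage_account, days=91):
    """The az invocation from the Remediation section, as an argv list."""
    return ["az", "network", "watcher", "flow-log", "configure",
            "--nsg", nsg, "--enabled", "true", "--resource-group", resource_group,
            "--retention", str(days), "--storage-account", storage_account]


def audit_nsg(resource_group, nsg):
    """Run the audit against a live subscription (needs a logged-in az CLI)."""
    out = subprocess.run(audit_command(resource_group, nsg),
                         check=True, capture_output=True, text=True).stdout
    return evaluate_retention(json.loads(out) if out.strip() else None)


if __name__ == "__main__":
    # Constructed sample az output, not captured from a real subscription.
    samples = {"nsg-web": {"days": 91, "enabled": True},
               "nsg-db": {"days": 30, "enabled": True},
               "nsg-mgmt": {"days": 120, "enabled": False}}
    for name, policy in samples.items():
        ok, why = evaluate_retention(policy)
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({why})")
        if not ok:
            print("  fix:", shlex.join(remediation_command("rg-prod", name, "stflowlogs")))
```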

policy.yaml

Linked Framework Sections

Each entry lists Framework → Section, followed by the Sub Sections / Internal Rules / Policies / Flags counts, which were run together during extraction and are reproduced as-is.

  • APRA CPG 234 → 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity; | 1821
  • CIS Azure v1.3.0 → 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated _ Not supported, requires a manual assessment) | 11
  • CIS Azure v1.4.0 → 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated _ Will be supported in the future) | 11
  • CIS Azure v1.5.0 → 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated) | 11
  • CIS Azure v2.0.0 → 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated) | 11
  • CIS Azure v2.1.0 → 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' - Level 2 (Automated) | 11
  • CIS Azure v3.0.0 → 7.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' (Automated) | 1
  • Cloudaware Framework → Logging and Monitoring Configuration | 49
  • FedRAMP High Security Controls → AC-6(9) Log Use of Privileged Functions (M)(H) | 723
  • FedRAMP High Security Controls → AU-12 Audit Record Generation (L)(M)(H) | 247
  • FedRAMP High Security Controls → CM-3 Configuration Change Control (M)(H) | 421
  • FedRAMP High Security Controls → SI-4(20) Privileged Users (H) | 4648
  • FedRAMP Low Security Controls → AU-12 Audit Record Generation (L)(M)(H) | 47
  • FedRAMP Moderate Security Controls → AC-6(9) Log Use of Privileged Functions (M)(H) | 23
  • FedRAMP Moderate Security Controls → AU-12 Audit Record Generation (L)(M)(H) | 47
  • FedRAMP Moderate Security Controls → CM-3 Configuration Change Control (M)(H) | 217
  • ISO/IEC 27001:2022 → 5.28 Collection of evidence | 1415
  • ISO/IEC 27001:2022 → 8.6 Capacity management | 33
  • NIST CSF v2.0 → DE.CM-01: Networks and network services are monitored to find potentially adverse events | 83
  • NIST CSF v2.0 → DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events | 59
  • NIST CSF v2.0 → DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 89
  • NIST CSF v2.0 → ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | 24
  • NIST SP 800-53 Revision 5 → AC-6(9) Least Privilege _ Log Use of Privileged Functions | 1516
  • NIST SP 800-53 Revision 5 → AU-12 Audit Record Generation | 44547
  • NIST SP 800-53 Revision 5 → CM-3 Configuration Change Control | 81521