
Description

Ensure that virtual network flow logs are retained for at least 90 days.

Rationale

Virtual network flow logs provide critical visibility into traffic patterns. Logs can be used to check for anomalies and give insight into suspected breaches.

Impact

  • Virtual network flow logs are charged per gigabyte of network flow logs collected and come with a free tier of 5 GB/month per subscription.
  • If traffic analytics is enabled with virtual network flow logs, traffic analytics pricing applies at per gigabyte processing rates.
  • The storage of logs is charged separately, and the cost will depend on the amount of logs and the retention period.

Audit

This policy flags an Azure Network Watcher Flow Log for Virtual Networks as INCOMPLIANT if any of these conditions are true:

  • Retention Policy Status is not set to Enabled.
  • Retention Policy Days is less than 90 days and not equal to 0 (unlimited).

A Flow Log is marked as INAPPLICABLE if either of the following is true:

  • Log Status is not set to Enabled.
  • The Flow Log is not associated with a Virtual Network.
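The audit logic above can be applied directly to the JSON that `az network watcher flow-log show` (or `list`) returns. The following is an added example, not code from the original page or from Azure; it assumes the ARM field names `enabled`, `targetResourceId` and `retentionPolicy.{enabled,days}`, and it interprets "associated with a Virtual Network" as a `targetResourceId` that points at a `Microsoft.Network/virtualNetworks` resource (or a subnet beneath one), which is an assumption. The sample flow-log records and resource IDs are constructed for the example.

```python
"""Classify Azure Network Watcher flow logs against the 90-day retention check.

Input records mirror `az network watcher flow-log show` output; field names are
assumed to follow the ARM schema (enabled, targetResourceId, retentionPolicy).
"""
import json

MIN_RETENTION_DAYS = 90
UNLIMITED_RETENTION = 0   # days == 0 means "retain indefinitely" in this check


def targets_virtual_network(target_resource_id: str) -> bool:
    """True when the target is a virtual network or a subnet of one.

    Assumption: the flow log counts as 'associated with a Virtual Network'
    when its resource path contains a providers/Microsoft.Network/virtualNetworks
    segment. NSG- and NIC-targeted flow logs therefore return False.
    """
    segments = [s.lower() for s in target_resource_id.split("/")]
    for i in range(len(segments) - 2):
        if (segments[i] == "providers"
                and segments[i + 1] == "microsoft.network"
                and segments[i + 2] == "virtualnetworks"):
            return True
    return False


def evaluate_flow_log(flow_log: dict) -> str:
    """Return COMPLIANT, INCOMPLIANT or INAPPLICABLE for one flow-log record."""
    if not flow_log.get("enabled", False):
        return "INAPPLICABLE"          # Log Status is not Enabled
    if not targets_virtual_network(flow_log.get("targetResourceId", "")):
        return "INAPPLICABLE"          # not a virtual network flow log
    retention = flow_log.get("retentionPolicy") or {}
    if not retention.get("enabled", False):
        return "INCOMPLIANT"           # Retention Policy Status is not Enabled
    days = int(retention.get("days", 0))
    if days == UNLIMITED_RETENTION or days >= MIN_RETENTION_DAYS:
        return "COMPLIANT"
    return "INCOMPLIANT"               # retention shorter than 90 days


def audit(flow_logs: list) -> dict:
    """Map each flow-log name to its verdict."""
    return {fl["name"]: evaluate_flow_log(fl) for fl in flow_logs}


# Constructed sample records; the subscription, resource group and names are
# hypothetical and do not come from a real Azure tenant.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
_VNET = _SUB + "/providers/Microsoft.Network/virtualNetworks/vnet-prod"
_SUBNET = _VNET + "/subnets/snet-app"
_NSG = _SUB + "/providers/Microsoft.Network/networkSecurityGroups/nsg-web"

SAMPLE_FLOW_LOGS = [
    {"name": "fl-vnet-90d", "enabled": True, "targetResourceId": _VNET,
     "retentionPolicy": {"enabled": True, "days": 90}},
    {"name": "fl-vnet-30d", "enabled": True, "targetResourceId": _VNET,
     "retentionPolicy": {"enabled": True, "days": 30}},
    {"name": "fl-vnet-unlimited", "enabled": True, "targetResourceId": _VNET,
     "retentionPolicy": {"enabled": True, "days": 0}},
    {"name": "fl-vnet-retention-off", "enabled": True, "targetResourceId": _VNET,
     "retentionPolicy": {"enabled": False, "days": 365}},
    {"name": "fl-subnet-no-policy", "enabled": True, "targetResourceId": _SUBNET},
    {"name": "fl-vnet-disabled", "enabled": False, "targetResourceId": _VNET,
     "retentionPolicy": {"enabled": True, "days": 7}},
    {"name": "fl-nsg-legacy", "enabled": True, "targetResourceId": _NSG,
     "retentionPolicy": {"enabled": True, "days": 7}},
]

if __name__ == "__main__":
    # Feed real output with: az network watcher flow-log list -l <region> -o json
    print(json.dumps(audit(SAMPLE_FLOW_LOGS), indent=2))
```

Note that a record without any `retentionPolicy` block is treated as INCOMPLIANT rather than INAPPLICABLE: the log is enabled and in scope, it simply has no retention guarantee, which is exactly the condition the policy is meant to surface.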

Default Value

When a virtual network flow log is created with the Azure CLI, the retention period defaults to 0 days unless --retention is given explicitly. When creating via the Azure Portal, the retention period must be specified by the creator.

References

  1. https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-portal
  2. https://learn.microsoft.com/en-us/cli/azure/network/watcher/flow-log

Additional Information

As network security group flow logs are on the retirement path, Azure recommends migrating to virtual network flow logs.