🛡️ Azure Virtual Network Flow Logs retention period is less than 90 days🟢

• Contextual name: 🛡️ Virtual Network Flow Logs retention period is less than 90 days🟢
• ID: /ce/ca/azure/virtual-network/virtual-network-flow-logs-retention-period-over-90-days
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY, RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure Network Watcher Flow Log
  • 🔌 Azure Network Watcher Flow Log - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Ensure that virtual network flow logs are retained for greater than or equal to 90 days.

Rationale

Virtual network flow logs provide critical visibility into traffic patterns. Logs can be used to check for anomalies and give insight into suspected breaches.

Impact

• Virtual network flow logs are charged per gigabyte of network flow logs collected and come with a free tier of 5 GB/month per subscription.
• If traffic analytics is enabled with virtual network flow logs, traffic analytics pricing applies at per gigabyte processing rates.
• The storage of logs is charged separately, and the cost will depend on the amount of logs and the retention period.

Audit

This policy flags an Azure Network Watcher Flow Log for Virtual Networks as INCOMPLIANT if any of these conditions are true:

• Retention Policy Status is not set to Enabled.
• Retention Policy Days is less than 90 days and not equal to 0 (unlimited).

A Flow Log is marked as INAPPLICABLE if either:

• Log Status is not set to Enabled.

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Navigate to Network Watcher.
2. Under Logs, select Flow logs.
3. Click Add filter.
4. From the Filter drop-down menu, select Flow log type.
5. From the Value drop-down menu, check Virtual network only.
6. Click Apply.
7. Click the name of a virtual network flow log.
8. Under Storage Account, set Retention days to 0, 90, or a number greater than 90. If Retention days is set to 0, the logs are retained indefinitely with no retention policy.
9. Repeat steps 7 and 8 for each virtual network flow log requiring remediation.

From Azure CLI

Run the following command update the retention policy for a flow log in a network watcher, setting retention to 0, 90, or a number greater than 90:

az network watcher flow-log update --location <location> --name <flow-log> --retention <number-of-days>

Repeat for each virtual network flow log requiring remediation.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v4.0.0 → 💼 8.8 Ensure that virtual network flow log retention days is set to greater than or equal to 90 (Automated)			1		no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			60		no data