
πŸ“ Azure Virtual Network Flow Logs retention period is less than 90 days 🟒

  • Contextual name: πŸ“ Virtual Network Flow Logs retention period is less than 90 days 🟒
  • ID: /ce/ca/azure/virtual-network/virtual-network-flow-logs-retention-period-over-90-days
  • Located in: πŸ“ Azure Virtual Network

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Logic

Description

Ensure that virtual network flow logs are retained for greater than or equal to 90 days.

Rationale

Virtual network flow logs provide critical visibility into traffic patterns. Logs can be used to check for anomalies and give insight into suspected breaches.

Impact

  • Virtual network flow logs are charged per gigabyte of network flow logs collected and come with a free tier of 5 GB/month per subscription.
  • If traffic analytics is enabled with virtual network flow logs, traffic analytics pricing applies at per gigabyte processing rates.
  • The storage of logs is charged separately, and the cost will depend on the amount of logs and the retention period.

Audit

This policy flags an Azure Network Watcher Flow Log for Virtual Networks as INCOMPLIANT if any of these conditions are true:

  • Retention Policy Status is not set to Enabled.
  • Retention Policy Days is less than 90 days and not equal to 0 (unlimited).

A Flow Log is marked as INAPPLICABLE if either:

  • Log Status is not set toβ€―Enabled.

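An added example, not Cloudaware's or Microsoft's code, that implements the audit conditions above in Python over flow-log records shaped like the JSON that `az network watcher flow-log list` returns (the camelCase field names are an assumption) and assumes that virtual network flow logs can be recognized by `/virtualNetworks/` in their target resource ID:

```python
# Added example (not Cloudaware's or Microsoft's code): applies the audit
# conditions above to flow-log records shaped like the JSON returned by
# `az network watcher flow-log list` (camelCase keys: enabled,
# targetResourceId, retentionPolicy.days, retentionPolicy.enabled).
MIN_RETENTION_DAYS = 90
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"  # constructed placeholder


def evaluate_flow_log(flow_log: dict) -> str:
    """Return COMPLIANT, INCOMPLIANT or INAPPLICABLE for one flow log."""
    # Assumption: virtual network flow logs target a resource ID containing
    # "/virtualNetworks/"; NSG flow logs are out of scope for this policy.
    if "/virtualNetworks/" not in (flow_log.get("targetResourceId") or ""):
        return "INAPPLICABLE"
    # Log Status not Enabled -> INAPPLICABLE.
    if not flow_log.get("enabled", False):
        return "INAPPLICABLE"
    policy = flow_log.get("retentionPolicy") or {}
    # Retention Policy Status not Enabled -> INCOMPLIANT.
    if not policy.get("enabled", False):
        return "INCOMPLIANT"
    # 0 means unlimited retention and passes; 1..89 days fails.
    days = int(policy.get("days") or 0)
    if days != 0 and days < MIN_RETENTION_DAYS:
        return "INCOMPLIANT"
    return "COMPLIANT"


def evaluate_all(flow_logs: list) -> dict:
    """Map each flow log name to its policy result."""
    return {log["name"]: evaluate_flow_log(log) for log in flow_logs}


def sample(name: str, kind: str, log_on: bool, days: int, policy_on: bool) -> dict:
    """Build one constructed record; kind is the target resource type."""
    return {"name": name, "enabled": log_on,
            "targetResourceId": f"{RG}/providers/Microsoft.Network/{kind}/{name}",
            "retentionPolicy": {"days": days, "enabled": policy_on}}


# Constructed sample records covering each branch of the audit logic.
SAMPLE_FLOW_LOGS = [
    sample("vnet-prod", "virtualNetworks", True, 30, True),      # too short
    sample("vnet-hub", "virtualNetworks", True, 0, True),        # unlimited
    sample("vnet-dr", "virtualNetworks", True, 365, False),      # policy off
    sample("vnet-dev", "virtualNetworks", False, 90, True),      # log disabled
    sample("nsg-web", "networkSecurityGroups", True, 7, True),   # not a VNet log
]

if __name__ == "__main__":
    for name, result in evaluate_all(SAMPLE_FLOW_LOGS).items():
        print(f"{result:<12} {name}")
```

To check a real subscription, feed the records from `az network watcher flow-log list --location <location>` to `evaluate_all` instead of the constructed samples.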

Remediation

From Azure Portal

  1. Navigate to Network Watcher.
  2. Under Logs, select Flow logs.
  3. Click Add filter.
  4. From the Filter drop-down menu, select Flow log type.
  5. From the Value drop-down menu, check Virtual network only.
  6. Click Apply.
  7. Click the name of a virtual network flow log.
  8. Under Storage Account, set Retention days to 0, 90, or a number greater than 90. If Retention days is set to 0, the logs are retained indefinitely with no retention policy.
  9. Repeat steps 7 and 8 for each virtual network flow log requiring remediation.

From Azure CLI

Run the following command to update the retention policy for a flow log in a network watcher, setting retention to 0, 90, or a number greater than 90:

az network watcher flow-log update --location <location> --name <flow-log> --retention <number-of-days>

Repeat for each virtual network flow log requiring remediation.

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 CIS Azure v4.0.0 → 💼 8.8 Ensure that virtual network flow log retention days is set to greater than or equal to 90 (Automated) | 1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration | 59