Virtual Network security group flow log retention period should be set to 90 days or greater
Description
Flow logs capture information about the IP traffic flowing in and out of a network security group. The logs can be used to check for anomalies and give insight into suspected breaches; a retention period of at least 90 days keeps that evidence available for investigations that begin weeks after the activity occurred.
Remediation Steps
Azure Portal
1. Navigate to Network Watcher.
2. In the left navigation, under Logs, select NSG flow logs.
3. Select the Network Security Group.
4. Under Flow Log settings, select On.
5. Set the Retention (days) to greater than 90 days.
6. In the Storage account field, select your storage account.
7. Click Save.
Azure CLI
To enforce a retention period greater than 90 days:
az network watcher flow-log configure --nsg <NameorID of the Network Security Group> --enabled true --resource-group <resourceGroupName> --retention 91 --storage-account <NameorID of the storage account to save flow logs>
Azure Resource Manager
Ensure that a Microsoft.Network/networkWatchers/flowLogs resource contains the following, where retentionPolicy is enabled and days is set to >= 90:
{
  "properties": {
    "retentionPolicy": {
      "days": 120,
      "enabled": true
    }
  }
}
Example Configuration
{
  "type": "Microsoft.Network/networkWatchers/flowLogs",
  "apiVersion": "2021-03-01",
  "properties": {
    "retentionPolicy": {
      "days": 120,
      "enabled": true
    }
    # other required fields here
  }
}
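The retentionPolicy check above is easy to automate. The following Python script is an added example and is not part of this page's or Azure's own tooling: it walks the resources of an ARM template (the same properties.retentionPolicy shape that `az network watcher flow-log show` prints, which is an assumption about that CLI output) and reports each flowLogs resource as pass, fail or review. The function and constant names (evaluate_flow_log, audit_template, MIN_RETENTION_DAYS) and the sample template are constructed for this example. It goes slightly beyond the page's rule in one respect: Azure treats a retention of 0 days as "retain forever", so a 0 is reported for manual review rather than as a plain failure.

```python
import json
from typing import Any, Dict, List, Tuple

MIN_RETENTION_DAYS = 90  # threshold stated by the rule on this page
FLOW_LOG_TYPE = "Microsoft.Network/networkWatchers/flowLogs"


def evaluate_flow_log(resource: Dict[str, Any]) -> Tuple[str, str]:
    """Return (status, reason) for one flowLogs resource.

    Assumption: the resource carries properties.retentionPolicy.{enabled,days}
    as in an ARM template or the `az network watcher flow-log show` output.
    status is 'pass', 'fail' or 'review'.
    """
    props = resource.get("properties") or {}
    if props.get("enabled") is False:
        # The CLI step sets --enabled true; a disabled flow log retains nothing.
        return "fail", "flow log itself is disabled"
    policy = props.get("retentionPolicy") or {}
    if policy.get("enabled") is not True:
        return "fail", "retentionPolicy.enabled is not true"
    days = policy.get("days")
    # bool is a subclass of int in Python, so reject True/False explicitly.
    if not isinstance(days, int) or isinstance(days, bool):
        return "fail", f"retentionPolicy.days is missing or not an integer: {days!r}"
    if days == 0:
        # Azure treats 0 as unlimited retention; meets the intent but not the
        # literal >= 90 test, so surface it for a human decision.
        return "review", "retentionPolicy.days is 0 (unlimited retention); confirm this is intended"
    if days < MIN_RETENTION_DAYS:
        return "fail", f"retentionPolicy.days is {days}, below {MIN_RETENTION_DAYS}"
    return "pass", f"retentionPolicy.days is {days}"


def audit_template(template: Dict[str, Any]) -> List[Dict[str, str]]:
    """Evaluate every flowLogs resource in an ARM template; other types are skipped."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != FLOW_LOG_TYPE:
            continue
        status, reason = evaluate_flow_log(res)
        findings.append({"name": res.get("name", "<unnamed>"), "status": status, "reason": reason})
    return findings


def _flow_log(name: str, policy: Any, enabled: bool = True) -> Dict[str, Any]:
    props: Dict[str, Any] = {"enabled": enabled}
    if policy is not None:
        props["retentionPolicy"] = policy
    return {"type": FLOW_LOG_TYPE, "apiVersion": "2021-03-01", "name": name, "properties": props}


# Constructed sample template covering the compliant case and the failure modes.
SAMPLE_TEMPLATE = {
    "resources": [
        _flow_log("nw/flowlog-compliant", {"days": 120, "enabled": True}),
        _flow_log("nw/flowlog-short", {"days": 30, "enabled": True}),
        _flow_log("nw/flowlog-policy-off", {"days": 120, "enabled": False}),
        _flow_log("nw/flowlog-forever", {"days": 0, "enabled": True}),
        _flow_log("nw/flowlog-no-policy", None),
        {"type": "Microsoft.Storage/storageAccounts", "name": "flowlogsa"},  # skipped
    ]
}

if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print(json.dumps(finding))
```

Run it against a real template by replacing SAMPLE_TEMPLATE with `json.load(open("template.json"))`; for a deployed flow log, pipe the output of `az network watcher flow-log show` into evaluate_flow_log instead. Treat any "fail" as a finding to remediate with the portal, CLI or template steps on this page.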
Terraform
Ensure that an azurerm_network_watcher_flow_log contains the following:
retention_policy.enabled = true
retention_policy.days >= 90
Example Configuration
resource "azurerm_network_watcher_flow_log" "example" {
  retention_policy {
    enabled = true
    days    = 90
  }
  # other required fields here
}