Virtual Network security group flow log retention period should be set to 90 days or greater

Description

Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.

Remediation Steps

Azure Portal

  • Navigate to Network Watcher.

  • In the left navigation under Logs, select NSG flow logs.

  • Select the Network Security Group.

  • Under Flow Log settings, select On.

  • Set the Retention (days) to greater than 90 days.

  • In the Storage account field, select your storage account.

  • Click Save.

Azure CLI

  • To enforce a retention period greater than 90 days:

az network watcher flow-log configure --nsg <NameorID of the Network Security Group> --enabled true --resource-group <resourceGroupName> --retention 91 --storage-account <NameorID of the storage account to save flow logs>

Azure Resource Manager

{
  "properties": {
    "retentionPolicy": {
     "days": 120,
     "enabled": true
    }
  }
}

Example Configuration

{
  "type": "Microsoft.Network/networkWatchers/flowLogs",
  "apiVersion": "2021-03-01",
  "properties": {
    "retentionPolicy": {
      "days": 120,
      "enabled": true
    }
  # other required fields here
  }
}

Terraform

Example Configuration

resource "azurerm_network_watcher_flow_log" "example" {
  retention_policy {
      enabled = true
      days    = 90
  }
  # other required fields here
}