Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'

Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.

Risk Level: Low
Cloud Entity: Network security group
CloudGuard Rule ID: D9.AZU.NET.32
Covered by Spectral: Yes
Category: Networking & Content Delivery


NetworkSecurityGroup should have nsgFlowLog.properties.retentionPolicy.days > 90


az network watcher flow-log configure --nsg <NetworkSecurityGroupName> --enabled true --resource-group <resourceGroupName> --retention 91 --storage-account <StorageAccountName>
By default, Network Watcher is disabled.


  1. https://docs.microsoft.com/en-us/cli/azure/network/watcher/flow-log?view=azure-cli-latest

Network security group

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

Compliance Frameworks

  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset