Ensure Flow-Logs Retention Policy is greater than 90 days

Ensure Flow-Logs Retention Policy is greater than 90 days. To keep the logs forever, pass a value of 0 to the retention parameter.

Risk Level: Low
Cloud Entity: Network Security Group flow logs
CloudGuard Rule ID: D9.AZU.NET.60
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

NsgFlowLog should have properties.retentionPolicy.enabled=true and ( properties.retentionPolicy.days=0 or properties.retentionPolicy.days>=90 )
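The GSL condition above, written as an offline check over exported flow-log resources. This is an added example, not CloudGuard's or Microsoft's code; the sample resources and their names are constructed, and the fallback to a top-level retentionPolicy key for flattened exports is an assumption.

```python
import json

MIN_DAYS = 90  # threshold from the rule; days=0 means "keep forever"

# Constructed sample: flow-log resources in ARM shape (names are made up).
SAMPLE = json.loads("""
[
  {"name": "fl-forever", "properties": {"retentionPolicy": {"enabled": true, "days": 0}}},
  {"name": "fl-100d", "properties": {"retentionPolicy": {"enabled": true, "days": 100}}},
  {"name": "fl-30d", "properties": {"retentionPolicy": {"enabled": true, "days": 30}}},
  {"name": "fl-disabled", "properties": {"retentionPolicy": {"enabled": false, "days": 0}}},
  {"name": "fl-missing", "properties": {}}
]
""")


def retention_policy(flow_log):
    """Return the retentionPolicy dict of one flow log, or {} if absent."""
    # Assumption: some exports flatten "properties" onto the top level.
    props = flow_log.get("properties") or flow_log
    return props.get("retentionPolicy") or {}


def is_compliant(flow_log):
    """enabled=true and (days=0 or days>=90), as in the GSL rule."""
    policy = retention_policy(flow_log)
    days = policy.get("days")
    if policy.get("enabled") is not True:
        return False  # days=0 only counts when the policy is enabled
    if isinstance(days, bool) or not isinstance(days, int):
        return False  # missing or malformed value fails closed
    return days == 0 or days >= MIN_DAYS


def failing(flow_logs):
    """Names of flow logs that violate the rule, in input order."""
    return [fl.get("name", "<unnamed>") for fl in flow_logs if not is_compliant(fl)]


if __name__ == "__main__":
    for name in failing(SAMPLE):
        print("NON-COMPLIANT:", name)
```

A flow log with days=0 and the policy disabled fails the rule, so the enabled flag has to be checked alongside the day count.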

REMEDIATION

With Azure CLI:
Keep Flow-Logs forever:
az network watcher flow-log configure -g MyResourceGroup --nsg MyNsg --retention 0
Keep Flow-Logs for a specific period of time (100 days):
az network watcher flow-log configure -g MyResourceGroup --nsg MyNsg --retention 100

References
https://docs.microsoft.com/en-us/cli/azure/network/watcher/flow-log?view=azure-cli-latest#az_network_watcher_flow_log_configure

Network Security Group flow logs

Network security group (NSG) flow logs is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an NSG. Flow data is sent to Azure Storage accounts from where you can access it as well as export it to any visualization tool, SIEM, or IDS of your choice.

Compliance Frameworks

  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset