Description:
Network Security Group (NSG) Flow Logs capture information about inbound and outbound IP traffic for NSGs. These logs support threat detection, forensics, traffic analysis, and compliance monitoring. To maintain sufficient visibility, the retention period for NSG Flow Logs must be configured to more than 90 days. Retention periods shorter than 90 days limit long-term investigation capability and may fail to meet compliance requirements. This check ensures that NSG Flow Logs for all NSGs are configured with a retention period greater than 90 days.
Rationale:
If NSG Flow Logs have a retention period of 90 days or less, important traffic history may be lost. Many threat investigations require data spanning months, and regulatory frameworks frequently mandate extended retention. Ensuring a retention period greater than 90 days supports effective forensic analysis, compliance audits, and long-term security monitoring.
Impact:
Increases audit readiness and supports long-term forensic investigations.
Enhances detection of advanced threats that evolve over longer periods.
Reduces compliance risk with regulatory standards requiring extended log storage.
Ensures security teams can analyze historical network traffic patterns and anomalies.
Default Value:
Depending on how the flow log was created, the retention period may default to 0 days (indefinite) or be set to 90 days or less. Azure does not enforce a minimum retention period.
Pre-Requisites:
Network Watcher must be enabled in the target region
Permissions to manage NSG Flow Logs
Storage Account accessible for retention configuration
Test Plan:
Sign in to the Azure Portal https://portal.azure.com
Search for Network Watcher.
Under Logs, select Flow logs.
Review each Network Security Group with flow logs enabled.
Check the configured Retention (days) value.
Verify the retention period is greater than 90 days or set to 0 (unlimited).
If the retention period is 90 days or less, or flow logs are disabled, follow the implementation steps.
Implementation Steps:
Sign in to the Azure Portal https://portal.azure.com
Search for Network Watcher.
Under Logs, select Flow logs.
Open the Network Security Group whose flow log needs updating.
Click Edit settings.
Set Retention (days) to a value greater than 90 (for example, 120).
Save the configuration.
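The Test Plan and Implementation Steps above are written for the portal. The script below is an added example (not part of this control's text or of Microsoft's tooling) that applies the same rule to the JSON returned by the Azure CLI flow-log commands documented in the reference link at the end of this page. It treats a record as passing when flow logs are enabled and retention is either 0 (unlimited) or greater than 90 days, exactly as the Test Plan states, and for each failing record it prints the `az network watcher flow-log update` command that corresponds to the Implementation Steps. The JSON is a constructed sample shaped like the output of `az network watcher flow-log list --location <region> -o json`; the resource names and the zeroed subscription id are placeholders, and the exact field names and CLI flags are assumed to match that reference.

```python
"""Audit NSG Flow Log retention against the >90-day rule in this control.

Added example. SAMPLE_FLOW_LOGS_JSON is a constructed sample shaped like the
array returned by:  az network watcher flow-log list --location <region> -o json
Resource names and the subscription id are placeholders.
"""
import json

MIN_RETENTION_DAYS = 90     # the control requires strictly more than this
TARGET_RETENTION_DAYS = 120  # the example value given in the Implementation Steps

SAMPLE_FLOW_LOGS_JSON = """[
  {"name": "fl-web-nsg", "enabled": true,
   "targetResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers/Microsoft.Network/networkSecurityGroups/web-nsg",
   "retentionPolicy": {"days": 120, "enabled": true}},
  {"name": "fl-db-nsg", "enabled": true,
   "targetResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/Microsoft.Network/networkSecurityGroups/db-nsg",
   "retentionPolicy": {"days": 30, "enabled": true}},
  {"name": "fl-mgmt-nsg", "enabled": true,
   "targetResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mgmt/providers/Microsoft.Network/networkSecurityGroups/mgmt-nsg",
   "retentionPolicy": {"days": 0, "enabled": true}},
  {"name": "fl-app-nsg", "enabled": false,
   "targetResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/app-nsg",
   "retentionPolicy": {"days": 365, "enabled": true}},
  {"name": "fl-edge-nsg", "enabled": true,
   "targetResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-edge/providers/Microsoft.Network/networkSecurityGroups/edge-nsg",
   "retentionPolicy": {"days": 90, "enabled": true}}
]"""


def nsg_name(resource_id: str) -> str:
    """Last path segment of the target NSG resource id, e.g. 'web-nsg'."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def evaluate_flow_log(flow_log: dict) -> dict:
    """Apply the Test Plan to one flow log record.

    PASS: flow logs enabled and retention > 90 days or 0 (unlimited).
    FAIL: flow logs disabled, or retention between 1 and 90 days inclusive.
    """
    days = int((flow_log.get("retentionPolicy") or {}).get("days", 0))
    enabled = bool(flow_log.get("enabled", False))
    if not enabled:
        status, reason = "FAIL", "flow logs disabled"
    elif days == 0:
        status, reason = "PASS", "retention 0 (unlimited)"
    elif days > MIN_RETENTION_DAYS:
        status, reason = "PASS", f"retention {days} days"
    else:
        status, reason = "FAIL", f"retention {days} days (must exceed {MIN_RETENTION_DAYS})"
    return {
        "flow_log": flow_log["name"],
        "nsg": nsg_name(flow_log["targetResourceId"]),
        "enabled": enabled,
        "days": days,
        "status": status,
        "reason": reason,
    }


def audit(flow_logs: list) -> list:
    """Evaluate every record returned for a region."""
    return [evaluate_flow_log(fl) for fl in flow_logs]


def audit_json(text: str) -> list:
    """Audit the raw JSON text produced by the CLI list command quoted above."""
    return audit(json.loads(text))


def audit_sample() -> list:
    return audit_json(SAMPLE_FLOW_LOGS_JSON)


def remediation_commands(results: list, location: str,
                         days: int = TARGET_RETENTION_DAYS) -> list:
    """CLI equivalent of the Implementation Steps for each failing record.

    Emits `az network watcher flow-log update` with the new retention; when the
    flow log itself is disabled, `--enabled true` is added as well. Flag names
    are assumed to match the flow-log CLI reference linked on this page.
    """
    cmds = []
    for r in results:
        if r["status"] != "FAIL":
            continue
        cmd = (f"az network watcher flow-log update --location {location} "
               f"--name {r['flow_log']} --retention {days}")
        if not r["enabled"]:
            cmd += " --enabled true"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    results = audit_sample()
    for r in results:
        print(f"{r['status']}  {r['nsg']:<10} {r['reason']}")
    for cmd in remediation_commands(results, location="eastus"):
        print(cmd)
```

In practice, replace `SAMPLE_FLOW_LOGS_JSON` with the saved output of the list command for each region where Network Watcher is enabled, and review the generated commands before running them; the Backout Plan below applies unchanged, since the previous retention value is visible in the audit output.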
Backout Plan:
Sign in to the Azure Portal https://portal.azure.com
Search for Network Watcher.
Under Logs, select Flow logs.
Select the Network Security Group where the retention setting was changed.
Click Edit settings.
Change the Retention (days) value back to the previous approved setting if required.
Save the configuration.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsgflow-logging-overview
https://docs.microsoft.com/en-us/cli/azure/network/watcher/flow-log?view=azurecli-latest