Description:

Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.


Rationale:

Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.


Impact:

This will keep IP traffic logs for longer than 90 days. As a level 2, first determine your need to retain data, then apply your selection here. As this is data stored for longer, your monthly storage costs will increase depending on your data use.


Audit:


From Azure Portal

1. Go to Network Watcher

2. Select NSG flow logs blade in the Logs section

3. Select each Network Security Group from the list

4. Ensure Status is set to On

5. Ensure Retention (days) setting greater than 90 days


From Azure CLI

az network watcher flow-log show --resource-group <resourceGroup> --nsg

<NameorID of the NetworkSecurityGroup> --query 'retentionPolicy'

Ensure that enabled is set to true and days is set to greater then or equal to 90.


Remediation:


From Azure Portal

1. Go to Network Watcher

2. Select NSG flow logs blade in the Logs section

3. Select each Network Security Group from the list

4. Ensure Status is set to On

5. Ensure Retention (days) setting greater than 90 days

6. Select your storage account in the Storage account field

7. Select Save


From Azure CLI

Enable the NSG flow logs and set the Retention (days) to greater than or equal to 90 days.

az network watcher flow-log configure --nsg <NameorID of the Network Security

Group> --enabled true --resource-group <resourceGroupName> --retention 91 --

storage-account <NameorID of the storage account to save flow logs>


Default Value:

By default, Network Security Group Flow Logs are disabled.


References:

1. https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsgflow-logging-overview

2. https://docs.microsoft.com/en-us/cli/azure/network/watcher/flow-log?view=azurecli-latest

3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-6-configure-log-storage-retention