Description:
Network Security Group (NSG) Flow Logs capture detailed information about traffic that is allowed or denied by the Network Security Groups (NSGs) in your Azure virtual networks. These logs are valuable for monitoring network traffic, security auditing, and troubleshooting. Setting the retention period for NSG Flow Logs to greater than 90 days ensures that sufficient historical data is available for analysis and compliance purposes.
Rationale:
By retaining NSG Flow Logs for more than 90 days, your organization ensures that security data is available for a longer period. This is useful for:
Investigating historical security incidents.
Compliance and regulatory requirements that mandate a longer retention period.
Network troubleshooting over extended periods.
Ensuring visibility into traffic patterns for a prolonged time.
Impact:
Increasing the retention period to greater than 90 days may incur additional storage costs, depending on the volume of flow log data generated. However, this is typically outweighed by the enhanced security visibility and compliance benefits.
Default Value:
By default, NSG Flow Log retention is typically set to 30 days. You need to manually configure the retention period to be greater than or equal to 90 days.
Pre-requisites:
Azure subscription.
Azure Network Watcher enabled in the required region.
Storage account to store the flow logs.
The user must have Owner, Contributor, or Network Contributor role permissions.
Audit:
Sign in to Azure portal as a Global Administrator or Network Contributor.
Navigate to Network Watcher.
Verify that NSG Flow Log retention period is set to greater than 90 days.
Implementation Steps (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Network Contributor permissions.
Navigate to Network Watcher:
In the Azure portal, search for Network Watcher and select it from the search results.
Access NSG Flow Log Configuration:
In Network Watcher, go to Flow Logs under the Monitoring section.
Review the Flow Logs settings for Network Security Groups.
Configure the Retention Period:
For each NSG Flow Log configuration, ensure that the retention period is set to greater than 90 days.
In the Flow Log configuration panel, select the Retention option and set the value to at least 90 days.
Use Azure CLI for Automated Configuration: To automate this configuration with Azure CLI, run the following commands:
Ensure that you are logged into Azure CLI and have the necessary permissions.
To configure the NSG Flow Log retention period, run the following command:
# Flow logs are configured per NSG, so the target NSG must be named (--nsg is
# required by "az network watcher flow-log configure"; the Network Watcher
# itself is not passed as an argument).
az network watcher flow-log configure \
  --resource-group <Resource-Group-Name> \
  --nsg <NSG-Name> \
  --enabled true \
  --storage-account <Storage-Account-ID> \
  --retention 90
Replace <Resource-Group-Name>, <NSG-Name>, and <Storage-Account-ID> with your actual resource group, the name (or ID) of the Network Security Group whose flow log you are configuring, and your storage account ID. Run the command once for each NSG whose flow log must be retained.
Verify that the NSG Flow Log retention period has been updated to 90 days using the following command:
# Shows the flow log attached to the given NSG; check the retentionPolicy
# block (days / enabled) in the output.
az network watcher flow-log show \
  --resource-group <Resource-Group-Name> \
  --nsg <NSG-Name>
Monitor Retention and Storage:
After configuring the retention period, regularly monitor your Storage Account to ensure logs are being stored for the configured retention period (greater than 90 days).
Check the Network Watcher dashboard in Azure Monitor to confirm that logs are being retained and accessible within the configured timeframe.
Review Flow Log Data:
Use Azure Monitor or Log Analytics to query the stored NSG Flow Logs and confirm that the log data is available for more than 90 days.
Create custom queries to analyze network traffic patterns, security incidents, or other network events from the logs.
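To check the verification and review steps above across many NSGs at once, the following added example (not part of the original page) evaluates flow-log resources in the JSON shape that the Azure CLI prints for flow logs (an assumption about the output format: a top-level "enabled" flag and a "retentionPolicy" object with "days" and "enabled"). The sample input is constructed, and the example also handles the edge case where a retention of 0 days means "keep forever".

```python
import json

MIN_RETENTION_DAYS = 90  # the control: retention must be greater than 90 days

# Constructed sample resembling `az network watcher flow-log list -o json`
# output (assumed shape, not real tenant data). Target IDs are placeholders.
SAMPLE_FLOW_LOGS_JSON = """
[
  {"name": "fl-web",  "enabled": true,
   "targetResourceId": "<nsg-web-id>",  "retentionPolicy": {"days": 30,  "enabled": true}},
  {"name": "fl-db",   "enabled": true,
   "targetResourceId": "<nsg-db-id>",   "retentionPolicy": {"days": 0,   "enabled": false}},
  {"name": "fl-mgmt", "enabled": false,
   "targetResourceId": "<nsg-mgmt-id>", "retentionPolicy": {"days": 180, "enabled": true}},
  {"name": "fl-app",  "enabled": true,
   "targetResourceId": "<nsg-app-id>",  "retentionPolicy": {"days": 91,  "enabled": true}}
]
"""


def evaluate_flow_log(flow_log):
    """Return (compliant, reason) for one flow-log resource dict."""
    if not flow_log.get("enabled", False):
        # A disabled flow log retains nothing new, whatever its policy says.
        return False, "flow log disabled: no traffic is being captured"
    policy = flow_log.get("retentionPolicy") or {}
    days = int(policy.get("days", 0))
    if days == 0 or not policy.get("enabled", False):
        # In Azure a retention of 0 days (policy disabled) keeps logs forever.
        # That satisfies "> 90 days" but has no bounded lifecycle, so it is
        # reported for cost review rather than as a finding.
        return True, "retention unbounded (0 days): logs are kept indefinitely"
    if days <= MIN_RETENTION_DAYS:
        return False, f"retention {days} days is not greater than {MIN_RETENTION_DAYS}"
    return True, f"retention {days} days"


def audit_flow_logs(flow_logs_json):
    """Evaluate every flow log in a JSON array; returns one finding per log."""
    findings = []
    for fl in json.loads(flow_logs_json):
        compliant, reason = evaluate_flow_log(fl)
        findings.append({"name": fl.get("name"), "target": fl.get("targetResourceId"),
                         "compliant": compliant, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_flow_logs(SAMPLE_FLOW_LOGS_JSON):
        print(("PASS" if f["compliant"] else "FAIL"), f["name"], f["target"], "-", f["reason"])
```

Pipe the real CLI output into `audit_flow_logs` to audit a subscription; treat every FAIL line as an NSG whose flow log needs the retention step above re-applied.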
Backout Plan (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Network Contributor permissions.
Navigate to Network Watcher:
Go to Network Watcher in the Azure portal.
Disable Flow Log Retention or Adjust Retention Period:
In the Flow Logs configuration panel, reduce the retention period back to the default (30 days) or as required.
Alternatively, you can disable Flow Log retention entirely if needed.
Use Azure CLI to Revert Changes: To revert the retention period back to the default using Azure CLI, run the following command:
# Same per-NSG command as in the implementation steps, with the retention
# value set back to the default of 30 days.
az network watcher flow-log configure \
  --resource-group <Resource-Group-Name> \
  --nsg <NSG-Name> \
  --enabled true \
  --storage-account <Storage-Account-ID> \
  --retention 30
Verify the Reverted Retention Period:
Check the Flow Log configuration again in the Azure portal or use Azure CLI to ensure that the retention period is now set back to 30 days.
Monitor Storage:
After modifying the retention period, monitor the storage account to ensure that old flow logs are deleted according to the new retention policy.