Check for NSG Flow Log Retention Period

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Network-004

Ensure that your Microsoft Azure Network Security Groups (NSGs) have a sufficient flow log retention period, i.e. greater than or equal to 90 days, configured for reliability and compliance purposes. The retention period is the number of days for which flow log data recorded for your network security groups is kept. Azure Network Security Group (NSG) flow logging is a feature of the Network Watcher service that lets you view information about inbound and outbound IP traffic through an NSG.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Reliability

Flow logs capture information about IP traffic flowing in and out of Azure Network Security Groups. A flow log data retention period of 90 days or more should allow you to collect the amount of logging data needed to check for anomalies and to reconstruct the details of any potential security breach.

Note: This conformity rule assumes that the Network Watcher is active within the required Azure regions and the flow log feature is enabled for the verified NSGs.


Audit

To determine if the flow log retention period configured for your Azure NSGs is greater than or equal to 90 days, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Network Watcher blade at https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview.

03 In the navigation panel, under Logs, click NSG flow logs to access all Azure NSG flow logs.

04 On the NSG flow logs page, choose the Azure subscription that you want to examine from the Subscription dropdown list.

05 Click on the active Network Security Group flow log that you want to examine to access the flow log configuration details. An active NSG flow log has the STATUS set to Enabled.

06 On the selected NSG flow log settings page, check the Retention (days) setting value. If this value (days) is less than 90 and different from 0 (unlimited retention), the flow log associated with the selected Azure Network Security Group does not have a sufficient log data retention period configured.

07 Repeat steps no. 5 and 6 for each active NSG flow log available in the current subscription.

08 Repeat steps no. 4 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the network nsg list command (Windows/macOS/Linux) using custom query filters to list the names of all network security groups and their associated resource groups available in the current Azure subscription:

az network nsg list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested resource information:

Name                ResourceGroup
-----------------   ------------------------------
cc-production-nsg   cloud-shell-storage-westeurope
cc-sec-ops-nsg      cloud-shell-storage-westeurope

03 Run the network watcher flow-log show command (Windows/macOS/Linux) using the name of the network security group that you want to examine as the identifier parameter and custom query filters to get the status and the retention period configured for the flow log associated with the selected Azure NSG:

az network watcher flow-log show \
	--nsg cc-production-nsg \
	--resource-group cloud-shell-storage-westeurope \
	--query 'retentionPolicy'

04 The command output should return the feature status and the number of days to retain flow log data:

{
  "enabled": true,
  "days": 7
}

If "enabled" is set to true and the "days" number returned by the network watcher flow-log show command output is less than 90 and different from 0 (unlimited retention), as shown in the example above, the selected Network Security Group (NSG) flow log does not have a sufficient log data retention period currently configured.

05 Repeat step no. 3 and 4 for each NSG flow log enabled within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.
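The following script is an added example (not Conformity's own code) that automates CLI audit steps 1 to 5 for one subscription and applies the rule's pass/fail logic, including the 0 = unlimited case; the live audit_subscription function needs an authenticated az CLI, while the constructed SAMPLE_FLOW_LOGS data (the cc-dev-nsg entry is invented) lets the check run offline.

```python
import json
import subprocess

MIN_RETENTION_DAYS = 90  # threshold from the Conformity rule

def az(*args):
    """Run an az CLI command and return its parsed JSON output (needs an authenticated az)."""
    proc = subprocess.run(["az", *args, "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None

def classify_retention(policy):
    """Apply the rule's check to a retentionPolicy object as returned by
    'az network watcher flow-log show': 'disabled', 'unlimited', 'sufficient' or 'insufficient'."""
    if not policy or not policy.get("enabled"):
        return "disabled"
    days = int(policy.get("days") or 0)
    if days == 0:  # 0 means unlimited retention, which satisfies the rule
        return "unlimited"
    return "sufficient" if days >= MIN_RETENTION_DAYS else "insufficient"

def find_insufficient(flow_logs):
    """flow_logs: (nsg_name, resource_group, retentionPolicy) tuples; returns the failing ones."""
    return [(name, rg, pol["days"]) for name, rg, pol in flow_logs
            if classify_retention(pol) == "insufficient"]

def audit_subscription(subscription_id):
    """Live version of CLI audit steps 1-5 for one subscription; call once per subscription (step 6)."""
    subprocess.run(["az", "account", "set", "--subscription", subscription_id], check=True)
    nsgs = az("network", "nsg", "list", "--query", "[*].{name:name, resourceGroup:resourceGroup}")
    flow_logs = []
    for nsg in nsgs or []:
        try:
            pol = az("network", "watcher", "flow-log", "show", "--nsg", nsg["name"],
                     "--resource-group", nsg["resourceGroup"], "--query", "retentionPolicy")
        except subprocess.CalledProcessError:
            pol = None  # no flow log configured for this NSG (the rule assumes one is enabled)
        flow_logs.append((nsg["name"], nsg["resourceGroup"], pol))
    return find_insufficient(flow_logs)

# Constructed sample standing in for step 4 output of three NSGs (not real data).
SAMPLE_FLOW_LOGS = [
    ("cc-production-nsg", "cloud-shell-storage-westeurope", {"enabled": True, "days": 7}),
    ("cc-sec-ops-nsg", "cloud-shell-storage-westeurope", {"enabled": True, "days": 0}),
    ("cc-dev-nsg", "cloud-shell-storage-westeurope", {"enabled": True, "days": 140}),
]

if __name__ == "__main__":
    for name, rg, days in find_insufficient(SAMPLE_FLOW_LOGS):
        print(f"{rg}/{name}: retention {days} days is below {MIN_RETENTION_DAYS}")
```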

Remediation / Resolution

To extend flow log data retention period for your Microsoft Azure Network Security Groups, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Network Watcher blade at https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview.

03 In the navigation panel, under Logs, click NSG flow logs to access all Azure NSG flow logs.

04 On the NSG flow logs page, choose the Azure subscription that you want to access from the Subscription dropdown list.

05 Click on the active Network Security Group flow log that you want to reconfigure (see Audit section part I to identify the right log). An active Network Security Group flow log has the STATUS set to Enabled.

06 On the selected flow log settings page, set the number of days to retain flow log data for the specified NSG in the Retention (Days) box to 90 days or more, or use the slider control to set the right value. Click Save to apply the retention period changes.

07 Repeat steps no. 5 and 6 for each active NSG flow log that you want to reconfigure, available in the current subscription.

08 Repeat steps no. 4 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the network watcher flow-log configure command (Windows/macOS/Linux) using the name of the associated NSG and the name of its resource group as identifier parameters (see Audit section part II to identify the right NSG resource) to extend the retention period for flow log data recorded for the selected Azure Network Security Group. For example, the following command request sets a retention period of 140 days for any flow logs recorded under the specified NSG:

az network watcher flow-log configure \
	--nsg cc-production-nsg \
	--resource-group cloud-shell-storage-westeurope \
	--enabled true \
	--retention 140 \
	--storage-account abcdabcdabcdabcdabcd \
	--workspace cc-log-analytics-workspace

02 The command output should return the modified NSG flow log configuration metadata:

{
  "enabled": true,
  "flowAnalyticsConfiguration": {
    "networkWatcherFlowAnalyticsConfiguration": {
      "enabled": true,
      "workspaceRegion": "westeurope",
      "workspaceResourceId": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.OperationalInsights/workspaces/cc-log-analytics-workspace"
    }
  },

  ...

  "retentionPolicy": {
    "days": 140,
    "enabled": true
  },
  "storageId": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcdabcdabcdabcdabcd",
  "targetResourceId": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-production-nsg"
}

03 Repeat step no. 1 and 2 for each active NSG flow log that you want to reconfigure, available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

Publication date Apr 2, 2020