Microsoft AzureOverview
Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days.
Rationale
Flow logs enable the capture of information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.
Impact
This will keep IP traffic logs for longer than 90 days. As a level 2, determine your need to retain data and apply your selection here. As this is data stored for longer, your monthly storage costs will increase depending on your data use.
Default Value
By default, Network Security Group Flow Logs are disabled.
References
- https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
- https://docs.microsoft.com/en-us/cli/azure/network/watcher/flow-log?view=azure-cli-latest
- https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention
Remediation guidance
Remediate from Azure Portal
- Go to
Network Watcher - Select the
NSG flow logsblade in the Logs section - Select each Network Security Group from the list
- Ensure
Statusis set toOn - Set
Retention (days)to 90 or greater. - Select your storage account in the
Storage accountfield - Select
Save
Remediate from Azure CLI
Enable the NSG flow logs and set the Retention (days) to greater than or equal to 90 days.
az network watcher flow-log configure --nsg <nsgNameOrID> --enabled true --resource-group <resourceGroupName> --retention 90 --storage-account <storageAccountNameOrID>
Multiple Remediation Paths
Azure
SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.
PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.
References for Service-Wide Patterns
- Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
- Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
- Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Azure NSG Flow Logs with retention shorter than 90 days
Connectors
Covered asset types
Expected check: eq []
{
flowLogs(
where: {
targetResourceID_CONTAINS: "networkSecurityGroups"
retentionPolicyDays_LT: 90
}
) {
...AssetFragment
}
}
