Control: 8.8 Ensure that virtual network flow log retention days is set to greater than or equal to 90
Description
Ensure that virtual network flow logs are retained for greater than or equal to 90 days.
Virtual network flow logs provide critical visibility into traffic patterns. Logs can be used to check for anomalies and give insight into suspected breaches.
Remediation
From Azure Portal
- Go to
Network Watcher. - Under
Logs, selectFlow logs. - Click
Add filter. - From the
Filterdrop-down menu, selectFlow log type. - From the
Valuedrop-down menu, checkVirtual networkonly. - Click
Apply. - Click the name of a virtual network flow log.
- Under
Storage Account, setRetention daysto0,90, or a number greater than 90. IfRetention daysis set to0, the logs are retained indefinitely with no retention policy. - Repeat steps 7 and 8 for each virtual network flow log requiring remediation.
From Azure CLI
Run the following command update the retention policy for a flow log in a network watcher, setting retention to 0, 90, or a number greater than 90:
az network watcher flow-log update --location <location> --name <flow-log> --retention <number-of-days>Repeat for each virtual network flow log requiring remediation.
Default Value
When a virtual network flow log is created using the Azure CLI, retention days is set to 0 by default. When creating via the Azure Portal, retention days must be specified by the creator.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v400_8_8Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v400_8_8 --shareSQL
This control uses a named query:
SELECT fl.id AS resource, CASE WHEN fl.enabled AND (fl.retention_policy_days >= 90 OR fl.retention_policy_days = 0) THEN 'ok' ELSE 'alarm' END AS status, CASE WHEN NOT fl.enabled THEN fl.name || ' flow log is not enabled.' WHEN fl.retention_policy_days = 0 THEN fl.name || ' flow log retention is set to indefinite.' WHEN fl.retention_policy_days >= 90 THEN fl.name || ' flow log retention is set to ' || fl.retention_policy_days || ' days.' ELSE fl.name || ' flow log retention is set to ' || fl.retention_policy_days || ' days.' END AS reason, fl.subscription_id, fl.regionFROM azure_network_watcher_flow_log fl;