Verify that Network Security Group Flow Log retention period is 'greater than 90 days'

Framework Reference: A.5.33 Integration: Azure – Network Watcher (NSG Flow Logs)

Why this matters
Network Security Group (NSG) flow logs capture information about inbound and outbound IP traffic and are critical for monitoring, forensic analysis, and identifying anomalous activity. A retention period of fewer than 90 days may result in insufficient historical data for post-incident investigations or compliance audits. Keeping flow logs for at least 90 days supports detection of long-term threats and fulfills regulatory requirements in many frameworks.


What this check does
This Auto Check verifies that NSG Flow Logs are enabled and the retention period is set to greater than or equal to 90 days.

Check Logic:
Passes if:

  • Flow logging is enabled for the NSG
  • Retention period is ≥ 90 days

Fails if:

  • Logging is disabled
    OR
  • Retention is set to < 90 days
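As an added example, not part of this article or of the Auto Check's own implementation, the Python below applies the pass/fail logic above to flow-log configurations in the shape the Azure CLI's `flow-log list` JSON output is assumed to have; the field names are an assumption and the four sample entries are constructed.

```python
"""Evaluate NSG flow-log configurations against the check logic above.
Input shape is an assumption: the per-entry JSON that `az network watcher
flow-log list` prints, with top-level "enabled", "retentionPolicy":
{"enabled", "days"} and "targetResourceId" naming the NSG (names not from page).
"""
import json

MIN_RETENTION_DAYS = 90  # the check requires retention >= 90 days


def evaluate_flow_log(cfg: dict) -> tuple[bool, str]:
    """Return (passed, reason) for a single flow-log configuration."""
    target = cfg.get("targetResourceId", "<unknown NSG>")
    if not cfg.get("enabled", False):
        return False, f"{target}: flow logging is disabled"
    policy = cfg.get("retentionPolicy") or {}
    days = policy.get("days", 0)
    # An absent or disabled retention policy, or days < 90 (0 included),
    # falls under "retention is set to < 90 days" in this check's logic.
    if not policy.get("enabled", False) or days < MIN_RETENTION_DAYS:
        return False, f"{target}: retention is {days} days (< {MIN_RETENTION_DAYS})"
    return True, f"{target}: logging enabled, retention {days} days"


def evaluate_all(cli_json: str) -> dict[str, bool]:
    """Map each NSG id to pass/fail given the JSON list printed by the CLI."""
    results = {}
    for cfg in json.loads(cli_json):
        passed, reason = evaluate_flow_log(cfg)
        results[cfg.get("targetResourceId", "<unknown NSG>")] = passed
        print("PASS" if passed else "FAIL", reason)
    return results


# Constructed sample of four flow-log entries (short ids stand in for full
# ARM resource ids; none of these are real resources).
SAMPLE = json.dumps([
    {"targetResourceId": "nsg-web", "enabled": True,
     "retentionPolicy": {"enabled": True, "days": 91}},
    {"targetResourceId": "nsg-db", "enabled": False,
     "retentionPolicy": {"enabled": True, "days": 120}},
    {"targetResourceId": "nsg-app", "enabled": True,
     "retentionPolicy": {"enabled": True, "days": 30}},
    {"targetResourceId": "nsg-legacy", "enabled": True,
     "retentionPolicy": {"enabled": False, "days": 0}},
])

if __name__ == "__main__":
    evaluate_all(SAMPLE)
```

Only `nsg-web` passes; the other three fail for the reasons the check lists (logging disabled, or retention below 90 days).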

How to fix it

Azure Portal:

  1. Go to Network Watcher
  2. Select NSG Flow Logs under the Logs section
  3. Select each Network Security Group
  4. Set Status to On
  5. Set Retention (days) to greater than 90
  6. Choose a Storage account to store the logs
  7. Click Save

Azure CLI:

  az network watcher flow-log configure \
    --nsg <nsg-name-or-id> \
    --enabled true \
    --resource-group <resource-group-name> \
    --retention 91 \
    --storage-account <storage-account-name-or-id>

PowerShell:

PowerShell command not explicitly provided in the CIS Benchmark for this check. Use the Azure CLI or Portal for enforcement.


Exceptions
No standard exceptions are defined. For cost optimization, organizations may set a higher threshold but should document business justification if retention is less than 90 days before June 30, 2025.
