Azure Network Watcher

NSG Flow Logs Retention Period

Risk Level: Low

Description

This module ensures that Azure Network Security Groups (NSGs) have an adequate flow log retention period. Retaining flow log data for the configured number of days or more lets you collect the amount of logging data needed to check for anomalies and gain insight into any potential security breach.

Configuration Parameters

NSG Flow Log Retention Period: This parameter denotes the adequate flow log retention period. An alert is generated if a low retention period is set.

By default, the retention period is set to 90 days, so an NSG is reported as vulnerable if its flow log retention period is less than 90 days.

About the Service

Azure Network Watcher:

Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) products, which include Virtual Machines, Virtual Networks, Application Gateways, Load Balancers, etc. Note: It is not intended for and will not work for PaaS monitoring or Web analytics.

Impact

Flow logs capture information about IP traffic flowing in and out through Azure Network Security Groups. A flow log retention period of the configured number of days or more should let you collect the amount of logging data needed to check for anomalies and gain insight into any potential security breach.

Steps to Reproduce

To determine whether the flow log retention period configured for an Azure NSG is equal to or greater than the configured number of days, follow the steps given below:


Using Azure Console-

  1. Firstly, sign in to the Azure Management Console with your registered organization email address.
  2. Under Azure Services, choose Subscriptions.
  3. A new Subscription page will open. Choose the subscription for which the issue has to be examined.
  4. Now, under the All Services option, select the Networking nav link.
  5. Under Networking, select Network Watcher services.
  6. In the navigation panel, under Logs, select the NSG Flow Logs option.
  7. A list of all Azure NSG flow logs will be shown. Choose the active Network Security Group flow log that you want to examine. An active NSG flow log has its Status set to Enabled.
  8. A new Flow Logs Settings page will appear. Check the Retention (days) setting value. If the value is less than the specified number of days and different from 0 (which is for an unlimited retention period), then the selected NSG doesn’t have an adequate log data retention period.
  9. Repeat the steps above for other NSG flow logs in the current subscription as well as in other subscriptions in your Azure Cloud.
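
The same check applied to exported flow log settings, as an added example that is not part of the original page or of the product it describes. It assumes each record carries `enabled`, `retentionPolicy.days` and `targetResourceId` fields, modelled on the JSON printed by `az network watcher flow-log list`; the sample records and helper names are constructed for illustration.

```python
# Constructed sample records (not real resources). The field names are an
# assumption modelled on `az network watcher flow-log list` JSON output.
NSG_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "rg-demo/providers/Microsoft.Network/networkSecurityGroups/")

def _sample(name, enabled, nsg, days=None):
    rec = {"name": name, "enabled": enabled, "targetResourceId": NSG_PREFIX + nsg}
    if days is not None:
        rec["retentionPolicy"] = {"days": days}
    return rec

SAMPLE_FLOW_LOGS = [
    _sample("fl-web", True, "web-nsg", 30),    # below the 90-day default
    _sample("fl-app", True, "app-nsg", 90),    # exactly at the threshold
    _sample("fl-db", True, "db-nsg", 0),       # 0 = unlimited retention
    _sample("fl-old", False, "old-nsg", 7),    # flow log not enabled
    _sample("fl-test", True, "test-nsg"),      # retention setting missing
]

def classify(flow_log, min_days=90):
    """Apply the rule from step 8 to one flow log record."""
    if not flow_log.get("enabled", False):
        return "skipped"            # step 7: only active flow logs are examined
    days = (flow_log.get("retentionPolicy") or {}).get("days")
    if isinstance(days, bool) or not isinstance(days, int) or days < 0:
        return "unknown"            # no usable value: review in the console
    if days == 0:
        return "ok"                 # unlimited retention is adequate
    return "ok" if days >= min_days else "fail"

def audit(flow_logs, min_days=90):
    """Return one finding per flow log, keyed by the NSG it targets."""
    findings = []
    for fl in flow_logs:
        findings.append({
            "flow_log": fl.get("name"),
            "nsg": fl.get("targetResourceId", "").rsplit("/", 1)[-1],
            "days": (fl.get("retentionPolicy") or {}).get("days"),
            "verdict": classify(fl, min_days),
        })
    return findings

if __name__ == "__main__":
    # For real data, replace SAMPLE_FLOW_LOGS with json.load() of an export.
    for f in audit(SAMPLE_FLOW_LOGS):
        print(f"{f['verdict']:8} {f['nsg']:10} retention={f['days']}")
```

Records reported as `unknown` have no readable retention value and need a manual look at the Flow Logs Settings page.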

Steps for Remediation

In order to extend the flow log retention period configured for Azure NSG, follow the steps given below:


Using Azure Console-

  1. Firstly, sign in to the Azure Management Console with your registered organization email address.
  2. Under Azure Services, choose Subscriptions.
  3. A new Subscription page will open. Choose the subscription for which the issue has to be examined.
  4. Now, under the All Services option, select the Networking nav link.
  5. Under Networking, select Network Watcher services.
  6. In the navigation panel, under Logs, select the NSG Flow Logs option.
  7. A list of all Azure NSG flow logs will be shown. Choose the active Network Security Group flow log that you want to examine. An active NSG flow log has its Status set to Enabled.
  8. A new Flow Logs Settings page will appear. Check the Retention (days) setting value. If the value is less than the configured number of days and different from 0 (which is for an unlimited retention period), then the selected NSG doesn’t have an adequate log data retention period.
  9. Change the retention period by clicking on the Retention (days) box and setting the number of days to be more than the one specified at the CNS Dashboard.
  10. Now, click on the Save button to save your current settings.
  11. Repeat the steps above for other NSG flow logs in the current subscription as well as in other subscriptions in your Azure Cloud.