Azure Introduction
Azure Pricing
Azure Threats
Security Group Flow Logs Should Be Retained For Longer Duration
More Info:
Ensure that your Microsoft Azure Network Security Groups (NSGs) have a sufficient flow log retention period, i.e. greater than or equal to 90 days, configured for reliability and compliance purposes. The retention period represents the number of days to retain flow log data recorded for your network security groups. Azure Network Security Group (NSG) flow log is a feature of the Network Watcher service, that allows you to view information about inbound and outbound IP traffic through an NSG.
Risk Level
Low
Address
Reliability, Operational Maturity, Security
Compliance Standards
CISAZURE, CBP
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the misconfiguration of Security Group Flow Logs retention for a longer duration in AZURE:
- Log in to the AZURE portal (https://portal.azure.com/).
- Navigate to the “Security Center” from the left-hand menu.
- Click on the “Security policy” option from the “Security Center” menu.
- Click on the “Edit” button to edit the security policy.
- Scroll down to the “Network security group flow logs” section and click on the “Edit” button.
- In the “Retention period” field, enter the desired number of days for which you want to retain the logs.
- Click on the “Save” button to save the changes.
Once you have completed these steps, the Security Group Flow Logs retention period will be updated to the desired duration. It is recommended to retain the logs for a longer duration for security and compliance purposes.
To remediate the misconfiguration of Security Group Flow Logs retention for a longer duration in Azure using Azure CLI, follow the below steps:
-
Open the Azure CLI command prompt.
-
Run the following command to set the retention period for Security Group Flow Logs as per your requirement:
az network watcher flow-log configure --nsg-flow-analytics true --enabled true --storage-account <storage_account_name> --interval 10 --retention 365
In the above command, replace
<storage_account_name>
with the name of the storage account where you want to retain the logs. You can also change the retention period (in days) as per your organization’s requirements. -
Once the command is executed successfully, Security Group Flow Logs will be retained for the specified duration.
Note: Make sure that you have the required permissions to configure Security Group Flow Logs in Azure.
To remediate the misconfiguration of Security Group Flow Logs retention for a longer duration in Azure, you can use the following steps:
- First, you need to log in to your Azure account using the Azure CLI. You can install and authenticate the Azure CLI using the following command:
az login
- Once you are logged in, you need to retrieve the current retention period for Security Group Flow Logs using the following command:
az network watcher flow-log show --resource-group <resource-group-name> --name <flow-log-name> --query retentionEnabled
This command will return the current retention period for Security Group Flow Logs in Azure.
- If the retention period is less than the required duration, you can use the following command to update the retention period:
az network watcher flow-log update --resource-group <resource-group-name> --name <flow-log-name> --retention <retention-duration>
Here, you need to replace <resource-group-name>
with the name of the resource group where the Security Group Flow Logs are stored, <flow-log-name>
with the name of the flow log, and <retention-duration>
with the required retention period in days.
- If you want to automate this process using Python, you can use the Azure SDK for Python. First, you need to install the Azure SDK using the following command:
pip install azure-mgmt-network
- Once the Azure SDK is installed, you can use the following Python code to update the retention period for Security Group Flow Logs:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.network import NetworkManagementClient
# Replace the variables with your own values
subscription_id = '<subscription-id>'
resource_group_name = '<resource-group-name>'
flow_log_name = '<flow-log-name>'
retention_duration = '<retention-duration>'
# Authenticate using a service principal
credentials = ServicePrincipalCredentials(
client_id='<client-id>',
secret='<client-secret>',
tenant='<tenant-id>'
)
# Create a NetworkManagementClient
network_client = NetworkManagementClient(credentials, subscription_id)
# Get the current retention period
flow_log = network_client.flow_logs.get(resource_group_name, flow_log_name)
current_retention = flow_log.retention_policy.enabled
# Update the retention period if required
if current_retention < retention_duration:
flow_log.retention_policy.enabled = retention_duration
network_client.flow_logs.create_or_update(resource_group_name, flow_log_name, flow_log)
Here, you need to replace the variables with your own values. Once you run this code, it will retrieve the current retention period for Security Group Flow Logs and update it if required.