Azure Network Watcher Network Security Group (NSG) Flow Logs Retention Is Less Than 90 Days

This policy identifies Azure Network Security Groups (NSG) for which flow logs retention period is 90 days or less. To perform this check, enable this action on the Azure Service Principal: 'Microsoft.Network/networkWatchers/queryFlowLogStatus/action'. NSG flow logs, a feature of the Network Watcher app, enable you to view information about ingress and egress IP traffic through an NSG. The flow logs include information such as: - Outbound and inbound flows on a per-rule basis. - Network interface to which the flow applies. - 5-tuple information about the flow (source/destination IP, source/destination port, protocol). - Whether the traffic was allowed or denied. As a best practice, enable NSG flow logs and set the log retention period to at least 90 days.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

Azure Network Watcher Network Security Group (NSG) flow logs retention is less than 90 days.
JSON Query:
$.resource.*.azurerm_network_security_group size greater than 0 and ($.resource.*.azurerm_network_watcher_flow_log size equals 0 or $.resource.*.azurerm_network_watcher_flow_log[*].*[*].enabled anyNull or $.resource.*.azurerm_network_watcher_flow_log[*].*[*].enabled anyFalse or $.resource.*.azurerm_network_watcher_flow_log[*].*[*].retention_policy[*].enabled anyFalse or $.resource.*.azurerm_network_watcher_flow_log[*].*[*].retention_policy[?( @.days<90 )] size greater than 0)
Recommended solution for having Network Security Group (NSG) flow logs retention to be more 90 days.
It is recommended that Azure Network Watcher Network Security Group (NSG) flow logs retention should be more than 90 days. Please make sure if your "azurerm_network_watcher_flow_log" template has "days" set to anything greater than 90 under "retention_policy" block.
For example:
"azurerm_network_watcher_flow_log": [ { "<network_watcher_flow_log_name>": [ { "enabled": true, "network_security_group_id": "${}", "network_watcher_name": "${}", "resource_group_name": "${}", "retention_policy": [ { "days": 100, "enabled": true } ] } ] }]

Run Rule Recommendation

To enable Flow Logs:.
  1. Log in to the Azure portal.
  2. Select 'Network Watcher'.
  3. Select 'NSG flow logs'.
  4. Select the NSG for which you need to modify the flow log settings.
  5. Set the Flow logs 'Status' to 'On'.
  6. Select the destination 'Storage account'.
  7. Set the 'Retention (days)' to 90 days or greater.
  8. 'Save' your changes.


There is 1 standard that is applicable to this policy:
  • CIS v1.1 (Azure)

Recommended For You