Control: Azure > CIS v5.0 > 7 - Networking Services > 7.05 - Ensure that network security group flow log retention days is set to greater than or equal to 90
Configures auditing against a CIS Benchmark item.
Level: 2
Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.
RETIREMENT NOTICE: On September 30, 2027, network security group (NSG) flow logs will be retired. Starting June 30, 2025, it will no longer be possible to create new NSG flow logs. Azure recommends migrating to virtual network flow logs. For virtual network flow logs, consider applying recommendation 8.8 (Ensure that virtual network flow log retention days is set to greater than or equal to 90) in this section.
Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.
By default, Network Security Group Flow Logs are disabled.
Resource Types
This control targets the following resource types:
Policies
This control type relies on these other policies when running actions:
- Azure > CIS v5.0
- Azure > CIS v5.0 > 7 - Networking Services > 7.05 - Ensure that network security group flow log retention days is set to greater than or equal to 90
- Azure > CIS v5.0 > 7 - Networking Services
- Azure > CIS v5.0 > 7 - Networking Services
- Azure > CIS v5.0 > 7 - Networking Services > 7 - Maximum Attestation Duration
Category
In Your Workspace
Developers
- tmod:@turbot/azure-cisv5-0#/control/types/r0705
- tmod:@turbot/cis#/control/categories/v070604
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv5-0#/control/types/r0705"
Get Controls