Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Check for Virtual Network Flow Log Retention Period

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Azure Virtual Networks (VNets) have a sufficient flow log retention period, i.e., greater than or equal to 90 days, configured for reliability and compliance purposes. The retention period represents the number of days to retain flow log data recorded for your Virtual Network resources.

Reliability

Flow Logs is a feature of the Azure Network Watcher service that allows you to view information about inbound and outbound IP traffic through a Network Security Group (NSG) or Virtual Network (VNet). Virtual Network flow logs support connecting at the VNet, subnet, and Network Interface (NIC) level. A flow log data retention period of 90 days or more, should allow you to collect the necessary amount of logging data required to check for anomalies and provide details about any potential security breach.

This conformity rule assumes that Azure Network Watcher is active within the required Azure cloud regions and the Flow Logs feature is enabled for the verified Virtual Networks.

Audit

To determine if the flow log retention period configured for your Azure Virtual Networks is greater than or equal to 90 days, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Network Watcher blade available at https://portal.azure.com/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview.

03 In the left navigation panel, under Logs, choose Flow logs.

04 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

05 Choose Add filter, select Flow log type for Filter, Equals for Operator, and Virtual network for Value, then choose Apply to list only the Virtual Network flow logs available in the selected Azure subscription.

06 Click on the name (link) of the active Virtual Network flow log that you want to examine. An active flow log has the Status set to Enabled.

07 In the Storage Account section, check the Retention days setting value to determine the retention period configured for the selected flow log. If the Retention days value is less than 90 and different from 0 (i.e., unlimited retention), the selected Azure Virtual Network flow log is not configured with a sufficient log data retention period.

08 Repeat steps no. 6 and 7 for each active VNet flow log available in the selected subscription.

09 Repeat steps no. 4 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network watcher flow-log list command (Windows/macOS/Linux) with custom output filters to list the name, status, and target resource for each Network Watcher flow log available in the selected Azure subscription: 

az network watcher flow-log list
	--location westeurope
	--query '[*].[{"name":name,"enabled":enabled,"targetResource":targetResourceId}] | []'

05 The command output should return the requested cloud resource information. An active Virtual Network flow log has "enabled" set to true and "targetResource" set to "/subscriptions/\<subscription-id\>/resourceGroups/\<resource-group-name\>/providers/Microsoft.Network/virtualNetworks/\<vnet-name\>", where \<vnet-name\> is the name of the associated Virtual Network: 

[
	{
		"name": "cc-project5-vnet-cloud-shell-storage-westeurope-flowlog",
		"enabled": true,
		"targetResource": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet"
	},
	{
		"name": "cc-prod-vnet-cloud-shell-storage-westeurope-flowlog",
		"enabled": true,
		"targetResource": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-prod-vnet"
	}
]

06 Run network watcher flow-log show command (Windows/macOS/Linux) with the name of the active Virtual Network flow log that you want to examine as identifier parameter, to get the state and the retention period configured for the selected VNet flow log: 

az network watcher flow-log show
	--location westeurope
	--name cc-project5-vnet-cloud-shell-storage-westeurope-flowlog
	--query 'retentionPolicy'

07 The command output should return the retention policy state and the number of days to retain flow log data: 

{
	"enabled": true,
	"days": 7
}

If "enabled" is set to true and the "days" attribute value is less than 90 and different from 0 (i.e., unlimited log retention), as shown in the example above, the selected Azure Virtual Network flow log is not configured with a sufficient log data retention period.

08 Repeat steps no. 6 and 7 for each active VNet flow log available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To extend the flow log data retention period for your Azure Virtual Networks (VNets), perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Network Watcher blade available at https://portal.azure.com/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview.

03 In the left navigation panel, under Logs, choose Flow logs.

04 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

05 Choose Add filter, select Flow log type for Filter, Equals for Operator, and Virtual network for Value, then choose Apply to list only the Virtual Network flow logs available in the selected Azure subscription.

06 Click on the name (link) of the active Virtual Network flow log that you want to configure. An active flow log has the Status set to Enabled.

07 In the Storage Account section, use the Retention days configuration box to set the number of days to retain log data for the selected flow log to 90 days or more (up to 365 days, inclusive). Choose Save to apply the changes.

08 Repeat steps no. 6 and 7 for each active VNet flow log that you want to configure, available in the selected subscription.

09 Repeat steps no. 4 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network watcher flow-log update command (Windows/macOS/Linux) with the name of the active Virtual Network flow log that you want to configure as the identifier parameter, to extend the retention period for the log data recorded by the selected Virtual Network flow log. For compliance, set the retention period to 90 days or more (up to 365 days, inclusive). As an example, the following command sets the flow log data retention period to 90 days: 

az network watcher flow-log update
	--location westeurope
	--name cc-project5-vnet-cloud-shell-storage-westeurope-flowlog
	--retention 90

05 The command output should return the information available for the modified flow log resource: 

{
	"enabled": true,
	"enabledFilteringCriteria": "",
	"flowAnalyticsConfiguration": {
		"networkWatcherFlowAnalyticsConfiguration": {
			"enabled": false,
			"trafficAnalyticsInterval": 0
		}
	},
	"format": {
		"type": "JSON",
		"version": 2
	},
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westeurope/flowLogs/cc-project5-vnet-cloud-shell-storage-westeurope-flowlog",
	"location": "westeurope",
	"name": "cc-project5-vnet-cloud-shell-storage-westeurope-flowlog",
	"provisioningState": "Succeeded",
	"resourceGroup": "NetworkWatcherRG",
	"retentionPolicy": {
		"days": 90,
		"enabled": true
	},
	"storageId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/project5storageaccount",
	"tags": {},
	"targetResourceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet",
	"type": "Microsoft.Network/networkWatchers/flowLogs"
}

06 Repeat steps no. 4 and 5 for each active VNet flow log that you want to configure, available in the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created within your Microsoft Azure cloud account.

References

Publication date May 7, 2025

Related Network rules