Azure VNet flow logs retention period shortened
Description
AlphaSOC detected an Azure Network Watcher flow log configuration with an
unusually short retention period. Threat actors may modify flow log retention
policies using the Microsoft.Network/networkWatchers/flowLogs/write action to
set retention periods to less than 7 days. This can indicate misconfiguration or
an attempt by threat actors to maintain the appearance of active logging while
ensuring that network traffic evidence is deleted after a short timeframe,
limiting the window for incident detection and forensic analysis. By shortening
retention without disabling logging entirely, attackers reduce the likelihood of
triggering alerts while effectively impairing defenders’ ability to investigate
historical attack patterns, identify lateral movement, or reconstruct
command-and-control communications.
Impact
Short flow log retention periods significantly reduce an organization’s ability to detect and investigate security incidents. During incident response, investigators rely on weeks or months of flow log data to establish attack timelines, identify compromised systems, and determine the full scope of breaches. Short retention periods force security teams to work within a compressed investigation window, often discovering incidents only after critical forensic evidence has been automatically deleted. This defense evasion technique is particularly effective because it appears less suspicious than completely disabling logging, while still achieving the attacker’s goal of limiting forensic capabilities and reducing detection opportunities.
Severity
| Severity | Condition |
|---|---|
| Low | Azure flow logs short retention period |
Investigation and Remediation
Review Azure Activity logs to identify the
Microsoft.Network/networkWatchers/flowLogs/write event and examine the
retention policy configuration in the request body. Check the
`properties.retentionPolicy.days` value against the previous configuration and
your organizational baseline; note that a retention policy that is disabled, or
one whose `days` value is 0, keeps data indefinitely, so only a positive value
below the expected minimum indicates shortened retention. Identify the
principal (user, service principal, or managed identity) responsible for the
modification and check the source IP address and user agent to determine
whether the activity originated from expected infrastructure or authorized
personnel.
If the retention reduction was unauthorized, immediately restore the flow log retention period to an appropriate duration based on organizational security and compliance requirements. Review the time period when short retention was active to determine what network flow data may have been lost, and correlate with other available log sources such as Azure Activity logs, firewall logs, and endpoint detection tools to compensate for missing network visibility. Disable or rotate credentials for any compromised principals, and review Azure RBAC assignments to ensure least-privilege access to Network Watcher resources. Implement Azure Policy to enforce minimum retention periods for flow logs across all subscriptions, preventing future unauthorized reductions.
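The triage described above, as an added example rather than AlphaSOC's own detection code: it scans exported Azure Activity Log events for `flowLogs/write` operations, parses the PUT request body, and reports only writes that set an enabled retention policy to a positive value below the threshold (a disabled policy or `days: 0` means data is retained indefinitely and is not flagged). The event field names (`operationName`, `caller`, `callerIpAddress`, `resourceId`, `resultType`, `properties.requestbody`) follow the Activity Log diagnostic-settings export schema and are assumptions to verify against your own export; the sample events, subscription ID, and principal names are constructed.

```python
"""Triage Azure Activity Log events for flow log retention reductions.

Added example, not AlphaSOC's detection code. Event field names follow the
Activity Log diagnostic-settings export schema and should be verified against
your own export. Sample events below are constructed.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The export upper-cases operation names, so compare case-insensitively.
FLOWLOG_WRITE = "microsoft.network/networkwatchers/flowlogs/write"
MIN_RETENTION_DAYS = 7  # alert threshold used by the detection


@dataclass
class Finding:
    timestamp: str
    flow_log_id: str
    target_resource_id: str
    retention_days: int
    caller: str
    caller_ip: str


def effective_retention_days(body: Dict) -> Optional[int]:
    """Return the finite retention in days from a parsed flowLogs PUT body.

    None means no finite retention applies: the policy is disabled, or days is
    0, which Network Watcher treats as 'retain forever'.
    """
    policy = body.get("properties", {}).get("retentionPolicy", {})
    if not policy.get("enabled", False):
        return None
    days = int(policy.get("days", 0))
    return days if days > 0 else None


def short_retention_writes(events: Iterable[Dict],
                           threshold: int = MIN_RETENTION_DAYS) -> List[Finding]:
    """Return one Finding per flow log write that sets 0 < days < threshold."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("operationName", "").lower() != FLOWLOG_WRITE:
            continue
        if ev.get("resultType") == "Failure":  # rejected writes changed nothing
            continue
        raw = ev.get("properties", {}).get("requestbody")
        if not raw:
            continue  # e.g. a completion event without the request body
        try:
            body = json.loads(raw)
            days = effective_retention_days(body)
        except (ValueError, TypeError):
            continue  # malformed body; cannot judge the retention change
        if days is None or days >= threshold:
            continue
        findings.append(Finding(
            timestamp=ev.get("time", ""),
            flow_log_id=ev.get("resourceId", ""),
            target_resource_id=body.get("properties", {}).get("targetResourceId", ""),
            retention_days=days,
            caller=ev.get("caller", ""),
            caller_ip=ev.get("callerIpAddress", ""),
        ))
    return findings


def _event(ts, caller, ip, flow_log, enabled, days, result="Start"):
    """Build a constructed Activity Log event for a flowLogs PUT."""
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"
    body = {"properties": {
        "enabled": True,
        "targetResourceId": f"{sub}/resourceGroups/prod-rg/providers/Microsoft.Network/virtualNetworks/prod-vnet",
        "retentionPolicy": {"enabled": enabled, "days": days},
    }}
    return {
        "time": ts,
        "operationName": "MICROSOFT.NETWORK/NETWORKWATCHERS/FLOWLOGS/WRITE",
        "resultType": result,
        "caller": caller,
        "callerIpAddress": ip,
        "resourceId": f"{sub}/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus/flowLogs/{flow_log}",
        "properties": {"requestbody": json.dumps(body)},
    }


# Constructed sample: a routine 90-day change, a suspicious 2-day change from an
# unfamiliar address, a write that disables retention (kept forever), and a
# rejected 1-day write.
SAMPLE_EVENTS = [
    _event("2024-05-01T08:12:03Z", "netops@example.com", "10.20.0.15", "prod-vnet-flowlog", True, 90),
    _event("2024-05-03T02:47:51Z", "svc-deploy@example.com", "203.0.113.77", "prod-vnet-flowlog", True, 2),
    _event("2024-05-03T03:01:10Z", "netops@example.com", "10.20.0.15", "dev-vnet-flowlog", False, 3),
    _event("2024-05-04T11:30:00Z", "contractor@example.com", "198.51.100.9", "prod-vnet-flowlog", True, 1, "Failure"),
]

if __name__ == "__main__":
    for f in short_retention_writes(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.caller} from {f.caller_ip} set {f.retention_days}d on {f.flow_log_id}")
```

Run it over a real export by replacing `SAMPLE_EVENTS` with the decoded JSON lines from your Activity Log diagnostic-settings destination; each finding gives the principal, source address, and target resource to pivot on, and the threshold can be raised to match the minimum your Azure Policy enforces.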
Known False Positives
- Cost optimization initiatives reducing retention periods in non-production environments