Defining a short log retention duration can reduce an organization's ability to backtrace the actions of malicious actors in case of a security incident.
Logging allows operational and security teams to get detailed and real-time feedback on an information system’s events. The logging coverage
enables them to quickly react to events, ranging from the most benign bugs to the most impactful security incidents, such as intrusions.
Apart from security detection, logging capabilities also directly influence future digital forensic analyses. For example, detailed logging will
allow investigators to establish a timeline of the actions perpetrated by an attacker.
Ask Yourself Whether
- This component is essential for the information system infrastructure.
- This component is essential for mission-critical functions.
- Compliance policies require traceability for a longer duration.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Increase the log retention period to a duration sufficient to investigate the incident and restore service.
Sensitive Code Example
For Azure Firewall Policy:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example",
      "type": "Microsoft.Network/firewallPolicies",
      "apiVersion": "2022-07-01",
      "properties": {
        "insights": {
          "isEnabled": true,
          "retentionDays": 7
        }
      }
    }
  ]
}
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
  name: 'example'
  properties: {
    insights: {
      isEnabled: true
      retentionDays: 7 // Sensitive
    }
  }
}
For Microsoft.Network Network Watchers Flow Logs:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "networkWatchers/example",
      "type": "Microsoft.Network/networkWatchers/flowLogs",
      "apiVersion": "2022-07-01",
      "properties": {
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      }
    }
  ]
}
resource networkWatchersFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@2022-07-01' = {
  name: 'networkWatchers/example'
  properties: {
    retentionPolicy: {
      days: 7 // Sensitive
      enabled: true
    }
  }
}
For Microsoft SQL Servers Auditing Settings:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example/default",
      "type": "Microsoft.Sql/servers/auditingSettings",
      "apiVersion": "2021-11-01",
      "properties": {
        "retentionDays": 7,
        "state": "Enabled"
      }
    }
  ]
}
resource sqlServerAudit 'Microsoft.Sql/servers/auditingSettings@2021-11-01' = {
  name: 'example/default'
  properties: {
    retentionDays: 7 // Sensitive
    state: 'Enabled'
  }
}
This rule also applies to log retention periods that are too short, on the following resources:
Compliant Solution
For Azure Firewall Policy:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example",
      "type": "Microsoft.Network/firewallPolicies",
      "apiVersion": "2022-07-01",
      "properties": {
        "insights": {
          "isEnabled": true,
          "retentionDays": 30
        }
      }
    }
  ]
}
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
  name: 'example'
  properties: {
    insights: {
      isEnabled: true
      retentionDays: 30
    }
  }
}
For Microsoft.Network Network Watchers Flow Logs:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "networkWatchers/example",
      "type": "Microsoft.Network/networkWatchers/flowLogs",
      "apiVersion": "2022-07-01",
      "properties": {
        "retentionPolicy": {
          "days": 30,
          "enabled": true
        }
      }
    }
  ]
}
resource networkWatchersFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@2022-07-01' = {
  name: 'networkWatchers/example'
  properties: {
    retentionPolicy: {
      days: 30
      enabled: true
    }
  }
}
For Microsoft SQL Servers Auditing Settings:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example/default",
      "type": "Microsoft.Sql/servers/auditingSettings",
      "apiVersion": "2021-11-01",
      "properties": {
        "retentionDays": 30,
        "state": "Enabled"
      }
    }
  ]
}
resource sqlServerAudit 'Microsoft.Sql/servers/auditingSettings@2021-11-01' = {
  name: 'example/default'
  properties: {
    retentionDays: 30
    state: 'Enabled'
  }
}
The code above also applies to the other resource types listed in the previous paragraph.
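The following added example (not part of the original rule description) shows a small pre-deployment check over an ARM template that flags the three resource types above when their retention is below a threshold. The threshold, the sample template and the treatment of 0 as "retain indefinitely" for SQL auditing and flow logs are assumptions for this example; confirm the last one against Azure's documentation for the API version you deploy.

```python
import json

# Threshold used by this check (days). Assumed value for the example, not the rule's own.
MIN_RETENTION_DAYS = 30

# Per resource type: the path to the retention value under "properties", and whether a
# value of 0 means "retain indefinitely" (assumed from Azure's documented semantics for
# SQL auditing and flow logs; verify for your deployment before relying on it).
RETENTION_RULES = {
    "Microsoft.Network/firewallPolicies": (("insights", "retentionDays"), False),
    "Microsoft.Network/networkWatchers/flowLogs": (("retentionPolicy", "days"), True),
    "Microsoft.Sql/servers/auditingSettings": (("retentionDays",), True),
}


def retention_days(resource):
    """Return the configured retention in days, or None if the type is not covered or the value is absent."""
    rule = RETENTION_RULES.get(resource.get("type"))
    if rule is None:
        return None
    node = resource.get("properties", {})
    for key in rule[0]:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, int) else None


def find_short_retention(template, minimum=MIN_RETENTION_DAYS):
    """Return (name, type, days) for every covered resource whose retention is below minimum."""
    findings = []
    for res in template.get("resources", []):
        days = retention_days(res)
        if days is None:
            continue
        zero_is_unlimited = RETENTION_RULES[res["type"]][1]
        if zero_is_unlimited and days == 0:
            continue  # 0 keeps logs indefinitely for this type, so it is not a short retention
        if days < minimum:
            findings.append((res.get("name"), res["type"], days))
    return findings


# Constructed sample template combining the three resource types from the rule.
SAMPLE_TEMPLATE = json.loads("""
{ "resources": [
  {"name": "example", "type": "Microsoft.Network/firewallPolicies",
   "properties": {"insights": {"isEnabled": true, "retentionDays": 7}}},
  {"name": "networkWatchers/example", "type": "Microsoft.Network/networkWatchers/flowLogs",
   "properties": {"retentionPolicy": {"days": 30, "enabled": true}}},
  {"name": "example/default", "type": "Microsoft.Sql/servers/auditingSettings",
   "properties": {"retentionDays": 0, "state": "Enabled"}}
]}
""")

if __name__ == "__main__":
    for name, rtype, days in find_short_retention(SAMPLE_TEMPLATE):
        print(f"{rtype} '{name}': retention of {days} days is below {MIN_RETENTION_DAYS}")
```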