Short log retention periods reduce an organization’s ability to investigate security incidents and perform forensic analysis.
Logging allows operational and security teams to get detailed and real-time feedback on an information system’s events. The logging coverage enables them to quickly react to events, ranging from minor bugs to serious security incidents such as intrusions. Apart from security detection, logging capabilities also directly influence future digital forensic analyses: detailed logs allow investigators to establish a timeline of actions perpetrated by an attacker.
Industry threat reports consistently show that attackers often remain undetected inside compromised systems for weeks or even months before discovery. When the log retention period is shorter than the attacker’s dwell time, the evidence of initial entry, lateral movement, and privilege escalation is automatically destroyed by the infrastructure itself before any investigation begins. This creates a forensic blackout period during which an attacker can operate with complete anonymity, leaving no recoverable trace of their activity.
When logs covering the breach window are gone, investigators cannot establish what the attacker accessed, modified, or exfiltrated. Under regulations such as GDPR or HIPAA, if an organization cannot prove that data was not stolen, regulators and courts will often assume it was — triggering mandatory breach notifications and significant fines even when no actual data loss occurred.
Many modern attacks rely on low-and-slow techniques that only become visible as patterns over time, such as periodic beaconing to a command-and-control server or incremental privilege escalation across multiple sessions. Short log retention destroys the historical window needed to detect these patterns, allowing persistent threats to continue operating undetected.
Without a complete log trail covering the attacker’s full period of activity, security teams cannot reliably identify the initial entry point or every system the attacker touched. As a result, the organization cannot confirm that the attacker has been fully evicted, leaving the original compromise vector open and the risk of reinfection high.
Setting the log retention period to a value sufficient to investigate security incidents allows teams to access historical records when a breach is discovered after the fact.
For Microsoft Network Firewall Policies:
Noncompliant code example (7-day retention):
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example",
      "type": "Microsoft.Network/firewallPolicies",
      "apiVersion": "2022-07-01",
      "properties": {
        "insights": {
          "isEnabled": true,
          "retentionDays": 7
        }
      }
    }
  ]
}
Compliant solution (30-day retention):
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example",
      "type": "Microsoft.Network/firewallPolicies",
      "apiVersion": "2022-07-01",
      "properties": {
        "insights": {
          "isEnabled": true,
          "retentionDays": 30
        }
      }
    }
  ]
}
For Microsoft Network Network Watchers Flow Logs:
Noncompliant code example (7-day retention):
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "networkWatchers/example",
      "type": "Microsoft.Network/networkWatchers/flowLogs",
      "apiVersion": "2022-07-01",
      "properties": {
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        }
      }
    }
  ]
}
Compliant solution (30-day retention):
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "networkWatchers/example",
      "type": "Microsoft.Network/networkWatchers/flowLogs",
      "apiVersion": "2022-07-01",
      "properties": {
        "retentionPolicy": {
          "days": 30,
          "enabled": true
        }
      }
    }
  ]
}
For Microsoft SQL Servers Auditing Settings:
Noncompliant code example (7-day retention):
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example/default",
      "type": "Microsoft.Sql/servers/auditingSettings",
      "apiVersion": "2021-11-01",
      "properties": {
        "retentionDays": 7,
        "state": "Enabled"
      }
    }
  ]
}
Compliant solution (30-day retention):
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example/default",
      "type": "Microsoft.Sql/servers/auditingSettings",
      "apiVersion": "2021-11-01",
      "properties": {
        "retentionDays": 30,
        "state": "Enabled"
      }
    }
  ]
}
The same settings in Bicep, where the noncompliant value is marked with a comment and the compliant declaration follows it. For Microsoft Network Firewall Policies:
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
  name: 'example'
  properties: {
    insights: {
      isEnabled: true
      retentionDays: 7 // Noncompliant
    }
  }
}
Compliant solution:
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
  name: 'example'
  properties: {
    insights: {
      isEnabled: true
      retentionDays: 30
    }
  }
}
For Microsoft Network Network Watchers Flow Logs:
resource networkWatchersFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@2022-07-01' = {
  name: 'networkWatchers/example'
  properties: {
    retentionPolicy: {
      days: 7 // Noncompliant
      enabled: true
    }
  }
}
Compliant solution:
resource networkWatchersFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@2022-07-01' = {
  name: 'networkWatchers/example'
  properties: {
    retentionPolicy: {
      days: 30
      enabled: true
    }
  }
}
For Microsoft SQL Servers Auditing Settings:
resource sqlServerAudit 'Microsoft.Sql/servers/auditingSettings@2021-11-01' = {
  name: 'example/default'
  properties: {
    retentionDays: 7 // Noncompliant
    state: 'Enabled'
  }
}
Compliant solution:
resource sqlServerAudit 'Microsoft.Sql/servers/auditingSettings@2021-11-01' = {
  name: 'example/default'
  properties: {
    retentionDays: 30
    state: 'Enabled'
  }
}
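The following Python script is an added example, not code from the rule page, from the analyzer that implements this rule, or from Azure. It audits ARM templates (JSON) and Bicep files for the three resource types shown in both sections above, using the same property paths as the examples, and reports any resource whose retention is below a minimum. The 30-day threshold, the constructed sample inputs, and the regex-based extraction for Bicep (a header match plus brace matching, not a full Bicep parser) are assumptions of this example; pick the threshold from your incident-response and regulatory retention needs.

```python
"""Audit log-retention settings in ARM templates and Bicep files.
Added example; resource types and property paths follow the rule page,
MIN_RETENTION_DAYS and the sample inputs are assumptions."""
import json
import re

MIN_RETENTION_DAYS = 30  # assumption: set to what your IR process and regulations require

FIREWALL_POLICY = "Microsoft.Network/firewallPolicies"
FLOW_LOGS = "Microsoft.Network/networkWatchers/flowLogs"
SQL_AUDIT = "Microsoft.Sql/servers/auditingSettings"

# Resource type -> key path of the retention value under "properties" (as on the page)
RETENTION_PATHS = {
    FIREWALL_POLICY: ("insights", "retentionDays"),
    FLOW_LOGS: ("retentionPolicy", "days"),
    SQL_AUDIT: ("retentionDays",),
}


def _lookup(obj, path):
    """Follow a key path through nested dicts; None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _evaluate(rtype, name, days, min_days):
    """Return a finding string for one resource, or None when retention is acceptable."""
    if days is None:
        return f"{rtype} '{name}': no explicit retention; the provider default applies, verify it"
    if days == 0 and rtype != FIREWALL_POLICY:
        return None  # flow logs and SQL auditing use 0 for "retain indefinitely"
    if days < min_days:
        return f"{rtype} '{name}': retention {days} days is below the {min_days}-day minimum"
    return None


def check_arm_template(template_text, min_days=MIN_RETENTION_DAYS):
    """Scan an ARM template (JSON text) and return the list of findings."""
    findings = []
    for res in json.loads(template_text).get("resources", []):
        rtype, name = res.get("type"), res.get("name", "<unnamed>")
        path = RETENTION_PATHS.get(rtype)
        if path is None:
            continue  # not one of the log-producing resource types this check knows
        props = res.get("properties", {})
        if rtype == SQL_AUDIT and props.get("state") != "Enabled":
            findings.append(f"{rtype} '{name}': auditing is not enabled, no logs are written")
            continue
        finding = _evaluate(rtype, name, _lookup(props, path), min_days)
        if finding:
            findings.append(finding)
    return findings


# Bicep resource header: resource <symbolicName> '<type>@<apiVersion>' = {
_RESOURCE_RE = re.compile(r"resource\s+(\w+)\s+'([^'@]+)@[^']*'\s*=\s*\{")


def _bicep_resources(text):
    """Yield (symbolic name, type, body text) per resource block via brace matching."""
    for m in _RESOURCE_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1]


def check_bicep(text, min_days=MIN_RETENTION_DAYS):
    """Scan Bicep source and return the list of findings (regex-based, not a full parser)."""
    findings = []
    for name, rtype, body in _bicep_resources(text):
        path = RETENTION_PATHS.get(rtype)
        if path is None:
            continue
        if rtype == SQL_AUDIT and not re.search(r"\bstate\s*:\s*'Enabled'", body):
            findings.append(f"{rtype} '{name}': auditing is not enabled, no logs are written")
            continue
        m = re.search(rf"\b{path[-1]}\s*:\s*(\d+)", body)  # a trailing // comment is ignored
        finding = _evaluate(rtype, name, int(m.group(1)) if m else None, min_days)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample inputs mirroring the page's examples (one disabled SQL audit added)
SAMPLE_ARM = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"name": "example", "type": FIREWALL_POLICY, "apiVersion": "2022-07-01",
         "properties": {"insights": {"isEnabled": True, "retentionDays": 7}}},
        {"name": "networkWatchers/example", "type": FLOW_LOGS, "apiVersion": "2022-07-01",
         "properties": {"retentionPolicy": {"days": 0, "enabled": True}}},
        {"name": "example/default", "type": SQL_AUDIT, "apiVersion": "2021-11-01",
         "properties": {"retentionDays": 30, "state": "Enabled"}},
        {"name": "other/default", "type": SQL_AUDIT, "apiVersion": "2021-11-01",
         "properties": {"retentionDays": 30, "state": "Disabled"}},
    ],
})

SAMPLE_BICEP = """
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
  name: 'example'
  properties: {
    insights: {
      isEnabled: true
      retentionDays: 7 // Noncompliant
    }
  }
}
resource sqlServerAudit 'Microsoft.Sql/servers/auditingSettings@2021-11-01' = {
  name: 'example/default'
  properties: {
    retentionDays: 30
    state: 'Enabled'
  }
}
"""

if __name__ == "__main__":
    for finding in check_arm_template(SAMPLE_ARM) + check_bicep(SAMPLE_BICEP):
        print(finding)
```

Running the script prints one finding for the 7-day firewall policy in each input and one for the disabled SQL audit in the ARM sample; the flow log with `days: 0` is accepted because that value means unlimited retention for flow logs and SQL auditing, whereas for firewall policy insights it is treated like any other number. Wire `check_arm_template` and `check_bicep` into a pre-deployment CI step so a retention window shorter than your expected dwell-time coverage fails the build before the infrastructure starts discarding evidence.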