GRCWatch
Sign inStart free trial

CIS Control 13.6: Collect Network Traffic Flow Logs

Network traffic flow logs are your visibility layer into what's moving across your infrastructure. CIS Control 13.6 requires continuous collection and analysis of network traffic to detect anomalies, investigate incidents, and prove compliance to auditors.

What this means

This control mandates that your organization collect and retain network traffic flow data from routers, switches, firewalls, and other network devices. Flow logs record the source and destination of traffic, protocols used, and data volumes—creating an audit trail that reveals both normal operations and suspicious activity. Unlike packet-level deep packet inspection, flow logs provide lightweight, scalable visibility without capturing sensitive payload data.

How to comply

  1. 1.Enable NetFlow, sFlow, or IPFIX on all network devices including routers, switches, and firewalls
  2. 2.Configure flow log exporters to send data to a centralized collection point or SIEM
  3. 3.Define retention policies (minimum 90 days recommended; adjust based on risk profile)
  4. 4.Establish alerting rules for suspicious patterns: unusual ports, data exfiltration indicators, geographic anomalies
  5. 5.Document flow log sources, retention schedules, and alert thresholds in your network security policy
  6. 6.Test log collection and alert mechanisms quarterly to confirm data quality and completeness

Evidence auditors look for

  • NetFlow/IPFIX configuration export showing active flow collection on all network borders
  • SIEM dashboard or log aggregation platform displaying real-time flow data ingestion
  • Alert logs showing detection and response to suspicious traffic patterns
  • Network device running configuration printouts confirming flow exporter settings
  • Retention policy documentation matching your data lifecycle requirements
  • Query results from your log archive proving 90+ days of searchable flow data

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates flow log validation by confirming collection is active on required devices, alerting when gaps occur, and generating evidence reports showing log volume and retention compliance.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 8.1 — Establish and Maintain a Data Recovery ProcessCIS 13.1 — Maintain an Inventory of Network-Connected Information AssetsCIS 8.5 — Protect Information Systems During and After Maintenance, Monitoring and Diagnostics