Monitor ‘Activity Log Retention’ should be 365 days or greater

Description

A log profile controls how the activity log is exported and retained. Since the average time to detect a breach is 210 days, the activity log should be retained for 365 days or more in order to have time to respond to any incidents.

Portal Remediation Steps

Note that log profiles are now a legacy method for sending the activity log to Azure storage or event hubs.

  • Navigate to Monitoring > Activity Log.

  • Click Diagnostic settings and select “Looking for the legacy experience? Click here to launch the ‘Export activity log’ blade.”

  • Select the subscription.

  • Set the Retention (days) to 365 or greater, or to 0 to keep logs forever.

PowerShell Remediation Steps

  • To create a log profile that retains the activity log for 365 days or longer, follow the instructions in the Azure documentation. The cmdlet takes the following parameters:

Add-AzLogProfile -Name <String>
                 -StorageAccountId <String>
                 -ServiceBusRuleId <String>
                 -Location <String[]>
                 -RetentionInDays <Int32>
                 -Category <String[]>
  • For example:

Add-AzLogProfile -Name my_log_profile -StorageAccountId /subscriptions/s1/resourceGroups/myrg1/providers/Microsoft.Storage/storageAccounts/my_storage -ServiceBusRuleId /subscriptions/s1/resourceGroups/Default-ServiceBus-EastUS/providers/Microsoft.ServiceBus/namespaces/mytestSB/authorizationrules/RootManageSharedAccessKey -Location global,westus,eastus -RetentionInDays 365 -Category Write,Delete,Action

To use the Azure CLI, follow the instructions here.

Azure Resource Manager

  • Ensure that a Microsoft.Insights/logprofiles resource contains the following, where days is set to 365 or greater, or set to 0 for indefinite retention:

{
  "properties": {
    "retentionPolicy": {
      "days": 365,
      "enabled": true
    }
  }
}

Example Configuration

The resource below shows only the retention policy; the other required fields of the log profile resource are omitted. (JSON does not allow comments, so the omission is noted here rather than inside the resource body.)

{
  "type": "Microsoft.Insights/logprofiles",
  "apiVersion": "2016-03-01",
  "properties": {
    "retentionPolicy": {
      "days": 365,
      "enabled": true
    }
  }
}
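The retention rule above can be checked automatically before a template is deployed. The following Python script is an added example, not code from this page or from any Azure or policy tool: it walks the "resources" array of an ARM template, finds every Microsoft.Insights/logprofiles resource, and reports those whose retentionPolicy is missing, disabled, not a literal integer, or set to a value between 1 and 364 days. The sample template embedded at the bottom is constructed for the example; the function names evaluate_retention and find_noncompliant_log_profiles are the author's own.

```python
"""Check Microsoft.Insights/logprofiles resources in an ARM template against the
retention rule on this page: retentionPolicy.enabled must be true and
retentionPolicy.days must be 365 or greater, or 0 (indefinite retention).
Added example; not part of the original page."""
import json

MIN_RETENTION_DAYS = 365
LOG_PROFILE_TYPE = "microsoft.insights/logprofiles"  # compared case-insensitively


def evaluate_retention(resource: dict) -> tuple[bool, str]:
    """Return (compliant, reason) for a single log profile resource dict."""
    policy = resource.get("properties", {}).get("retentionPolicy")
    if not isinstance(policy, dict):
        return False, "retentionPolicy is missing"
    if policy.get("enabled") is not True:
        return False, "retentionPolicy.enabled is not true"
    days = policy.get("days")
    # ARM expressions such as "[parameters('retentionDays')]" cannot be
    # resolved statically, so they are reported for manual review rather
    # than silently passed. bool is excluded because it is a subclass of int.
    if isinstance(days, bool) or not isinstance(days, int):
        return False, f"retentionPolicy.days is not a literal integer: {days!r}"
    if days == 0:
        return True, "days is 0 (indefinite retention)"
    if days >= MIN_RETENTION_DAYS:
        return True, f"days is {days}"
    return False, f"days is {days}, below {MIN_RETENTION_DAYS}"


def find_noncompliant_log_profiles(template: dict) -> list[tuple[str, str]]:
    """Return (resource name, reason) for every failing log profile in the template."""
    findings = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != LOG_PROFILE_TYPE:
            continue  # ignore resources of other types
        ok, reason = evaluate_retention(res)
        if not ok:
            findings.append((res.get("name", "<unnamed>"), reason))
    return findings


# Constructed sample template (not from the page): four log profiles with
# different retention settings plus one unrelated resource.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Insights/logprofiles", "apiVersion": "2016-03-01", "name": "keep-one-year",
     "properties": {"retentionPolicy": {"days": 365, "enabled": true}}},
    {"type": "Microsoft.Insights/logprofiles", "apiVersion": "2016-03-01", "name": "keep-forever",
     "properties": {"retentionPolicy": {"days": 0, "enabled": true}}},
    {"type": "Microsoft.Insights/logprofiles", "apiVersion": "2016-03-01", "name": "keep-90-days",
     "properties": {"retentionPolicy": {"days": 90, "enabled": true}}},
    {"type": "Microsoft.Insights/logprofiles", "apiVersion": "2016-03-01", "name": "policy-disabled",
     "properties": {"retentionPolicy": {"days": 365, "enabled": false}}},
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-09-01", "name": "unrelated"}
  ]
}
""")

if __name__ == "__main__":
    for name, reason in find_noncompliant_log_profiles(SAMPLE_TEMPLATE):
        print(f"NON-COMPLIANT {name}: {reason}")
```

Run against the sample, the script flags keep-90-days and policy-disabled and accepts both the 365-day and the 0-day (indefinite) profiles, matching the rule stated in the Azure Resource Manager section. To check a real template, replace SAMPLE_TEMPLATE with json.load() of the template file.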