Monitor ‘Activity Log Retention’ should be 365 days or greater¶
Description¶
A log profile controls where the activity log is exported (a storage account or an event hub) and how long the exported copy is kept. The platform itself keeps the activity log for only 90 days, so the exported copy is what an investigation will have to work from. Since the average time to detect a breach is commonly cited as around 210 days, retain the exported activity log for 365 days or more (or indefinitely) so that the records covering an intrusion still exist by the time the incident is investigated.
Portal Remediation Steps¶
Note that log profiles are now a legacy method for sending the activity log to Azure storage or event hubs.
Navigate to Monitoring > Activity Log.
Click Diagnostic settings and select “Looking for the legacy experience? Click here to launch the ‘Export activity log’ blade.”
Select the subscription.
Set the Retention (days) to 365 or greater, or to 0 to keep logs forever.
PowerShell Remediation Steps¶
To create a log profile whose retention is 365 days or greater, use Add-AzLogProfile as described in the Azure documentation. The relevant parameters are:

```powershell
Add-AzLogProfile -Name
                 -StorageAccountId
                 -ServiceBusRuleId
                 -Location
                 -RetentionInDays
                 -Category
```

For example (the subscription ID, resource group, storage account and Service Bus names are placeholders to substitute with your own):

```powershell
Add-AzLogProfile -Name my_log_profile `
  -StorageAccountId /subscriptions/s1/resourceGroups/myrg1/providers/Microsoft.Storage/storageAccounts/my_storage `
  -ServiceBusRuleId /subscriptions/s1/resourceGroups/Default-ServiceBus-EastUS/providers/Microsoft.ServiceBus/namespaces/mytestSB/authorizationrules/RootManageSharedAccessKey `
  -Location global,westus,eastus `
  -RetentionInDays 365 `
  -Category Write,Delete,Action
```

The Azure CLI equivalent is az monitor log-profiles create, which takes the same values; the retention policy is set with --days 365 --enabled true. See the Azure CLI reference for the remaining parameters.
Azure Resource Manager¶
Ensure that a Microsoft.Insights/logprofiles resource contains the following, where days is set to 365 or greater, or set to 0 for indefinite retention:

```json
{
  "properties": {
    "retentionPolicy": {
      "days": 365,
      "enabled": true
    }
  }
}
```
Example Configuration¶

```json
{
  "type": "Microsoft.Insights/logprofiles",
  "apiVersion": "2016-03-01",
  "properties": {
    "retentionPolicy": {
      "days": 365,
      "enabled": true
    }
  }
}
```

The remaining required fields (the resource name and location, and the properties that correspond to the PowerShell parameters above: the locations and categories to collect and the storage account or Service Bus rule to export to) are omitted from this fragment; only the retention policy is shown.
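To verify the resulting state across a subscription, the check below evaluates the JSON that az monitor log-profiles list (or Get-AzLogProfile piped through ConvertTo-Json) returns and flags every profile whose retention policy does not meet the rule above. This is an added example, not code from the original page or from Microsoft; the profile data is constructed inline so the check runs offline, and the field names (retentionPolicy.days, retentionPolicy.enabled) follow the schema shown in the ARM section.

```python
"""Audit Azure log profiles for activity log retention of 365 days or more.

Added example, not part of the original page. The sample profiles below are
constructed to resemble `az monitor log-profiles list` output; in practice
pipe the real output into audit_log_profiles().
"""
import json
import sys

MIN_DAYS = 365

# Constructed sample: four profiles covering the cases the rule distinguishes.
SAMPLE_PROFILES_JSON = json.dumps([
    {"name": "compliant-365", "retentionPolicy": {"days": 365, "enabled": True}},
    {"name": "keep-forever", "retentionPolicy": {"days": 0, "enabled": True}},
    {"name": "too-short", "retentionPolicy": {"days": 90, "enabled": True}},
    {"name": "policy-disabled", "retentionPolicy": {"days": 365, "enabled": False}},
])


def evaluate_retention(policy):
    """Return (compliant, reason) for one retentionPolicy object.

    Compliant when enabled is true and days is >= 365, or days is 0
    (retained indefinitely), matching the configuration the page describes.
    A disabled policy, a missing policy, or a non-integer days value is
    reported as non-compliant so a reviewer confirms the intent explicitly.
    """
    if not isinstance(policy, dict):
        return False, "no retentionPolicy on profile"
    enabled = policy.get("enabled")
    days = policy.get("days")
    if enabled is not True:
        return False, "retention policy not enabled"
    # bool is a subclass of int in Python; exclude it explicitly.
    if not isinstance(days, int) or isinstance(days, bool):
        return False, "days missing or not an integer"
    if days == 0:
        return True, "retained indefinitely (days = 0)"
    if days >= MIN_DAYS:
        return True, f"retained {days} days"
    return False, f"retained only {days} days (< {MIN_DAYS})"


def audit_log_profiles(profiles_json):
    """Evaluate every profile in a JSON array; returns a list of findings."""
    profiles = json.loads(profiles_json)
    findings = []
    for profile in profiles:
        compliant, reason = evaluate_retention(profile.get("retentionPolicy"))
        findings.append({
            "name": profile.get("name", "<unnamed>"),
            "compliant": compliant,
            "reason": reason,
        })
    return findings


def main():
    # Read real output from stdin if provided, otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    findings = audit_log_profiles(data or SAMPLE_PROFILES_JSON)
    for f in findings:
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{status} {f['name']}: {f['reason']}")
    return 0 if all(f["compliant"] for f in findings) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as az monitor log-profiles list | python audit_log_profiles.py; a non-zero exit code means at least one profile fails the rule, which makes the check easy to drop into a pipeline. Note that this only checks the profile's own retention policy: a lifecycle management rule on the destination storage account can still delete the exported blobs earlier, so review that separately.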