Monitor log profile should have activity logs for global services and all regions

Description

Configure the log profile to export activity log events from all Azure supported regions/locations, including global. The legacy log profile only exports events for the locations listed in its locations property, and operations on global services (for example subscription-level and role-assignment changes) are recorded with the location global, so any region or global missing from that list leaves a gap in the exported activity log. This rule is evaluated against all resource locations that Fugue has permission to scan.

Remediation Steps

Azure Portal

  • Note this rule applies to the legacy experience for Azure Activity log.

  • Navigate to Activity log.

  • Select Diagnostics setting.

  • Click the Looking for the legacy experience? Click here link to open the Export activity log blade.

  • From the Regions drop-down, check Select all.

  • Click Save.

Azure CLI

  • To enable activity logs for global services and all regions, set the profile's locations list to global plus every region that holds resources. The update command takes the generic --set argument; the region names below are placeholders:

az monitor log-profiles update --name default --set locations='["global","eastus","westus"]'
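The command above only fixes the profile; it does not tell you which regions are currently uncovered. The following Python is an added example, not part of the original page or of Fugue's tooling: it takes the JSON that `az monitor log-profiles show -o json` and `az resource list --query "[].location" -o json` would return (both samples here are constructed inline), computes the locations the profile is missing (global is always required), and builds the matching `--set locations=...` update command.

```python
"""Find the locations an Azure Monitor legacy log profile fails to cover.

A log profile exports activity log events only for the locations it lists,
so the required set is 'global' plus every region that holds a resource.
"""
import json

# Constructed sample in the shape of:
#   az monitor log-profiles show --name default -o json
# Only the field used here is included; this is not real subscription data.
SAMPLE_LOG_PROFILE = json.dumps({
    "name": "default",
    "locations": ["eastus", "westus"],
})

# Constructed sample in the shape of:
#   az resource list --query "[].location" -o json
# Duplicates are normal (one entry per resource); 'global' appears for
# resources such as DNS zones that are not tied to a region.
SAMPLE_RESOURCE_LOCATIONS = json.dumps(
    ["eastus", "westus", "westeurope", "westeurope", "global"]
)


def normalize(location: str) -> str:
    """Map display names such as 'West Europe' to the 'westeurope' form
    that log profile locations use, so comparisons do not produce false gaps."""
    return location.replace(" ", "").lower()


def missing_locations(log_profile_json: str, resource_locations_json: str) -> list:
    """Return, sorted, every location the profile must list but does not."""
    profile = json.loads(log_profile_json)
    covered = {normalize(loc) for loc in profile.get("locations", [])}
    in_use = {normalize(loc) for loc in json.loads(resource_locations_json)}
    required = in_use | {"global"}          # global is mandatory regardless
    return sorted(required - covered)


def az_set_locations_command(profile_name: str, log_profile_json: str,
                             resource_locations_json: str) -> str:
    """Build the az command that replaces the profile's locations with the
    union of what it already covers and what is missing (generic --set)."""
    profile = json.loads(log_profile_json)
    covered = {normalize(loc) for loc in profile.get("locations", [])}
    wanted = sorted(covered | set(missing_locations(log_profile_json,
                                                    resource_locations_json)))
    return ("az monitor log-profiles update --name %s --set locations='%s'"
            % (profile_name, json.dumps(wanted)))


if __name__ == "__main__":
    gaps = missing_locations(SAMPLE_LOG_PROFILE, SAMPLE_RESOURCE_LOCATIONS)
    print("missing locations:", gaps)
    print(az_set_locations_command("default", SAMPLE_LOG_PROFILE,
                                   SAMPLE_RESOURCE_LOCATIONS))
```

Against live data, feed the two `az` outputs into `missing_locations`; an empty list means the profile satisfies this rule for the resources that currently exist. Because the check is driven by the regions actually in use, it needs to be rerun (or wired into CI) whenever resources are deployed to a new region.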

Azure Resource Manager

  • Ensure that a Microsoft.Insights/logprofiles resource contains the following, where locations includes global and the regions of all declared resources:

{
  "properties": {
    "locations": [
      "global"
    ]
  }
}

Example Configuration

Region names below are placeholders; list every region that holds resources, plus global.

{
  "type": "Microsoft.Insights/logprofiles",
  "apiVersion": "2016-03-01",
  "name": "default",
  "location": "global",
  "properties": {
    "locations": [
      "global",
      "eastus",
      "westus"
    ]
  }
}

Terraform

  • Ensure that an azurerm_monitor_log_profile contains the following:

    • locations = [<list of every Azure region storing resources and “global”>]

Example Configuration

resource "azurerm_monitor_log_profile" "example" {
  name = "default"

  # Activity log events are exported only for the locations listed here, so
  # include "global" and every region that holds Azure resources.
  locations = [
      "centralus",
      "eastus",
      "northcentralus",
      "southcentralus",
      "westus",
      "francecentral",
      "germanynorth",
      "swedencentral",
      "global",
      # All regions containing Azure resources
  ]

  categories = ["Write", "Delete", "Action"]

  # A destination is required (storage_account_id or servicebus_rule_id); the
  # storage account resource is assumed to be declared elsewhere in the config.
  storage_account_id = azurerm_storage_account.example.id

  retention_policy {
    enabled = true
    days    = 365 # adjust to your retention requirement
  }
}