Plugin Title | Log Profile Retention Policy |
Cloud | AZURE |
Category | Monitor |
Description | Ensures that Log Profiles have a long retention policy. |
More Info | Log retention policies should be configured with sufficient retention to aid in investigation of prior security incidents and for compliance purposes. |
AZURE Link | https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile |
Recommended Action | Ensure that the Activity Log export to Event Hub is configured with a retention policy of at least 365 days. |
- Log into the Microsoft Azure Management Console.
- Select the "Search resources, services, and docs" option at the top and search for Monitor.
- Scroll down the left navigation panel and choose "Activity Log" option in the "Monitor" page.
- On the "Monitor - Activity log" click on the "Export Activity Logs".
- On the "Diagnostics settings" page select the diagnostic setting for which "Retention policy" needs to be verified and click on "Edit setting" option.
- On the "Diagnostics settings" page select the "Storage account" option and check the "retention policy".If log "retention policy" is less than 365 days then it's not as per the Azure Recommendations.
- Repeat steps number 2 - 6 to verify other Azure accounts for "Log Profile Retention Policy".
- Navigate to "Monitor" and click on the "Activity Log" under "Monitor page", click on the "Export Activity Logs" and select the "Diagnostic Setting" on which "Log Profile Retention Policy" needs to be set to at least 365 days.
- Click on the "Edit Setting" option next to the "Diagnostic setting".
- Click on the "Storage Account", select the "Region" and enter the "Retention(days)" to 365 and save the changes.
- Repeat steps number 8 - 10 to ensure that the Activity Log Export Activity Logs is configured with a retention policy of at least 365 days.