Status: Deprecated
Log profiles are the legacy method for sending the activity log to storage or event hubs. If you're using this method, consider transitioning to diagnostic settings, which provide better functionality and consistency with resource logs. To follow audit and remediation steps for exporting logs via diagnostic settings, refer to this rule.
Ensure that the Log Profile created for your Azure cloud activity log is configured to export activities from all supported regions, including global. A Log Profile controls how the activity log is exported and retained within your Microsoft Azure cloud account.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Configuring your account Log Profile to export activity logs from all supported Azure regions ensures that logging data recorded for potentially unexpected activity in otherwise unused regions is stored and available later for incident response, investigations and internal audit. Including the global region in the Log Profile locations ensures that all events from the account control & management console are also exported, as many events in the activity log are global events.
Audit
To determine if your Log Profile is configured to export activity logs from all Azure regions, perform the following actions:
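An added example, not part of the original rule text or of any Azure tooling: a Python check that takes the JSON printed by `az monitor log-profiles list` and `az account list-locations` and reports which locations (including `global`) each log profile does not export. The sample JSON is constructed, and skipping entries whose `metadata.regionType` is not `Physical` is an assumption about the CLI output.

```python
import json


def missing_locations(log_profiles_json: str, locations_json: str) -> dict:
    """Map each log profile name to the sorted locations it does not export."""
    # "global" is required in addition to the regional locations, because
    # many activity log events are global events.
    required = {"global"}
    for loc in json.loads(locations_json):
        # Assumption: entries carrying metadata.regionType other than
        # "Physical" are logical groupings and are skipped.
        region_type = (loc.get("metadata") or {}).get("regionType", "Physical")
        if region_type == "Physical":
            required.add(loc["name"].lower())

    profiles = json.loads(log_profiles_json)
    if not profiles:
        # No log profile at all: nothing is exported from any location.
        return {"<no log profile>": sorted(required)}

    report = {}
    for profile in profiles:
        configured = {name.lower() for name in profile.get("locations") or []}
        report[profile["name"]] = sorted(required - configured)
    return report


# Constructed sample standing in for `az account list-locations` output.
SAMPLE_LOCATIONS = json.dumps([
    {"name": "eastus", "metadata": {"regionType": "Physical"}},
    {"name": "westeurope", "metadata": {"regionType": "Physical"}},
    {"name": "japaneast", "metadata": {"regionType": "Physical"}},
    {"name": "europe", "metadata": {"regionType": "Logical"}},
])

# Constructed sample standing in for `az monitor log-profiles list` output.
SAMPLE_PROFILES = json.dumps([
    {"name": "default", "locations": ["eastus", "WestEurope"]},
])

if __name__ == "__main__":
    result = missing_locations(SAMPLE_PROFILES, SAMPLE_LOCATIONS)
    for profile_name, missing in result.items():
        status = "compliant" if not missing else "missing: " + ", ".join(missing)
        print(f"{profile_name}: {status}")
```

A profile is compliant only when its list comes back empty; any location reported as missing is one whose activity log events are not being exported.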
Remediation / Resolution
Since many events in the Azure activity log are global events, it is highly recommended to include all Azure regions (locations) within the Log Profile configuration. To configure your Azure Log Profile to capture activity logs for all supported regions (including the global region), perform the following actions: