Ensure that Diagnostic Logs are enabled for all the supported Azure resources in order to make sure that the interactions within your cloud resources are logged. With resource-level Diagnostic Logs you can gain insight into the operations that were performed within that resource itself, for example, getting a secret from an Azure Key Vault. To follow security best practices, your Azure subscriptions should log every access request and operation made to your cloud resources. Diagnostic Logs should be sent to a storage account and a Log Analytics Workspace or an equivalent third-party system. The log files should be kept in readily accessible storage for a minimum of one year, and then moved to inexpensive cold storage for a longer duration of time (for security and compliance auditing).
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Ensure that your Azure cloud logging systems are correctly configured to log all relevant activities and retain the logs for a sufficient length of time. By default, Diagnostic Logs are not enabled for your cloud resources. Without Diagnostic Logs, the visibility into your Azure data plane is greatly reduced and therefore your organization's ability to detect potential attacks, unauthorized requests, or other malicious activity is diminished. For example, without Diagnostic Logs it would be impossible to tell which entities had accessed a data store that was breached. In addition, alerts for failed attempts to access APIs for Azure web and database services are only possible when diagnostic logging is enabled.
Audit
To determine if Diagnostic Logs are enabled for all the supported Azure cloud resources, perform the following operations:
Remediation / Resolution
To enable and configure the Diagnostic Logs feature for the supported Azure cloud resources, perform the following operations:
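As an added example (not part of the Conformity rule page), a Python helper that evaluates the JSON returned by `az monitor diagnostic-settings list --resource <id>` against this rule (at least one enabled log category, delivered to a Log Analytics workspace or equivalent third-party sink and to a storage account) and builds the matching `az monitor diagnostic-settings create` command. The resource IDs and settings are constructed, and the command assumes a CLI version that accepts category groups such as `allLogs` in `--logs`.

```python
import json
import shlex

# Constructed sample of `az monitor diagnostic-settings list --resource <id>` output.
# Newer CLI versions return a bare list; older ones wrap it in {"value": [...]}.
SAMPLE_SETTINGS = json.dumps([
    {"name": "metrics-only", "workspaceId": None, "storageAccountId": None,
     "eventHubAuthorizationRuleId": "/subscriptions/0000/resourceGroups/rg/providers/"
                                    "Microsoft.EventHub/namespaces/ns/authorizationRules/rule",
     "logs": [{"category": "AuditEvent", "enabled": False}],
     "metrics": [{"category": "AllMetrics", "enabled": True}]},
    {"name": "audit-to-law", "storageAccountId": None, "eventHubAuthorizationRuleId": None,
     "workspaceId": "/subscriptions/0000/resourceGroups/rg/providers/"
                    "Microsoft.OperationalInsights/workspaces/sec-law",
     "logs": [{"categoryGroup": "audit", "enabled": True}], "metrics": []},
])


def _settings(raw):
    data = json.loads(raw)
    return data["value"] if isinstance(data, dict) else data


def assess(raw):
    """Credit a sink only for settings that actually have a log category enabled;
    a metrics-only setting gives no visibility into data-plane operations."""
    sinks = {"workspace": False, "storage": False, "event_hub": False}
    logs_enabled = False
    for s in _settings(raw):
        if not any(entry.get("enabled") for entry in s.get("logs") or []):
            continue
        logs_enabled = True
        sinks["workspace"] |= bool(s.get("workspaceId"))
        sinks["storage"] |= bool(s.get("storageAccountId"))
        sinks["event_hub"] |= bool(s.get("eventHubAuthorizationRuleId"))
    gaps = []
    if not logs_enabled:
        gaps.append("no enabled log category")
    else:
        if not (sinks["workspace"] or sinks["event_hub"]):
            gaps.append("logs are not sent to a Log Analytics workspace or third-party sink")
        if not sinks["storage"]:
            gaps.append("logs are not sent to a storage account")
    return {"logs_enabled": logs_enabled, **sinks, "gaps": gaps, "compliant": not gaps}


def remediation_command(resource_id, workspace_id, storage_id, name="conformity-logs"):
    """Shell-quoted `az monitor diagnostic-settings create` call sending all log
    categories to both a workspace and a storage account (assumes allLogs support)."""
    logs = json.dumps([{"categoryGroup": "allLogs", "enabled": True}])
    return shlex.join(["az", "monitor", "diagnostic-settings", "create", "--name", name,
                       "--resource", resource_id, "--workspace", workspace_id,
                       "--storage-account", storage_id, "--logs", logs])
```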