CloudSploit

AZURE / Monitor / Log Profile Archive Data

Quick Info

| Field | Value |
| --- | --- |
| Plugin Title | Log Profile Archive Data |
| Cloud | AZURE |
| Category | Monitor |
| Description | Ensures the Log Profile is configured to export all activities from the control and management planes in all active locations |
| More Info | Exporting log activity for control plane activity allows for audited access to the Azure account with event data in the case of a security incident. |
| AZURE Link | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/archive-activity-log |
| Recommended Action | Ensure that all activity is logged to the Event Hub or storage account for archiving. |

Detailed Remediation Steps

  1. Log in to the Microsoft Azure Management Console.
  2. Select the "Search resources, services, and docs" option at the top and search for "Log Analytics Workspaces".
  3. On the "Log Analytics Workspaces" page select the resource and click on its Name to reach its configuration page.
  4. On the "Log Analytics Workspaces - resource" page, scroll down the left navigation panel and choose "Activity Log".
  5. Click on "Export Activity Logs" at the top of the "Activity Log" page to check whether the "Log Profile" is configured.
  6. On the "Export Activity Logs" page, if no Diagnostic settings are defined, then the Log Profile is not configured to export all activities from the control and management planes in all active locations.
  7. To ensure that all activity is logged to the Event Hub or storage account for archiving, on the "Export Activity Logs" page, click on the "Add diagnostic setting".
  8. Under the "Diagnostics Setting" page, enter the "Diagnostic setting name" and under "Destination details", click the checkbox for "Send to Log Analytics workspace", select a "Subscription" and an existing "Log Analytics workspace".
  9. Next, select the checkbox next to "Archive to a storage account" and select the "Subscription" and "Storage account" from the respective dropdowns.
  10. Choose the categories under "logs" accordingly.
  11. Click on the "Save" button at the top to make the necessary changes.
  12. Repeat steps 5 - 11 to ensure that all activity is logged to the Event Hub or storage account for archiving.
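
The check in steps 5 - 11 can also be scripted against the subscription's diagnostic settings as JSON. The following is an added example, not CloudSploit's plugin code: the function names, the sample setting, and the `REQUIRED_CATEGORIES` list are assumptions to adjust to your own logging policy.

```javascript
// Added example: audit subscription-level Activity Log diagnostic settings.
// Assumption: REQUIRED_CATEGORIES reflects your policy; the page only says "accordingly".
const REQUIRED_CATEGORIES = ['Administrative', 'Security', 'Alert', 'Policy'];

// Destinations configured on one diagnostic setting.
function destinations(setting) {
  const p = setting.properties || setting; // ARM nests fields under "properties"; some tools flatten
  const found = [];
  if (p.storageAccountId) found.push('storage account');
  if (p.eventHubAuthorizationRuleId) found.push('event hub');
  if (p.workspaceId) found.push('log analytics workspace');
  return found;
}

// Log categories that are actually enabled on one diagnostic setting.
function enabledCategories(setting) {
  const p = setting.properties || setting;
  return new Set((p.logs || []).filter(l => l.enabled === true).map(l => l.category));
}

// PASS only if every required category is enabled on a setting that has a destination.
function auditActivityLogExport(settings, required = REQUIRED_CATEGORIES) {
  if (!Array.isArray(settings) || settings.length === 0) {
    return { status: 'FAIL', message: 'No diagnostic settings are defined', missing: [...required] };
  }
  const covered = new Set();
  for (const s of settings) {
    if (destinations(s).length === 0) continue; // nothing is exported without a destination
    for (const c of enabledCategories(s)) covered.add(c);
  }
  const missing = required.filter(c => !covered.has(c));
  return missing.length === 0
    ? { status: 'PASS', message: 'All required categories are exported', missing }
    : { status: 'FAIL', message: `Categories not exported: ${missing.join(', ')}`, missing };
}

// Constructed sample: one setting archiving to a storage account with "Alert" left disabled.
const sampleSettings = [{
  name: 'example-activity-export',
  properties: {
    storageAccountId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Storage/storageAccounts/examplearchive',
    logs: [
      { category: 'Administrative', enabled: true }, { category: 'Security', enabled: true },
      { category: 'Alert', enabled: false }, { category: 'Policy', enabled: true },
    ],
  },
}];
console.log(auditActivityLogExport(sampleSettings)); // FAIL, missing: Alert
```

The input shape follows the `Microsoft.Insights/diagnosticSettings` resource; run the check once per subscription.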