log-profile-archive-data.md

CloudSploit

AZURE / Monitor / Log Profile Archive Data

Quick Info

| Field | Value |
| --- | --- |
| Plugin Title | Log Profile Archive Data |
| Cloud | AZURE |
| Category | Monitor |
| Description | Ensures the Log Profile is configured to export all activities from the control and management planes in all active locations |
| More Info | Exporting log activity for control plane activity allows for audited access to the Azure account with event data in the case of a security incident. |
| AZURE Link | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/archive-activity-log |
| Recommended Action | Ensure that all activity is logged to the Event Hub or storage account for archiving. |

Detailed Remediation Steps

  1. Log into the Microsoft Azure Management Console.
  2. Select the "Search resources, services, and docs" box at the top and search for "Log Analytics workspaces".
  3. On the "Log Analytics workspaces" page, select the resource to check.
  4. On the "Log Analytics workspaces - resource" page, scroll down the left navigation panel and choose "Activity Log".
  5. Click "Export to Event Hub" at the top of the "Activity Log" page to check whether the "Log Profile" is configured.
  6. On the "Export to Event Hub" page, if no diagnostic settings are defined, the Log Profile is not configured to export all activities from the control and management planes in all active locations.
  7. Repeat steps 2 - 6 to verify the "Log Profiles" of other Azure accounts.
  8. Navigate to "Log Analytics Workspaces", select the resource, choose "Activity Log" from the left navigation panel and click "Export to Event Hub".
  9. On the "Export to Event Hub" page, click "Add diagnostic setting".
  10. On the "Diagnostics Setting" page, enter a Name, select the checkbox next to the "Archive to a storage account" option and click "Configure" under "Storage account".
  11. On the "Storage account" page, select the "Subscription" and "Storage account" from the respective dropdowns and click "OK" at the bottom of the page.
  12. On the "Diagnostics Settings" page, enter a Name, select the checkbox for "Send to Log Analytics", select an existing Log Analytics workspace or create a new one, and select the log types to export.
  13. Click the "Save" button at the top to apply the changes.
  14. Repeat steps 8 - 13 to ensure that all activity is logged to the Event Hub or storage account for archiving.
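The portal steps above verify one subscription by hand. The following is an added example, not CloudSploit's plugin code, showing the same evaluation applied to a subscription's log profile as the Azure CLI returns it from `az monitor log-profiles list` (fields `storageAccountId`, `serviceBusRuleId`, `categories`, `locations`). The sample profiles and the list of active locations are constructed for this example; in practice the active locations would come from the subscription itself. A profile passes only when it has an archive destination (storage account or Event Hub), captures the `Write`, `Delete` and `Action` control-plane categories, and covers `global` plus every active location.

```javascript
// Added illustrative check (not CloudSploit's own plugin): evaluate a
// subscription's activity-log profile against the Log Profile Archive Data
// expectations. Input shape follows `az monitor log-profiles list` output.

// Control-plane categories a log profile must capture.
const REQUIRED_CATEGORIES = ['Write', 'Delete', 'Action'];

// Evaluate one log profile. Returns { status: 'PASS' | 'FAIL', reasons: [...] }.
function checkLogProfile(profile, activeLocations) {
  const reasons = [];
  const categories = new Set((profile.categories || []).map((c) => c.toLowerCase()));
  const locations = new Set((profile.locations || []).map((l) => l.toLowerCase()));

  // 1. There must be an archive destination: storage account or Event Hub
  //    (Event Hub export is expressed as a service bus rule id).
  if (!profile.storageAccountId && !profile.serviceBusRuleId) {
    reasons.push('no archive destination (storage account or Event Hub) configured');
  }

  // 2. All control-plane categories must be exported.
  const missingCategories = REQUIRED_CATEGORIES.filter((c) => !categories.has(c.toLowerCase()));
  if (missingCategories.length > 0) {
    reasons.push(`missing categories: ${missingCategories.join(', ')}`);
  }

  // 3. 'global' plus every active location must be covered.
  const neededLocations = ['global', ...activeLocations];
  const missingLocations = neededLocations.filter((l) => !locations.has(l.toLowerCase()));
  if (missingLocations.length > 0) {
    reasons.push(`missing locations: ${missingLocations.join(', ')}`);
  }

  return { status: reasons.length > 0 ? 'FAIL' : 'PASS', reasons };
}

// Evaluate every profile in a subscription; no profile at all is a failure.
function checkSubscription(profiles, activeLocations) {
  if (!profiles || profiles.length === 0) {
    return [{ name: null, status: 'FAIL', reasons: ['no log profile defined'] }];
  }
  return profiles.map((p) => ({ name: p.name, ...checkLogProfile(p, activeLocations) }));
}

// Constructed sample data (not from a real subscription).
const ACTIVE_LOCATIONS = ['eastus', 'westeurope'];
const SAMPLE_PROFILES = [
  {
    name: 'default',
    storageAccountId:
      '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stactivitylogarchive',
    serviceBusRuleId: null,
    categories: ['Write', 'Delete', 'Action'],
    locations: ['global', 'eastus', 'westeurope'],
  },
  {
    name: 'partial',
    storageAccountId: null,
    serviceBusRuleId: null,
    categories: ['Write'],
    locations: ['eastus'],
  },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const result of checkSubscription(SAMPLE_PROFILES, ACTIVE_LOCATIONS)) {
    console.log(`${result.name}: ${result.status}`, result.reasons);
  }
}
```

The `partial` profile fails on all three counts (no destination, missing `Delete`/`Action`, missing `global` and `westeurope`), which is exactly the condition step 6 describes; the `default` profile passes.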