Severity: MEDIUM
Source: Trivy/CSPM
CSPM ID: log-profile-retention-policy
ID: AVD-AZU-0031

Ensure the activity retention log is set to at least a year

The average time to detect a breach is up to 210 days. To ensure that all the information required for an effective investigation is available, the retention period should allow for a delayed start to the investigation.

Impact

Short-lived activity logs can lead to missing records when investigating a breach.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the Microsoft Azure Management Console.

  2. Select the “Search resources, services, and docs” option at the top and search for Monitor.

  3. Scroll down the left navigation panel and choose the “Activity Log” option on the “Monitor” page.

  4. On the “Monitor - Activity log” page, click on “Export Activity Logs”.

  5. On the “Diagnostics settings” page, select the diagnostic setting for which the “Retention policy” needs to be verified and click on the “Edit setting” option.

  6. On the “Diagnostics settings” page, select the “Storage account” option and check the “retention policy”. If the log “retention policy” is less than 365 days, it does not meet the Azure recommendation.

  7. Repeat steps 2 - 6 to verify the “Log Profile Retention Policy” in other Azure accounts.

  8. Navigate to “Monitor” and click on “Activity Log” on the “Monitor” page, click on “Export Activity Logs” and select the “Diagnostic Setting” on which the “Log Profile Retention Policy” needs to be set to at least 365 days.

  9. Click on the “Edit Setting” option next to the “Diagnostic setting”.

  10. Click on “Storage Account”, select the “Region”, set “Retention (days)” to 365 and save the changes.

  11. Repeat steps 8 - 10 to ensure that every Activity Log export is configured with a retention policy of at least 365 days.
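The same rule the portal steps verify by hand (retention enabled and at least 365 days), applied to exported log-profile data, as an added example that is not part of this AVD page or of Trivy's own check. It assumes JSON in the shape returned by `az monitor log-profiles list`, reduced to the fields the check needs, with a constructed sample embedded inline.

```python
import json

MIN_RETENTION_DAYS = 365

# Constructed sample in the shape of `az monitor log-profiles list -o json`,
# trimmed to the fields the check needs. Not real tenant data.
SAMPLE_LOG_PROFILES = json.loads("""
[
  {"name": "default",        "retentionPolicy": {"enabled": true,  "days": 90}},
  {"name": "audit-longterm", "retentionPolicy": {"enabled": true,  "days": 365}},
  {"name": "no-retention",   "retentionPolicy": {"enabled": false, "days": 400}},
  {"name": "indefinite",     "retentionPolicy": {"enabled": true,  "days": 0}}
]
""")


def evaluate_log_profile(profile: dict, min_days: int = MIN_RETENTION_DAYS) -> tuple:
    """Return (status, reason) for one log profile, mirroring AVD-AZU-0031."""
    policy = profile.get("retentionPolicy") or {}
    enabled = bool(policy.get("enabled", False))
    days = int(policy.get("days", 0))
    if not enabled:
        # Disabled policy: the 'days' value is ignored by Azure, so it fails regardless.
        return "FAIL", "retention policy is disabled"
    if days == 0:
        # Azure uses days = 0 with the policy enabled to mean 'keep indefinitely'.
        # The rule on this page is 'at least 365 days', so surface it for a human
        # to confirm rather than silently passing or failing it.
        return "REVIEW", "retention enabled with days = 0 (indefinite); confirm intent"
    if days < min_days:
        return "FAIL", f"retention is {days} days, below the {min_days}-day minimum"
    return "PASS", f"retention is {days} days"


def find_noncompliant(profiles, min_days: int = MIN_RETENTION_DAYS) -> list:
    """Names of profiles that do not clearly meet the minimum retention."""
    return [p["name"] for p in profiles if evaluate_log_profile(p, min_days)[0] != "PASS"]


if __name__ == "__main__":
    for p in SAMPLE_LOG_PROFILES:
        status, reason = evaluate_log_profile(p)
        print(f"{status:6} {p['name']}: {reason}")
```

Pipe real `az monitor log-profiles list -o json` output into `json.load` in place of the sample to run it against a subscription.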

Set a retention period that will allow for delayed investigation

```hcl
resource "azurerm_monitor_log_profile" "good_example" {
  name = "good_example"

  # Retention must be enabled and kept for at least 365 days
  retention_policy {
    enabled = true
    days    = 365
  }
}
```