LOW
Source: CloudSploit
ID: log-profile-archive-data

Log Profile Archive Data

Ensures the Log Profile is configured to export all activities from the control and management planes in all active locations.

Exporting control plane activity logs provides an audit trail of access to the Azure account, with event data available in the case of a security incident.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the Microsoft Azure Management Console.

  2. Select the “Search resources, services, and docs” option at the top and search for “Log Analytics Workspaces”.

  3. On the “Log Analytics Workspaces” page select the resource and click on its Name to reach its configuration page.

  4. On the “Log Analytics Workspaces - resource” page, scroll down the left navigation panel and choose “Activity Log”.

  5. Click on “Export Activity Logs” at the top of the “Activity Log” page to ensure the “Log Profile” is configured.

  6. On the “Export Activity Logs” page, if no diagnostic settings are defined, then the Log Profile is not configured to export all activities from the control and management planes in all active locations.

  7. To ensure that all activity is logged to the Event Hub or storage account for archiving, click “Add diagnostic setting” on the “Export Activity Logs” page.

  8. On the “Diagnostics Setting” page, enter the “Diagnostic setting name”. Under “Destination details”, select the checkbox for “Send to Log Analytics workspace”, then select a “Subscription” and an existing “Log Analytics workspace”.

  9. Next, select the checkbox next to “Archive to a storage account” and select the “Subscription” and “Storage account” from the respective dropdowns.

  10. Choose the categories under “logs” accordingly.

  11. Click on the “Save” button at the top to make the necessary changes.

  12. Repeat steps 5 - 11 to ensure that all activity is logged to the Event Hub or storage account for archiving.
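
One way to verify the outcome of the steps above from exported configuration rather than by clicking through the portal. This is an added example, not CloudSploit's own plugin code. It assumes the subscription's diagnostic settings are available as JSON with `logs`, `storageAccountId` and `eventHubAuthorizationRuleId` fields (flat or nested under `properties`), and it assumes that "all activities" means all eight Activity Log categories; the function name and sample data are constructed for illustration.

```python
import json

# Assumption: "all activities" means every Activity Log category is enabled.
REQUIRED = {"Administrative", "Security", "ServiceHealth", "Alert",
            "Recommendation", "Policy", "Autoscale", "ResourceHealth"}
# Step 7 names the storage account and the Event Hub as archive destinations.
ARCHIVE_KEYS = ("storageAccountId", "eventHubAuthorizationRuleId")

def audit_activity_log_export(settings, required=REQUIRED):
    """Return (passed, findings) for one subscription's diagnostic settings."""
    if not settings:
        return False, ["no diagnostic settings defined; Activity Log is not exported"]
    findings = []
    for setting in settings:
        # REST responses nest fields under "properties"; flat input is accepted too.
        props = setting.get("properties", setting)
        name = setting.get("name", "<unnamed>")
        enabled = {log.get("category") for log in props.get("logs", [])
                   if log.get("enabled")}
        missing = sorted(required - enabled)
        archived = any(props.get(key) for key in ARCHIVE_KEYS)
        if archived and not missing:
            return True, []  # one complete setting is enough to pass
        if not archived:
            findings.append(f"{name}: no storage account or Event Hub destination")
        if missing:
            findings.append(f"{name}: categories not exported: {', '.join(missing)}")
    return False, findings

# Constructed sample input (placeholder IDs, not real resources).
SAMPLE = json.loads("""
[
  {"name": "to-workspace-only",
   "workspaceId": "/subscriptions/0000/example/workspaces/ws1",
   "logs": [{"category": "Administrative", "enabled": true},
            {"category": "Security", "enabled": false}]},
  {"name": "archive-partial",
   "properties": {
     "storageAccountId": "/subscriptions/0000/example/storageAccounts/sa1",
     "logs": [{"category": "Administrative", "enabled": true},
              {"category": "Policy", "enabled": true}]}}
]
""")

if __name__ == "__main__":
    passed, findings = audit_activity_log_export(SAMPLE)
    print("PASS" if passed else "FAIL")
    for finding in findings:
        print(" -", finding)
```

A setting that only sends to a Log Analytics workspace is reported here because steps 7 and 12 call for an Event Hub or storage account destination for archiving.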