Activity Log Retention Should Not Be Set To Less Than 365 Days

A Log Profile controls how your Activity Log is exported and retained. Since the average time to detect a breach is over 200 days, it is recommended to retain your activity log for 365 days or more in order to have time to respond to any incidents.

Policy Details

Policy Subtype: Run, Build
Severity: Medium
Template Type: Terraform

Build Rules

Activity Log Retention should not be set to less than 365 days.
JSON Query:
$.resource.*.azurerm_monitor_log_profile size greater than 0 and ( $.resource.*.azurerm_monitor_log_profile[*].*[*].retention_policy size equals 0 or $.resource.*.azurerm_monitor_log_profile[*].*[*].retention_policy[*].enabled anyFalse or $.resource.*.azurerm_monitor_log_profile[*].*[*].retention_policy[?(@.days<365)] size greater than 0 )
Recommendation:
Set Activity Log Retention to 365 days or more.
Activity Log Retention should not be less than 365 days. Make sure your template sets "days" under "retention_policy" to 365 or greater, with "enabled" set to true.
For example:
"azurerm_monitor_log_profile": [ { "<monitor_log_profile_name>": [ { "name": "default", "retention_policy": [ { "days": 367, "enabled": true } ] } ] } ]
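To make the build rule concrete, the following is an added Python check (not Prisma Cloud's own code) that applies the query's three failure conditions to the JSON form of a Terraform template shown above; the resource layout is inferred from the query and the example, and the profile names and templates are constructed.

```python
import json

MIN_RETENTION_DAYS = 365  # the threshold the page's build rule enforces


def find_noncompliant_log_profiles(template: dict) -> list[str]:
    """Return one finding per azurerm_monitor_log_profile that violates the rule.

    Mirrors the three failure conditions of the page's JSON query: the
    retention_policy block is absent, retention_policy.enabled is false,
    or retention_policy.days is below 365.  A missing 'enabled' key is
    treated as disabled, which is stricter than the query's anyFalse.
    """
    findings = []
    blocks = template.get("resource", [])
    if isinstance(blocks, dict):  # tolerate the non-list form as well
        blocks = [blocks]
    for block in blocks:
        for profile in block.get("azurerm_monitor_log_profile", []):
            for name, instances in profile.items():
                for attrs in instances:
                    policies = attrs.get("retention_policy", [])
                    if not policies:
                        findings.append(f"{name}: no retention_policy block")
                        continue
                    for policy in policies:
                        if policy.get("enabled") is not True:
                            findings.append(f"{name}: retention_policy is not enabled")
                        elif policy.get("days", 0) < MIN_RETENTION_DAYS:
                            findings.append(
                                f"{name}: retention of {policy['days']} days is below {MIN_RETENTION_DAYS}")
    return findings


# Constructed sample templates (hypothetical profile names) in the JSON layout
# the page's example uses: resource -> [{type: [{name: [{attrs}]}]}]
COMPLIANT_TEMPLATE = {"resource": [{"azurerm_monitor_log_profile": [
    {"default": [{"name": "default",
                  "retention_policy": [{"days": 367, "enabled": True}]}]}]}]}

NONCOMPLIANT_TEMPLATE = {"resource": [{"azurerm_monitor_log_profile": [
    {"missing": [{"name": "missing"}]},
    {"disabled": [{"name": "disabled",
                   "retention_policy": [{"days": 400, "enabled": False}]}]},
    {"short": [{"name": "short",
                "retention_policy": [{"days": 90, "enabled": True}]}]}]}]}

if __name__ == "__main__":
    for label, tpl in (("compliant", COMPLIANT_TEMPLATE), ("noncompliant", NONCOMPLIANT_TEMPLATE)):
        print(label, json.dumps(find_noncompliant_log_profiles(tpl), indent=2))
```

Like the page's query, this check flags a "days" value of 0, even though Azure treats 0 in a log profile retention policy as indefinite retention; review such profiles rather than lowering the threshold.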

Run Rule Recommendation

If no activity log profile exists, follow the steps below:
  1. Log in to the Azure Portal.
  2. Navigate to the Monitor dashboard.
  3. Click on Activity log.
  4. Click on 'Diagnostics Settings'.
  5. Click on 'Looking for the legacy experience? Click here to launch the Export activity log blade'.
  6. Set 'Retention (days)' to '365' and the other parameters as required.
  7. Click on 'Save'.
If a log profile already exists, its retention days cannot be updated through the console. Use the following CLI command to update the log profile:
az monitor log-profiles update --name ${resourceName} --set retentionPolicy.days=365 retentionPolicy.enabled=true location=global
Remediation CLI Command:
az monitor log-profiles update --name ${resourceName} --set retentionPolicy.days=365 retentionPolicy.enabled=true location=global
CLI Command Description:
This CLI command requires the 'Microsoft.Insights/LogProfiles/[Read, Write, Delete]' permissions. Successful execution updates the Azure Monitor log profile's retention policy to 365 days with retention enabled.

Compliance

There are 11 standards that are applicable to this policy:
  • HIPAA
  • NIST CSF
  • CSA CCM v3.0.1
  • CIS v1.1 (Azure)
  • ISO 27001:2013
  • PIPEDA
  • NIST 800-53 Rev4
  • SOC 2
  • HITRUST CSF v9.3
  • PCI DSS v3.2
  • CCPA 2018
