Activity log retention is set to less than 365 days
Description
A log profile controls how the activity log is exported and retained. Since the average time to detect a breach is 210 days, the activity log should be retained for 365 days or more, providing time to respond to any incidents.
We recommend you set activity log retention for 365 days or greater.
Fix - Runtime
Azure Portal
To change the policy using the Azure Portal, follow these steps:
- Log in to the Azure Portal at https://portal.azure.com.
- Navigate to the Activity log.
- Select Export.
- Set Retention (days) to 365 or greater, or to 0 to retain the logs indefinitely.
- Click Save.
CLI Command
To set Activity log Retention (days) to 365 or greater, use the following command:
az monitor log-profiles update \
  --name <logProfileName> \
  --set retentionPolicy.days=<number of days> retentionPolicy.enabled=true
To store logs forever (indefinitely), use the following command:
az monitor log-profiles update \
  --name <logProfileName> \
  --set retentionPolicy.days=0 retentionPolicy.enabled=false
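To verify the runtime fix across all log profiles in a subscription, the JSON that `az monitor log-profiles list -o json` returns can be evaluated against the rule above. The following is an added example (not part of this policy page or the az CLI); the sample input is constructed, and it assumes that a disabled retention policy or `days` of 0 means events are kept indefinitely, as the "forever" command above implies.

```python
import json

MIN_RETENTION_DAYS = 365  # threshold stated by the policy text above

# Constructed sample shaped like `az monitor log-profiles list -o json`
# output; only the fields this check reads are included.
SAMPLE_PROFILES_JSON = """
[
  {"name": "default", "retentionPolicy": {"enabled": true,  "days": 90}},
  {"name": "audit",   "retentionPolicy": {"enabled": true,  "days": 365}},
  {"name": "archive", "retentionPolicy": {"enabled": false, "days": 0}},
  {"name": "legacy",  "retentionPolicy": {"enabled": true,  "days": 0}},
  {"name": "broken",  "retentionPolicy": null}
]
"""


def retention_is_compliant(policy):
    """Return True when the policy keeps activity logs for at least
    MIN_RETENTION_DAYS or indefinitely.

    Assumption (not stated on the page): a disabled policy, or days == 0,
    means exported events are never deleted, i.e. retained forever, which
    matches the page's "forever" CLI command (days=0, enabled=false).
    A profile with no retention policy at all is flagged for review.
    """
    if not policy:
        return False
    enabled = bool(policy.get("enabled", False))
    days = int(policy.get("days", 0))
    if not enabled or days == 0:
        return True
    return days >= MIN_RETENTION_DAYS


def find_noncompliant_profiles(profiles_json):
    """Return names of log profiles whose retention is shorter than the
    policy requires, in input order."""
    findings = []
    for profile in json.loads(profiles_json):
        if not retention_is_compliant(profile.get("retentionPolicy")):
            findings.append(profile["name"])
    return findings


if __name__ == "__main__":
    for name in find_noncompliant_profiles(SAMPLE_PROFILES_JSON):
        print(f"{name}: activity log retention is set to less than "
              f"{MIN_RETENTION_DAYS} days (or is not configured)")
```

Pipe real output in with `az monitor log-profiles list -o json > profiles.json` and pass the file contents to `find_noncompliant_profiles` to get the list of profiles that still need the fix.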
Fix - Buildtime
Terraform
- Resource: azurerm_monitor_log_profile
- Argument: retention_policy
Option 1
resource "azurerm_monitor_log_profile" "example" {
  name = "default"
  categories = [
    "Action",
    "Delete",
    "Write",
  ]
  locations = [
    "westus",
    "global",
  ]
+ retention_policy {
+   enabled = true
+   days    = 365
+ }
}
Option 2
resource "azurerm_monitor_log_profile" "example" {
  name = "default"
  categories = [
    "Action",
    "Delete",
    "Write",
  ]
  locations = [
    "westus",
    "global",
  ]
+ retention_policy {
+   enabled = false
+   days    = 0
+ }
}