Azure Monitor

Log Profile Low Retention Time

Risk Level: Low

Description:

This plugin checks that every Log Profile has a retention time of at least the configured minimum. To support investigation of past security incidents and to meet compliance requirements, log retention rules should be configured with an appropriate retention period. The retention period is the number of days that activity logs are kept for a Microsoft Azure subscription.

Recommended Action: Ensure that the Activity Log export to Event Hub is configured with a retention policy of at least the configured number of days.

Configuration Parameter

Minimum Log Profile Retention In Days: The number of days that activity logs are retained for a Microsoft Azure subscription. An alert is generated if a log profile's retention is lower than this value.

By default the value is set to 365, so a vulnerability is generated for any log profile whose retention is lower than 365 days.

About the Service:

Azure Monitor helps you improve the availability and performance of your applications and services. It provides a complete solution for collecting, analyzing, and acting on telemetry from cloud and on-premises environments. This data helps you understand how your applications are performing and detect issues that may affect them, or the resources they depend on, in the future.

Impact:

An insufficient log retention period means that the activity log data needed for an investigation may no longer be available, making it difficult to find anomalies and potential security breaches.

Steps to Reproduce (Using Azure CLI):

  1. Sign in to Azure CLI.
  2. Run the command: az monitor log-profiles list
  3. In the output, check the retention policy and its number of days. If it is less than the configured number of days, or enabled is set to false, the vulnerability exists.
  4. Repeat these steps for the other subscriptions in your Microsoft Azure accounts.

Steps for Remediation (Using Azure CLI):

  1. Sign in to Azure Management Console.
  2. Update the log profile to the recommended retention period using the following command: az monitor log-profiles update --name MyLogProfile --set retentionPolicy.days=<number_of_days>
  3. Repeat these steps for the other misconfigured log profiles.
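The check in the reproduction steps and the remediation command above can be tied together in a small script. The following is an added example, not part of this plugin or of the Azure CLI: it evaluates JSON shaped like the output of `az monitor log-profiles list` against the Minimum Log Profile Retention In Days parameter (both failure conditions from step 3: retention too short, or the policy disabled) and prints the remediation command for each failing profile. The sample profiles are constructed for this example; the names `SAMPLE_LOG_PROFILES`, `evaluate_log_profiles` and `remediation_command` are this example's own. The generated command also sets `retentionPolicy.enabled=true` (an addition to the page's command) because a disabled policy fails the check regardless of the day count.

```python
import json

# Constructed sample modelled on the JSON shape of `az monitor log-profiles list`.
# Names and values are made up for this example; only the field names match the CLI.
SAMPLE_LOG_PROFILES = json.dumps([
    {"name": "default",    "retentionPolicy": {"days": 90,  "enabled": True}},
    {"name": "archive",    "retentionPolicy": {"days": 0,   "enabled": False}},
    {"name": "compliance", "retentionPolicy": {"days": 400, "enabled": True}},
])

# Plugin default for "Minimum Log Profile Retention In Days".
DEFAULT_MIN_RETENTION_DAYS = 365


def evaluate_log_profiles(cli_json, min_days=DEFAULT_MIN_RETENTION_DAYS):
    """Apply step 3 of the reproduction procedure to every profile.

    Returns a list of (profile_name, status, reason) tuples, where status is
    "FAIL" when the retention policy is disabled or shorter than min_days,
    and "PASS" otherwise.
    """
    findings = []
    for profile in json.loads(cli_json):
        name = profile.get("name", "<unnamed>")
        policy = profile.get("retentionPolicy") or {}
        # Missing or null values are treated as the weakest setting.
        days = int(policy.get("days") or 0)
        enabled = bool(policy.get("enabled", False))
        if not enabled:
            findings.append((name, "FAIL", "retention policy is disabled"))
        elif days < min_days:
            findings.append((name, "FAIL", f"retention {days} days is below the minimum of {min_days}"))
        else:
            findings.append((name, "PASS", f"retention {days} days"))
    return findings


def remediation_command(profile_name, days=DEFAULT_MIN_RETENTION_DAYS):
    """Build the remediation command from the page, also enabling the policy."""
    return (
        f"az monitor log-profiles update --name {profile_name} "
        f"--set retentionPolicy.enabled=true retentionPolicy.days={days}"
    )


if __name__ == "__main__":
    # In practice the JSON would come from: az monitor log-profiles list
    for name, status, reason in evaluate_log_profiles(SAMPLE_LOG_PROFILES):
        print(f"{status:4} {name}: {reason}")
        if status == "FAIL":
            print("     remediate with:", remediation_command(name))
```

Run it once per subscription (step 4 of the reproduction procedure); the default threshold of 365 days flags the first two constructed profiles and passes the third.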

References: