Skip to main content

More Info:

A log profile controls how the activity log is exported and retained. Since the average time to detect a breach is 210 days, the activity log should be retained for 365 days or more in order to have time to respond to any incidents.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

HIPAA, ISO27001

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure activity log retention is set for 365 days or greater” in Azure using Azure console, follow the below steps:
  1. Login to the Azure portal (https://portal.azure.com/).
  2. Click on the “Azure Active Directory” icon from the left-hand side menu.
  3. Select the “Activity log” option from the left-hand side menu.
  4. Click on the “Export settings” option from the top menu.
  5. In the “Export settings” page, select the “Retention (days)” option.
  6. Enter “365” or greater in the “Retention (days)” field.
  7. Click on the “Save” button to save the changes.
Once the retention period is set to 365 days or greater, all the activity logs will be retained for the specified period, and the misconfiguration will be remediated.

To remediate the misconfiguration of activity log retention for Azure using Azure CLI, follow the below steps:Step 1: Open the Azure CLI command prompt.Step 2: Run the following command to set the activity log retention to 365 days or greater:
az monitor log-profiles create --name Default --location <location> --categories Write --days 365
Note: Replace <location> with the location where you want to create the log profile.Step 3: Verify the configuration by running the following command:
az monitor log-profiles show --name Default
This command will show the details of the log profile that you just created.Step 4: Once verified, you can close the Azure CLI command prompt.By following these steps, you have successfully remediated the misconfiguration of activity log retention for Azure using Azure CLI.
To remediate the misconfiguration of activity log retention for Azure using Python, you need to use the Azure SDK for Python. Here are the steps to remediate the issue:
  1. Install the Azure SDK for Python by running the following command in the terminal:
pip install azure-mgmt-monitor
  1. Import the necessary modules in your Python script:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.monitor import MonitorManagementClient
  1. Set the credentials for your Azure account by creating a Service Principal and assigning it the appropriate permissions. You will need to provide the following details in your script:
  • Tenant ID
  • Client ID
  • Client Secret
  • Subscription ID
credentials = ServicePrincipalCredentials(
    client_id='<client-id>',
    secret='<client-secret>',
    tenant='<tenant-id>'
)

subscription_id = '<subscription-id>'
  1. Create a MonitorManagementClient object using the credentials and subscription ID:
monitor_client = MonitorManagementClient(
    credentials=credentials,
    subscription_id=subscription_id
)
  1. Retrieve the current retention period for activity logs:
retention_period = monitor_client.activity_log_alerts.list()[0].retention_policy.enabled
  1. If the retention period is less than 365 days, update the retention policy:
if retention_period < 365:
    monitor_client.activity_log_alerts.update_retention_policy(
        enabled=True,
        days=365
    )
  1. Run the script to remediate the misconfiguration.
This will ensure that activity log retention is set for 365 days or greater in Azure.

Additional Reading: