Activity Log Retention (Deprecated)

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Status: Deprecated
Please note this rule has been deprecated from the Conformity system and should not be enabled. For more information on rule deprecation, see here.

This recommendation is no longer valid because the retention configuration options for the Activity Log have changed. Activity log events are now retained in Azure for 90 days and then deleted by default. For longer retention or additional functionality, create a diagnostic setting that sends the activity log to one or more of the following destinations:

  • Send to Azure Monitor Logs for more complex querying and alerting and for longer retention, up to two years.
  • Send to Azure Event Hubs to forward outside of Azure.
  • Send to Azure Storage for cheaper, long-term archiving.


Log profiles are the legacy method for sending the activity log to storage or event hubs. If you're using this method, consider transitioning to diagnostic settings, which provide better functionality and consistency with resource logs. To follow audit and remediation steps for exporting logs via diagnostic settings, refer to this rule.

Risk Level: Medium (should be achieved)
Rule ID: Monitor-002

Ensure that the Log Profile created for your Azure activity log has a retention period of 365 days or more, configured for reliability and compliance purposes. A Log Profile controls how the activity log is exported and retained within your Azure cloud account. The retention period represents the number of days to retain activity logs for a Microsoft Azure cloud subscription.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Reliability

A retention period of 365 days or more should allow you to collect enough activity log data to find anomalies and potential security breaches. Because the average time to detect a breach is 210 days, retaining your Azure activity log for 365 days or more gives you the history needed to investigate and respond to incidents efficiently.


Audit

To determine if your Azure Log Profile has a sufficient retention period configured for activity log data, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the navigation panel, select Activity log to access the activity log available in your Azure cloud account.

04 From the Subscription filter box, select the Azure account subscription that you want to examine.

05 On the Activity log page, click Export to Event Hub to access your Azure Log Profile configuration settings. If there is no Log Profile currently available, follow the steps outlined in this conformity rule to create and configure one. If there is a Log Profile available, check the value set for the Retention (days) setting. If this value is less than 365 and not 0 (0 means retain data forever), the Log Profile created for the selected Azure subscription does not have a sufficient retention period configured.

06 Repeat steps no. 4 and 5 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor log-profiles list command (Windows/macOS/Linux) using custom query filters to get the retention period configured for the Log Profile available in the current Azure subscription. If there is no Log Profile currently available, follow the steps outlined in this conformity rule to create one. Each Azure subscription has only one Log Profile:

az monitor log-profiles list \
   --query '[*].retentionPolicy.[enabled, days]' \
   --output tsv

02 The command output should return the requested configuration information, i.e. whether the retention policy is enabled and the number of days to retain activity log data:

True    90

If the number of days returned by the monitor log-profiles list command is less than 365 and not 0 (0 means unlimited retention), as shown in the example above, the verified Azure Log Profile does not have a sufficient activity log data retention period configured. Also confirm that the retention policy is enabled (True): the days value is only applied while the policy is enabled, so a profile whose policy reports False should be treated as non-compliant and reviewed.

03 Repeat steps no. 1 and 2 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To extend activity log data retention period for your Microsoft Azure account subscriptions, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the navigation panel, select Activity log to access the activity log available in your Azure cloud account.

04 From the Subscription filter box, select the Azure account subscription that you want to update.

05 On the Activity log page, click Export to Event Hub to access your Azure Log Profile configuration settings.

06 On the Export activity log panel, set the number of days to retain activity log data for the selected Azure subscription in the Retention (days) box to 365 or 0, or use the slider control to set the right value. A setting of 0 (zero) days retains the activity logs forever. Click Save to apply the configuration changes.

07 Repeat steps no. 4 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor log-profiles update command (Windows/macOS/Linux) using the name of the Azure Log Profile that you want to reconfigure as the identifier parameter to extend the retention period for activity log data recorded for the selected Azure subscription. For compliance, the activity log data retention period can be set to 365 days or more, or to 0 (unlimited retention), and the retention policy must be enabled. For example, the following command sets a retention period of 365 days for the activity log recorded within the current Microsoft Azure subscription and prints the updated profile:

az monitor log-profiles update \
	--name cc-activity-log-profile \
	--set retentionPolicy.days=365 retentionPolicy.enabled=true

02 Repeat step no. 1 for each subscription created in your Microsoft Azure cloud account.
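The audit and remediation steps above are repeated once per subscription by hand. The script below is an added example, not Conformity's own tooling, that applies the same retention test (policy enabled, days 0 or at least 365) to every enabled subscription the signed-in identity can see, reports a subscription with no log profile as failing, and wraps the update command from the remediation step. It assumes the Azure CLI is installed and `az login` has been run; the `--live` flag, the function names and the sample rows at the bottom (constructed, not real subscriptions) are this example's own.

```shell
#!/bin/sh
# Added example (not Conformity's own code): audit and fix the legacy log
# profile retention policy across subscriptions with the Azure CLI.
# Assumes `az login` has been run; the sample rows at the bottom are
# constructed so the checker itself can be exercised offline.

# retention_ok DAYS ENABLED -> exit 0 when compliant, 1 otherwise.
# Compliant means the policy is enabled and DAYS is 0 (keep forever) or >= 365.
# A disabled policy is flagged whatever DAYS says: the days value is only
# applied while the policy is enabled, so it needs a review, not a pass.
# ENABLED accepts true/false in any case (az -o tsv prints True/False).
retention_ok() {
  days=$1
  enabled=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$enabled" = "true" ] || return 1
  case $days in
    '' | *[!0-9]*) return 1 ;;   # missing or non-numeric: treat as failing
  esac
  [ "$days" -eq 0 ] || [ "$days" -ge 365 ]
}

# check_profiles reads "subscription<TAB>profile<TAB>enabled<TAB>days" rows on
# stdin, prints one PASS/FAIL verdict per row and returns 1 if any row fails.
check_profiles() {
  rc=0
  tab=$(printf '\t')
  while IFS="$tab" read -r sub name enabled days; do
    [ -n "$name" ] || continue
    if retention_ok "$days" "$enabled"; then
      printf 'PASS %s profile=%s enabled=%s days=%s\n' "$sub" "$name" "$enabled" "$days"
    else
      printf 'FAIL %s profile=%s enabled=%s days=%s\n' "$sub" "$name" "$enabled" "$days"
      rc=1
    fi
  done
  return $rc
}

# audit_all lists the log profile of every enabled subscription in the row
# format check_profiles expects. A subscription with no log profile at all is
# emitted as a disabled row so that it is reported as FAIL too.
audit_all() {
  az account list --query "[?state=='Enabled'].id" -o tsv | while read -r sub; do
    rows=$(az monitor log-profiles list --subscription "$sub" \
      --query '[*].[name, retentionPolicy.enabled, retentionPolicy.days]' -o tsv)
    if [ -z "$rows" ]; then
      printf '%s\t(no log profile)\tfalse\t0\n' "$sub"
    else
      printf '%s\n' "$rows" | awk -v s="$sub" '{ print s "\t" $0 }'
    fi
  done | check_profiles
}

# remediate SUBSCRIPTION PROFILE [DAYS] enables the retention policy and sets
# it to DAYS (default 365), the same change as the remediation step above.
remediate() {
  az monitor log-profiles update --subscription "$1" --name "$2" \
    --set retentionPolicy.enabled=true retentionPolicy.days="${3:-365}" \
    --query '[name, retentionPolicy.enabled, retentionPolicy.days]' -o tsv
}

if [ "${1:-}" = "--live" ]; then
  audit_all
else
  # Constructed rows mimicking audit_all output (not real subscriptions):
  # 90 days fails, 0 (forever) passes, a disabled policy fails regardless of days.
  printf 'sub-a\tdefault\tTrue\t90\nsub-b\tdefault\tTrue\t0\nsub-c\tdefault\tFalse\t400\n' \
    | check_profiles || echo "one or more profiles need remediation"
fi
```

Run it with `--live` to audit real subscriptions, then call `remediate <subscription-id> default` for each FAIL line (every subscription has a single log profile, normally named default). Because log profiles are the legacy export path, treat a clean result here as a stopgap and move the export to diagnostic settings as the deprecation notice recommends.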

Publication date Jul 29, 2019