πΌ 6.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual)
- Contextual name: πΌ 6.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual)
- ID:
/frameworks/cis-azure-v3.0.0/06/04 - Located in: πΌ 6 Logging and Monitoring
Descriptionβ
Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type.
A number of back-end services were not configured to log and store Resource Logs for certain activities or for a sufficient length. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.
Similarβ
Sub Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|
Policies (1)β
| Policy | Logic Count | Flags |
|---|---|---|
| π Azure Diagnostic Setting is not enabled for all services that support it π’ | π’ x3 |