πΌ 6.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual)
- Contextual name: πΌ 6.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual)
- ID:
/frameworks/cis-azure-v3.0.0/06/04
- Located in: πΌ 6 Logging and Monitoring
Descriptionβ
Resource Logs capture activity to the data access plane while the Activity log is a
subscription-level log for the control plane. Resource-level diagnostic logs provide insight into
operations that were performed within that resource itself; for example, reading or updating a
secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more
information section for a complete list), including Network Security Groups, Load Balancers,
Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type.
A number of back-end services were not configured to log and store Resource Logs for certain
activities or for a sufficient length. It is crucial that monitoring is correctly configured to
log all relevant activities and retain those logs for a sufficient length of time. Given that
the mean time to detection in an enterprise is 240 days, a minimum retention period of two years
is recommended.
Similarβ
- Sections
/frameworks/cis-azure-v2.1.0/05/04/frameworks/cis-azure-v4.0.0/07/01/04
Similar Sections (Take Policies From)β
Similar Sections (Give Policies To)β
Sub Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|
Policies (1)β