πΌ 7.1.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual)
- Contextual name: πΌ 7.1.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual)
- ID:
/frameworks/cis-azure-v4.0.0/07/01/04
- Located in: πΌ 7.1 Logging and Monitoring
Descriptionβ
Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type.
A number of back-end services were not configured to log and store Resource Logs for certain activities or for a sufficient length. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.
Similarβ
- Sections
/frameworks/cis-azure-v3.0.0/06/04
Similar Sections (Take Policies From)β
Similar Sections (Give Policies To)β
Sub Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|
Policies (1)β