💼 6.1.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual)
- ID:
/frameworks/cis-azure-v5.0.0/06/01/04
Description
Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type.
A number of back-end services were not configured to log and store Resource Logs for certain activities or for a sufficient length. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.
While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Determining whether resource logging should be enabled for specific resources depends on the context and requirements of each organization and environment.
Similar
- Sections
/frameworks/cis-azure-v3.0.0/06/04/frameworks/cis-azure-v4.0.0/07/01/04
Similar Sections (Take Policies From)
Sub Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|
Policies (1)