Log Profile is not provisioned
Enable Log Profile for exporting activity logs
A log profile controls how the activity log is exported and for how long the exported copy is retained. The activity log should be retained for 365 days or more: the commonly cited average time to detect a breach is about 210 days, and an investigation needs the control-plane history from well before the intrusion was noticed. A retention value of 0 days means the exported data is kept indefinitely, which also satisfies this requirement. (Log profiles are the legacy export mechanism; on current subscriptions the same export is configured as a subscription-level diagnostic setting, with retention enforced at the destination, for example by a storage account lifecycle policy.)
A log profile also selects which event categories are exported. Configuring it to collect the 'Write', 'Delete' and 'Action' categories ensures that all control/management-plane operations performed on the subscription (creates and updates, deletes, and POST actions such as restarting a VM or listing storage keys) are exported.
Configure the log profile to export activity from all Azure regions the subscription can use, plus the 'global' location. Operations on global resources, such as role assignments and policy assignments, are recorded against 'global', so a profile limited to regional locations silently misses them.
The storage container that receives the activity log export must not allow public (anonymous) access. Activity log content reveals resource names, principals and configuration changes, and exposing it may aid an adversary in identifying weaknesses in the affected account's use or configuration.
Configuring the storage account that holds the activity log export container to use a customer-managed key (CMK, also called BYOK, bring your own key) adds a confidentiality control on the log data beyond storage permissions. Encryption with a CMK is transparent to readers: it is the storage account's managed identity, not each user, that must hold get, wrapKey and unwrapKey permission on the key in Key Vault. The benefit is key custody: disabling the key, or revoking the storage account's access to it, renders the exported logs unreadable regardless of who has read access on the storage account, and key rotation and access are audited in Key Vault.
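The checks in the log profile and export storage rules above, as an added example that is not part of the original page: a small Python audit over the JSON returned by `az monitor log-profiles list -o json` and `az storage account show -o json`. The field names (`categories`, `locations`, `retentionPolicy`, `storageAccountId`, `serviceBusRuleId`, `allowBlobPublicAccess`, `encryption.keySource`) are assumed to follow the Azure CLI output shape; the sample documents are constructed, and the set of regions to require is supplied by the caller (in practice from `az account list-locations`).

```python
"""Audit an Azure activity log profile and its export storage account.

Added example, not code from the original page. The input dictionaries are
assumed to have the shape of `az monitor log-profiles list -o json` and
`az storage account show -o json`; the samples at the bottom are constructed.
"""

REQUIRED_CATEGORIES = {"Write", "Delete", "Action"}
MIN_RETENTION_DAYS = 365


def audit_log_profile(profile: dict, regions: set) -> list:
    """Return findings for one log profile; an empty list means compliant.

    `regions` is the set of regional locations the subscription can use
    (in practice taken from `az account list-locations`).
    """
    findings = []

    categories = set(profile.get("categories") or [])
    missing = sorted(REQUIRED_CATEGORIES - categories)
    if missing:
        findings.append(f"categories not exported: {missing}")

    locations = {loc.lower() for loc in profile.get("locations") or []}
    if "global" not in locations:
        findings.append("location 'global' not exported")
    missing_regions = sorted({r.lower() for r in regions} - locations)
    if missing_regions:
        findings.append(f"regions not exported: {missing_regions}")

    retention = profile.get("retentionPolicy") or {}
    days = int(retention.get("days") or 0)
    # days == 0 means the exported data is retained indefinitely
    if days != 0 and days < MIN_RETENTION_DAYS:
        findings.append(f"retention {days} days is below {MIN_RETENTION_DAYS}")

    if not (profile.get("storageAccountId") or profile.get("serviceBusRuleId")):
        findings.append("no export destination (storage account or event hub) configured")
    return findings


def audit_export_storage(account: dict) -> list:
    """Return findings for the storage account that receives the export."""
    findings = []
    # allowBlobPublicAccess=True lets a container be switched to anonymous access
    if account.get("allowBlobPublicAccess", True):
        findings.append("anonymous blob access is allowed on the storage account")
    key_source = (account.get("encryption") or {}).get("keySource")
    # Microsoft.Keyvault = customer-managed key; Microsoft.Storage = platform key
    if key_source != "Microsoft.Keyvault":
        findings.append("storage account is not encrypted with a customer-managed key")
    return findings


# Constructed samples; the subscription id and resource names are placeholders.
SUB = "00000000-0000-0000-0000-000000000000"
SUBSCRIPTION_REGIONS = {"eastus", "westus"}
WEAK_PROFILE = {
    "name": "default",
    "categories": ["Write", "Delete"],
    "locations": ["eastus", "global"],
    "retentionPolicy": {"enabled": True, "days": 90},
    "storageAccountId": f"/subscriptions/{SUB}/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stlogsweak",
}
GOOD_PROFILE = {
    "name": "default",
    "categories": ["Write", "Delete", "Action"],
    "locations": ["eastus", "westus", "global"],
    "retentionPolicy": {"enabled": True, "days": 365},
    "storageAccountId": f"/subscriptions/{SUB}/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stlogsgood",
}
WEAK_STORAGE = {"name": "stlogsweak", "allowBlobPublicAccess": True,
                "encryption": {"keySource": "Microsoft.Storage"}}
GOOD_STORAGE = {"name": "stlogsgood", "allowBlobPublicAccess": False,
                "encryption": {"keySource": "Microsoft.Keyvault",
                               "keyVaultProperties": {"keyName": "logs-cmk"}}}

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("good", GOOD_PROFILE)):
        print("profile", label, audit_log_profile(profile, SUBSCRIPTION_REGIONS) or "compliant")
    for label, account in (("weak", WEAK_STORAGE), ("good", GOOD_STORAGE)):
        print("storage", label, audit_export_storage(account) or "compliant")
```

Run it against real output by loading the JSON from the two `az` commands instead of the constructed samples; each finding maps directly to one of the rules above, and the empty list is the compliant case.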
Monitoring for 'Create Policy Assignment' events (Microsoft.Authorization/policyAssignments/write) gives insight into changes made to Azure Policy assignments and may reduce the time it takes to detect unsolicited changes.
Monitoring for 'Delete Policy Assignment' events (Microsoft.Authorization/policyAssignments/delete) gives insight into changes made to Azure Policy assignments and may reduce the time it takes to detect unsolicited changes.
Monitoring for 'Create or Update Network Security Group' events (Microsoft.Network/networkSecurityGroups/write) gives insight into network access changes and may reduce the time it takes to detect suspicious activity.
Monitoring for 'Delete Network Security Group' events (Microsoft.Network/networkSecurityGroups/delete) gives insight into network access changes and may reduce the time it takes to detect suspicious activity.
Monitoring for 'Create or Update Network Security Group Rule' events (Microsoft.Network/networkSecurityGroups/securityRules/write) gives insight into network access changes and may reduce the time it takes to detect suspicious activity.
Monitoring for 'Delete Network Security Group Rule' events (Microsoft.Network/networkSecurityGroups/securityRules/delete) gives insight into network access changes and may reduce the time it takes to detect suspicious activity.
Monitoring for 'Create or Update Security Solution' events (Microsoft.Security/securitySolutions/write) gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.
Monitoring for 'Delete Security Solution' events (Microsoft.Security/securitySolutions/delete) gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.
Monitoring for 'Create or Update SQL Server Firewall Rule' events (Microsoft.Sql/servers/firewallRules/write) gives insight into network access changes and may reduce the time it takes to detect suspicious activity.
Monitoring for 'Delete SQL Server Firewall Rule' events (Microsoft.Sql/servers/firewallRules/delete) gives insight into network access changes and may reduce the time it takes to detect suspicious activity.
Monitoring for 'Create or Update Security Policy' events (Microsoft.Security/policies/write) gives insight into changes to the security policy and may reduce the time it takes to detect suspicious activity.
Monitoring for 'Delete Security Policy' events (Microsoft.Security/policies/delete) gives insight into changes to the security policy and may reduce the time it takes to detect suspicious activity.
Ensure that an Azure activity log alert is fired whenever a 'Create Virtual Machine' or 'Update Virtual Machine' event (Microsoft.Compute/virtualMachines/write) is triggered in your Microsoft Azure cloud account. Activity log alerts fire when a new activity log event matches the condition specified in the alert configuration. The condition this rule checks for is `Whenever the Administrative Activity Log 'Create or Update Virtual Machine (Microsoft.Compute/virtualMachines)' has 'any' level, with 'any' status and event is initiated by 'any'`.
Ensure that a Microsoft Azure activity log alert is fired whenever a 'Power Off Virtual Machine' event (Microsoft.Compute/virtualMachines/powerOff/action) is triggered within your cloud account. An Azure activity log alert fires each time an event matching the condition defined in the alert configuration occurs. The condition this rule checks for is `Whenever the Administrative Activity Log 'Power Off Virtual Machine (Microsoft.Compute/virtualMachines)' has 'any' level, with 'any' status and event is initiated by 'any'`.
Ensure that a Microsoft Azure activity log alert is fired whenever a 'Delete Virtual Machine' event (Microsoft.Compute/virtualMachines/delete) is triggered within your cloud account. An Azure activity log alert fires each time an event matching the condition specified in the alert configuration occurs. The condition this rule checks for is `Whenever the Administrative Activity Log 'Delete Virtual Machine (Microsoft.Compute/virtualMachines)' has 'any' level, with 'any' status and event is initiated by 'any'`.
Ensure that a Microsoft Azure activity log alert is fired whenever an 'Update Key Vault' event (Microsoft.KeyVault/vaults/write) is triggered inside your Microsoft Azure cloud account. Key Vault changes affect access policies, network rules and soft-delete or purge protection settings, so an unreviewed update can silently weaken protection of the secrets and keys inside.
Ensure that a Microsoft Azure activity log alert is fired whenever a 'Delete Key Vault' event (Microsoft.KeyVault/vaults/delete) is triggered inside your Microsoft Azure cloud account.
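The alert-coverage rules above, from policy assignments through Key Vault, as an added example that is not part of the original page: a Python check that reads the output of `az monitor activity-log alert list -o json` and reports which of the required control-plane operations have no usable alert. An alert only counts if it is enabled, has at least one action group (otherwise nobody is notified), and is scoped to the whole subscription. The mapping from the page's event names to resource-provider `operationName` values is the one used by the standard benchmark rules for these events; the alert JSON shape (`enabled`, `scopes`, `condition.allOf[]` with optional nested `anyOf`, `actions.actionGroups[]`) is assumed, and the `ALERTS` sample is constructed.

```python
"""Find control-plane operations that have no working activity log alert.

Added example, not code from the original page. ALERTS is a constructed
sample assumed to follow the shape of `az monitor activity-log alert list -o json`.
"""

# Event name used on this page -> operationName the alert condition must match
REQUIRED_OPERATIONS = {
    "Create Policy Assignment": "Microsoft.Authorization/policyAssignments/write",
    "Delete Policy Assignment": "Microsoft.Authorization/policyAssignments/delete",
    "Create or Update Network Security Group": "Microsoft.Network/networkSecurityGroups/write",
    "Delete Network Security Group": "Microsoft.Network/networkSecurityGroups/delete",
    "Create or Update Network Security Group Rule": "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Delete Network Security Group Rule": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
    "Create or Update Security Solution": "Microsoft.Security/securitySolutions/write",
    "Delete Security Solution": "Microsoft.Security/securitySolutions/delete",
    "Create or Update SQL Server Firewall Rule": "Microsoft.Sql/servers/firewallRules/write",
    "Delete SQL Server Firewall Rule": "Microsoft.Sql/servers/firewallRules/delete",
    "Create or Update Security Policy": "Microsoft.Security/policies/write",
    "Delete Security Policy": "Microsoft.Security/policies/delete",
    "Create or Update Virtual Machine": "Microsoft.Compute/virtualMachines/write",
    "Power Off Virtual Machine": "Microsoft.Compute/virtualMachines/powerOff/action",
    "Delete Virtual Machine": "Microsoft.Compute/virtualMachines/delete",
    "Update Key Vault": "Microsoft.KeyVault/vaults/write",
    "Delete Key Vault": "Microsoft.KeyVault/vaults/delete",
}


def _leaf_operations(conditions) -> set:
    """Collect operationName values from leaf conditions, recursing into anyOf."""
    ops = set()
    for cond in conditions or []:
        if cond.get("anyOf"):
            ops |= _leaf_operations(cond["anyOf"])
        elif (cond.get("field") or "").lower() == "operationname" and cond.get("equals"):
            ops.add(cond["equals"].lower())
    return ops


def alert_covers(alert: dict, subscription_id: str) -> set:
    """Operations this alert reliably covers for the whole subscription.

    A disabled alert, one with no action group, or one scoped narrower than
    the subscription covers nothing.
    """
    if not alert.get("enabled", False):
        return set()
    if not (alert.get("actions") or {}).get("actionGroups"):
        return set()
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    if sub_scope not in {s.lower() for s in alert.get("scopes") or []}:
        return set()
    return _leaf_operations((alert.get("condition") or {}).get("allOf"))


def uncovered_operations(alerts: list, subscription_id: str) -> list:
    """Names of required events that no usable alert matches."""
    covered = set()
    for alert in alerts:
        covered |= alert_covers(alert, subscription_id)
    return [name for name, op in REQUIRED_OPERATIONS.items() if op.lower() not in covered]


# Constructed sample; subscription id and names are placeholders.
SUB = "00000000-0000-0000-0000-000000000000"
ACTION_GROUP = f"/subscriptions/{SUB}/resourceGroups/rg-ops/providers/microsoft.insights/actionGroups/ag-secops"


def _alert(name, ops, enabled=True, action_group=ACTION_GROUP, scope=f"/subscriptions/{SUB}"):
    leaves = [{"field": "operationName", "equals": op} for op in ops]
    all_of = [{"field": "category", "equals": "Administrative"}]
    all_of.append(leaves[0] if len(leaves) == 1 else {"anyOf": leaves})
    groups = [{"actionGroupId": action_group}] if action_group else []
    return {"name": name, "enabled": enabled, "scopes": [scope],
            "condition": {"allOf": all_of}, "actions": {"actionGroups": groups}}


ALERTS = [
    _alert("nsg-write", ["Microsoft.Network/networkSecurityGroups/write"]),
    _alert("policy-assignments", ["Microsoft.Authorization/policyAssignments/write",
                                  "Microsoft.Authorization/policyAssignments/delete"]),
    _alert("vm-delete", ["Microsoft.Compute/virtualMachines/delete"], enabled=False),
    _alert("kv-write", ["Microsoft.KeyVault/vaults/write"], action_group=None),
    _alert("sql-fw-write", ["Microsoft.Sql/servers/firewallRules/write"],
           scope=f"/subscriptions/{SUB}/resourceGroups/rg-data"),
]

if __name__ == "__main__":
    for name in uncovered_operations(ALERTS, SUB):
        print("no usable alert for:", name)
```

In the sample only the NSG write alert and the two-operation policy assignment alert count; the disabled VM delete alert, the Key Vault alert with no action group, and the SQL firewall alert scoped to one resource group are all reported as gaps, which is exactly the situation a portal-only review tends to miss.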