Ensure the log profile captures activity logs for all regions including global
Configure the log profile to export activities from all Azure supported regions/locations including global.
Risk Level: Low
Cloud Entity: Log Profile
CloudGuard Rule ID: D9.AZU.LOG.02
Covered by Spectral: Yes
Category: Global
GSL LOGIC
LogProfile should have properties.locations length()>=65
REMEDIATION
From Portal
- Go to Activity log
- Click on Export
- Select Subscription
- In Regions dropdown list, check Select all
- Select Save
From TF
Set the 'locations' argument under 'azurerm_monitor_log_profile' to all the locations in your subscription plus 'global':
resource "azurerm_monitor_log_profile" "example" {
  ..
  locations = [
    "LIST_OF_REGIONS",
    ..
    ..
    "global",
  ]
  ..
}
From Command Line
Run
az monitor log-profiles create --categories CATEGORY --days NUMBEROFDAYS --enabled true --location LOCATION --locations LIST_OF_REGIONS --name MYLOGPROFILE --storage-account-id STORAGEACCOUNTID
NOTE: To get the list of supported regions for the current subscription, run:
az account list-locations --query '[*].name'
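An added example (not CloudGuard's or Microsoft's code) that checks the same condition by set comparison as well as by count: given the JSON for the log profiles and for the subscription's region list, it names the regions a profile does not export. The sample data is constructed, and accepting both properties.locations and a top-level locations field is an assumption about the input shape.

```python
import json

GSL_MIN_LOCATIONS = 65  # threshold used by the GSL logic on this page


def profile_locations(profile):
    """Return the set of locations one log profile exports, lower-cased.

    Assumption: the profile is either in the REST shape
    (properties.locations) or flattened (locations at the top level).
    """
    props = profile.get("properties") or profile
    return {loc.strip().lower() for loc in props.get("locations") or []}


def audit_log_profile(profile, subscription_locations):
    """Compare a log profile with the subscription's regions plus 'global'."""
    required = {loc.strip().lower() for loc in subscription_locations}
    required.add("global")
    configured = profile_locations(profile)
    return {
        "name": profile.get("name"),
        "missing": sorted(required - configured),
        "passes_count_rule": len(configured) >= GSL_MIN_LOCATIONS,
        "covers_all": required <= configured,
    }


# Constructed sample data standing in for the output of
# "az account list-locations --query '[*].name'" and a log profile listing.
SAMPLE_LOCATIONS = json.loads('["eastus", "westeurope", "uksouth"]')
SAMPLE_PROFILES = json.loads("""
[
  {"name": "partial", "properties": {"locations": ["eastus", "WestEurope"]}},
  {"name": "complete", "locations": ["eastus", "westeurope", "uksouth", "global"]}
]
""")

if __name__ == "__main__":
    for sample in SAMPLE_PROFILES:
        print(audit_log_profile(sample, SAMPLE_LOCATIONS))
```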
References
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#work-with-legacy-settings
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_log_profile
- https://learn.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-list-locations
- https://learn.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az-monitor-log-profiles-create
Log Profile
The Azure activity log captures control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Log Profile defines the type of events that are stored or streamed and the outputs (storage account and/or event hub). The Log Profile, if configured properly, can ensure that all activity logs are retained for longer dur
Compliance Frameworks
- Azure CIS Foundations v. 1.1.0
- Azure CloudGuard Best Practices
- Azure HITRUST v9.5.0
- Azure ITSG-33
- CloudGuard Azure All Rules Ruleset
Updated about 1 year ago