Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised
The Policy is available in AzureUSGovernment cloud. Version: '1.*.*'
Assessment(s)
Assessments count: 1 Assessment Id: dea5192e-1bb3-101b-b70c-4646546f5e1e DisplayName: Diagnostic logs in Azure AI services resources should be enabled Description: Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised. Remediation description: To enable diagnostic logs for Azure AI services resources:
In the Azure portal, open Azure AI Services.
Select the relevant resource.
From the left-side bar, under "Monitoring", select "Diagnostic settings".
Click "+ Add diagnostic setting".
Choose the relevant categories you would like to log.
Select one of the destination options to store the diagnostics logs and insert relevant details.
Enter a Diagnostic setting name.
Click "Save".
Make sure your diagnostic setting has a Diagnostic Settings Retention Rule for 1 year, or create one (see note below)
Note: It is recommended to set retention of 1 year for the logs. If you select the storage account option, make sure to set the retention to 1 year via the storage account lifecycle management. Learn more at:https://aka.ms/storage/lifecycle-management If you select the log analytics option, make sure you set the retention to 1 year via the usage and estimated costs. Learn more at:https://aka.ms/log-analytics/data-retention Categories: Compute Severity: Low User impact: Low Implementation effort: Low Threats: DataExfiltration, ThreatResistance
The following 3 compliance controls are associated with this Policy definition 'Diagnostic logs in Azure AI services resources should be enabled' (1b4d1c4e-934c-4703-944c-27c82c06bebb)
**Security Principle:**
Enable logging for your cloud resources to meet the requirements for security incident investigations and security response and compliance purposes.
**Azure Guidance:**
Enable logging capability for resources at the different tiers, such as logs for Azure resources, operating systems and applications inside in your VMs and other log types.
Be mindful about different type of logs for security, audit, and other operation logs at the management/control plane and data plane tiers. There are three types of the logs available at the Azure platform:
- Azure resource log: Logging of operations that are performed within an Azure resource (the data plane). For example, getting a secret from a key vault or making a request to a database. The content of resource logs varies by the Azure service and resource type.
- Azure activity log: Logging of operations on each Azure resource at the subscription layer, from the outside (the management plane). You can use the Activity Log to determine the what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. There is a single Activity log for each Azure subscription.
- Microsoft Entra logs: Logs of the history of sign-in activity and audit trail of changes made in the Microsoft Entra ID for a particular tenant.
You can also use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collecting on Azure resources.
**Implementation and additional context:**
Understand logging and different log types in Azure:
https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview
Understand Microsoft Defender for Cloud data collection:
https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection
Enable and configure antimalware monitoring:
https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets
Operating systems and application logs inside in your compute resources:
https://docs.microsoft.com/azure/azure-monitor/agents/data-sources#operating-system-guest
Risk analysis & information system security policies
n/a
Responsibility for ensuring the security of network and information system lies, to a great extent, with essential and important entities. A culture of risk management, involving risk assessments and the implementation of cybersecurity risk-management measures appropriate to the risks faced, should be promoted and developed.
In order to avoid imposing a disproportionate financial and administrative burden on essential and important entities, the cybersecurity risk-management measures should be proportionate to the risks posed to the network and information system concerned, taking into account the state-of-the-art of such measures, and, where applicable, relevant European and international standards, as well as the cost for their implementation.