last sync: 2021-May-05 13:56:08 UTC

Azure Policy definition

Resource logs in App Services should be enabled

Name Resource logs in App Services should be enabled
Id 91a78b24-f231-4a8a-8da9-02c35b2b6510
Version 1.0.0
Category App Service
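Description Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. (Reading the rule in the JSON below: only Microsoft.Web/sites resources whose kind does not contain "functionapp" are evaluated, and the existence condition is met as soon as a diagnostic setting has at least one enabled log entry. The retention-days threshold is compared only when that entry's retention policy is enabled; an enabled entry with retention disabled, or a setting without a storage account destination, also satisfies it. The effect only audits and does not enable logging.)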
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) Change type Change detail
2021-02-17 14:28:42 add 91a78b24-f231-4a8a-8da9-02c35b2b6510
Used in Initiatives none
JSON
{
  "properties": {
    "displayName": "Resource logs in App Services should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.",
    "metadata": {
      "version": "1.0.0",
      "category": "App Service"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      },
      "requiredRetentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required resource logs retention in days"
        },
        "defaultValue": "365"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "notContains": "functionapp"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "count": {
            "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
              "where": {
                "anyOf": [
                  {
                    "allOf": [
                      {
                      "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                          "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                            "equals": "0"
                          },
                          {
                          "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                          "greaterOrEquals": "[parameters('requiredRetentionDays')]"
                          }
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                        "equals": "true"
                      },
                      {
                        "anyOf": [
                          {
                          "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                            "notEquals": "true"
                          },
                          {
                            "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
                            "exists": false
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "91a78b24-f231-4a8a-8da9-02c35b2b6510"
}