Property
Language: terraform
Severity: medium
Service: monitor
Provider: Azure
Vulnerability Type: misconfiguration

Description

The log retention period for Azure activity logs is set to less than one year, which means older log data may be deleted before investigations can begin or complete. This configuration reduces the ability to perform effective forensic analysis after a security incident.

Impact

If a breach is discovered after the short retention window, critical log records may be missing, hindering the ability to trace attacker actions, determine the scope of compromise, and comply with regulatory requirements. This can delay response, obscure root cause analysis, and increase organizational risk.

Resolution

Set a retention period that allows for delayed investigation.
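
The following Terraform is an added example, not taken from the original rule page. It shows a short retention setting next to a corrected one that meets the one-year threshold named in the description, with a variable validation that rejects shorter values at plan time. It assumes the finding applies to `azurerm_monitor_log_profile` (azurerm provider 3.x); the resource name, variable names, locations and the 30-day value are constructed for illustration.

```terraform
# Added example; names and values are constructed for illustration.
# Assumes azurerm provider 3.x, where azurerm_monitor_log_profile is available.

variable "log_storage_account_id" {
  description = "ID of the storage account that receives activity logs (hypothetical input)"
  type        = string
}

variable "activity_log_retention_days" {
  description = "Number of days to keep Azure activity logs"
  type        = number
  default     = 365

  # Guardrail: a plan with a shorter retention period fails before apply.
  validation {
    condition     = var.activity_log_retention_days >= 365
    error_message = "Activity log retention must be at least 365 days."
  }
}

# Weak setting (before): activity logs are deleted after 30 days.
#
#   retention_policy {
#     enabled = true
#     days    = 30
#   }

resource "azurerm_monitor_log_profile" "activity" {
  name               = "default"
  categories         = ["Action", "Delete", "Write"]
  locations          = ["global", "westeurope"]
  storage_account_id = var.log_storage_account_id

  # Corrected setting: keep at least one year of activity logs.
  retention_policy {
    enabled = true
    days    = var.activity_log_retention_days
  }
}
```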