Skip to content

capture-all-activities

Explanation

Log profiles should capture all categories to ensure that all events are logged

Possible Impact

Log profile must capture all activity to be able to ensure that all relevant information possible is available for an investigation

Suggested Resolution

Configure log profile to capture all activities

Insecure Example

The following example will fail the azure-monitor-capture-all-activities check.

resource "azurerm_monitor_log_profile" "bad_example" {
  name = "bad_example"

  categories = []

  retention_policy {
    enabled = true
    days    = 7
  }
}

Secure Example

The following example will pass the azure-monitor-capture-all-activities check.

resource "azurerm_monitor_log_profile" "good_example" {
  name = "good_example"

  categories = [
      "Action",
      "Delete",
      "Write",
  ]

  retention_policy {
    enabled = true
    days    = 365
  }
}