Ensure Azure log retention is set to at least 90 days for Azure Log Analytics Workspace

MEDIUM

Description

Azure Log Analytics Workspace should have a retention period set so that logs are retained in accordance with industry standards and with common compliance and regulatory guidance. The most commonly cited retention period is 90 days or more.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Log Analytics workspaces.
  2. Select the workspace you wish to edit.
  3. Under Overview, select Manage costs.
  4. Select the Data Retention button and set the number of days to a value greater than 90.
  5. Click Ok.

In Terraform -

  1. In the azurerm_log_analytics_workspace resource, set retention_in_days to a value greater than 90.
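
One way to check this setting before deployment, as an added example that is not part of the original rule or of any scanner's own code: the Python below walks the JSON produced by `terraform show -json <planfile>` and reports every azurerm_log_analytics_workspace whose retention_in_days is below the 90 days named in the rule title, or is absent from the plan. The function names and the embedded plan are constructed for illustration.

```python
import json

MIN_RETENTION_DAYS = 90  # threshold taken from the rule title (at least 90 days)
RESOURCE_TYPE = "azurerm_log_analytics_workspace"

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "azurerm_log_analytics_workspace.short", "type": "azurerm_log_analytics_workspace",
     "values": {"retention_in_days": 30}},
    {"address": "azurerm_log_analytics_workspace.ok", "type": "azurerm_log_analytics_workspace",
     "values": {"retention_in_days": 180}},
    {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group", "values": {}}],
  "child_modules": [{"address": "module.audit", "resources": [
    {"address": "module.audit.azurerm_log_analytics_workspace.unset",
     "type": "azurerm_log_analytics_workspace", "values": {}}]}]
}}}
""")


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_short_retention(plan, minimum=MIN_RETENTION_DAYS):
    """Return (address, retention) for workspaces below the minimum or with no value."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        days = (res.get("values") or {}).get("retention_in_days")
        # A missing or non-integer value is reported: the retention is not pinned in code.
        if not isinstance(days, int) or isinstance(days, bool) or days < minimum:
            findings.append((res["address"], days))
    return findings


if __name__ == "__main__":
    for address, days in find_short_retention(SAMPLE_PLAN):
        print(f"FAIL {address}: retention_in_days={days!r} (need >= {MIN_RETENTION_DAYS})")
```

Workspaces declared inside modules are covered because the walk descends into child_modules; a workspace with no retention_in_days in the plan is reported so the value gets set explicitly.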

References:
https://learn.microsoft.com/en-us/azure/azure-monitor/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace#retention_in_days

Policy Details

Rule Reference ID: AC_AZURE_0147
CSP: Azure
Remediation Available: Yes
Resource Category: Analytics

Frameworks