Azure Log Analytics – Best Practices and Microsoft Recommendations
This article describes security best practices for Log Analytics workspaces and Azure logging. These recommendations are not limited to Azure; most of them apply equally to other cloud platforms such as AWS or GCP.
The best practices are based on Microsoft's Azure recommendations as well as my own experience with Azure. Because technologies change over time, additional recommendations will be added and this KB will be updated to reflect those changes. Azure provides a set of best practices designed to help protect your workloads from constantly evolving threats. This blog shares the most important security best practices for protecting your resources.
• Consolidate all logs into a region-specific "central" Log Analytics workspace.
• Avoid cross-region bandwidth costs by creating "regional" workspaces, so that each Azure resource and the workspace it logs to are in the same Azure region.
• Use ARM templates or Terraform to deploy your Azure resources, so that diagnostic settings are enabled for every resource and logs are stored in the region-specific Log Analytics workspace.
• Enable the Activity log to track all operations performed in the cloud.
• Enable flow logs for every network security group.
• Select the appropriate data collection for each resource (Link).
• Enable the security and activity logs in Azure AD.
• ITSM Connector – used to integrate Log Analytics with third-party ITSM tools such as System Center Service Manager or ServiceNow, so that incidents or work items are created automatically when alerts fire in Log Analytics.
• Microsoft Defender for Cloud – provides threat detection and also collects Security Events from machines as part of its configuration.
• Set alerts for all critical events and logs and integrate them with ServiceNow.
• Define the maximum data retention for all critical activity and audit logs based on your security requirements.
•Data collect- Action
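As an added example (not code from the original article), the regional-workspace and deploy-with-diagnostics pattern from the list above expressed in Terraform with the azurerm provider: one workspace in a single region, the subscription Activity Log routed to it, and a network security group created with its diagnostic setting in the same template. The region, resource names and the 365-day retention are assumed placeholders.

```hcl
provider "azurerm" {
  features {}
}

data "azurerm_subscription" "current" {}

# Assumed region and names; repeat the pattern once per region you deploy to.
resource "azurerm_resource_group" "logging" {
  name     = "rg-logging-westeurope"
  location = "westeurope"
}

# One "central" workspace per region: resources in that region log here
# without paying cross-region egress.
resource "azurerm_log_analytics_workspace" "central" {
  name                = "law-central-westeurope"
  location            = azurerm_resource_group.logging.location
  resource_group_name = azurerm_resource_group.logging.name
  sku                 = "PerGB2018"
  retention_in_days   = 365 # derive from your audit-log retention requirement
}

# Subscription Activity Log (all control-plane operations) to the workspace.
resource "azurerm_monitor_diagnostic_setting" "activity_log" {
  name                       = "activity-log-to-law"
  target_resource_id         = data.azurerm_subscription.current.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.central.id
  dynamic "enabled_log" {
    for_each = ["Administrative", "Security", "Policy", "Alert"]
    content { category = enabled_log.value }
  }
}

# A resource deployed in the same region, with its diagnostic setting in the
# same template so nothing is created without logging.
resource "azurerm_network_security_group" "app" {
  name                = "nsg-app-westeurope"
  location            = azurerm_resource_group.logging.location
  resource_group_name = azurerm_resource_group.logging.name
}

resource "azurerm_monitor_diagnostic_setting" "nsg" {
  name                       = "nsg-to-law"
  target_resource_id         = azurerm_network_security_group.app.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.central.id
  dynamic "enabled_log" {
    for_each = ["NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter"]
    content { category = enabled_log.value }
  }
}
```

NSG flow logs from the list are a separate Network Watcher resource (azurerm_network_watcher_flow_log) rather than a diagnostic setting, so they are not covered by this block.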