lacework-global-632
5.1.7 Enable logging for Azure AppService 'HTTP logs' (Manual)
Profile Applicability
• Level 2
Description
Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to capture and centrally log all http requests.
Rationale
Capturing web requests can be important supporting information for security analysts performing monitoring and incident response activities. Once logging, these logs can be ingested into SIEM or other central aggregation point for the organization.
Impact
Log consumption and processing will incur additional cost.
Audit
From Azure Portal
- Go to
App Services
For each App Service:
- Go to
Diagnostic Settings - Ensure that 'AppServiceHTTPLogs' is configured to log to a destination aligned to your environments approach to log consumption (event hub, storage account, etc. dependent on what is consuming the logs such as SIEM or other log aggregation utility).
Remediation
From Azure Portal
- Go to App Services.
For each App Service:
- Go to Diagnostic Settings.
- Click Add Diagnostic Setting.
- Select the checkbox next to 'HTTP logs'.
- Configure a destination based on your specific logging consumption capability (for example Stream to an event hub and then consuming with Security Information and Event Management (SIEM) integration for Event Hub logging).
References
https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation