Activity log streamed to Log Analytics
Demonstrate that Azure Activity Logs are configured to stream continuously to a Log Analytics workspace and that the streaming mechanism operates reliably to support security monitoring and incident response capabilities.
Description
What this control does
This control ensures that activity logs from Azure resources are automatically streamed in real time to an Azure Log Analytics workspace for centralized collection, retention, and analysis. The streaming configuration is typically implemented with Azure Diagnostic Settings, which route platform logs (including Activity Logs, Resource Logs, and Azure Active Directory logs) to one or more destinations. This centralization supports security monitoring, forensic investigation, compliance reporting, and alerting across the Azure environment without relying on manual log exports or delayed batch transfers.
Control objective
What auditing this proves
Auditing this control demonstrates that Azure Activity Logs are configured to stream continuously to a Log Analytics workspace and that the streaming mechanism operates reliably enough to support security monitoring and incident response.
Associated risks
Risks this control addresses
- Delayed or absent detection of unauthorized control plane operations such as resource deletion, privilege escalation, or configuration changes
- Inability to conduct forensic investigation following a security incident due to incomplete or missing activity log data
- Adversary performing reconnaissance or lateral movement actions in Azure that go undetected because logs are not centrally monitored
- Compliance violations due to failure to retain audit trails for subscription-level administrative activities as required by regulatory frameworks
- Loss of visibility into subscription or tenant-level changes if diagnostic settings are misconfigured or disabled by unauthorized actors
- Insufficient log retention in source systems leading to evidence spoliation before logs are collected centrally
- Failure to correlate Azure control plane activity with application-layer security events due to lack of centralized log repository
Testing procedure
How an auditor verifies this control
- Identify all Azure subscriptions and management groups in scope for the audit and document the target Log Analytics workspace(s) used for centralized logging.
- Review the Diagnostic Settings configuration for each in-scope subscription by navigating to Azure Monitor > Activity Log > Diagnostic settings or querying via Azure Resource Graph or Azure CLI.
- Verify that at least one diagnostic setting exists for each subscription with Log Analytics workspace configured as a destination and that all relevant Activity Log categories (Administrative, Security, ServiceHealth, Alert, Recommendation, Policy, Autoscale, ResourceHealth) are selected for streaming.
- Query the Log Analytics workspace using KQL to retrieve recent AzureActivity table entries and confirm that events from all in-scope subscriptions are present within the expected ingestion latency window (typically under 5 minutes).
- Select a sample of high-privilege operations from the past 30 days (e.g., role assignments, resource deletions, NSG modifications) and trace each event from the Azure Activity Log UI to corresponding entries in the Log Analytics workspace to validate completeness.
- Review access controls on the diagnostic settings and Log Analytics workspace to confirm that only authorized roles (e.g., Security Admin, Monitoring Contributor) can modify or disable log streaming configurations.
- Examine retention policies configured in the Log Analytics workspace to verify they meet or exceed organizational and regulatory retention requirements for audit logs.
- Test alert rules or detection queries in Log Analytics that depend on Activity Log data to confirm operational integration and that security monitoring capabilities are functioning as intended.
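A check an auditor could script for the diagnostic-settings steps of the procedure above, added here as an example that is not part of the original control text: it evaluates the JSON returned by `az monitor diagnostic-settings subscription list` for a Log Analytics destination and for all eight Activity Log categories. The CLI output shape and its field names (`workspaceId`, `logs[].category`, `logs[].enabled`) are assumptions, and the sample output is constructed.

```python
import json

# Activity Log categories the testing procedure expects every subscription to stream.
REQUIRED_CATEGORIES = {
    "Administrative", "Security", "ServiceHealth", "Alert",
    "Recommendation", "Policy", "Autoscale", "ResourceHealth",
}

def evaluate_settings(settings, expected_workspace_id=None):
    """Check one subscription's Activity Log diagnostic settings (the "value" list
    from `az monitor diagnostic-settings subscription list -o json`; field names
    workspaceId, logs[].category and logs[].enabled are assumed)."""
    findings = []
    compliant = False  # true once one setting sends every category to the workspace
    for s in settings:
        name = s.get("name", "<unnamed>")
        ws = s.get("workspaceId")
        if not ws:
            findings.append(f"{name}: no Log Analytics workspace destination")
            continue
        # Azure resource IDs are case-insensitive, so compare them normalised.
        if expected_workspace_id and ws.lower() != expected_workspace_id.lower():
            findings.append(f"{name}: routes to unexpected workspace {ws}")
            continue
        enabled = {log["category"] for log in s.get("logs", []) if log.get("enabled")}
        missing = sorted(REQUIRED_CATEGORIES - enabled)
        if missing:
            findings.append(f"{name}: categories not streamed: {missing}")
        else:
            compliant = True
    if not settings:
        findings.append("no diagnostic settings exist for this subscription")
    return {"compliant": compliant, "findings": findings}

def evaluate_cli_output(json_text, expected_workspace_id=None):
    """Convenience wrapper that takes the raw CLI JSON text."""
    return evaluate_settings(json.loads(json_text).get("value", []), expected_workspace_id)

# Constructed sample of CLI output: one setting streams only part of the log to the
# workspace, the other sends every category but to a storage account only.
SAMPLE_CLI_OUTPUT = json.dumps({"value": [
    {"name": "to-law",
     "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                    "rg-sec/providers/Microsoft.OperationalInsights/workspaces/law-central",
     "logs": [{"category": c, "enabled": c not in ("Security", "Policy")}
              for c in sorted(REQUIRED_CATEGORIES)]},
    {"name": "to-storage", "workspaceId": None,
     "logs": [{"category": c, "enabled": True} for c in sorted(REQUIRED_CATEGORIES)]},
]})
```

Running `evaluate_cli_output(SAMPLE_CLI_OUTPUT)` on the sample yields a non-compliant result with one finding per setting; pass the documented workspace resource ID as `expected_workspace_id` to also catch settings that route to the wrong workspace.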
Where this control is tested