Azure subscriptions should have a diagnostic setting for activity logs

Description

Ensure that a subscription-scoped diagnostic setting exists for exporting activity logs. Diagnostic settings control how activity logs are exported and retained beyond the default 90-day period, enabling long-term security analysis of subscription-level control-plane events.

Remediation

Create a diagnostic setting at the subscription level that forwards activity logs to a destination such as a Log Analytics workspace, storage account, or event hub. Select the appropriate log categories for your environment. See Diagnostic settings in Azure Monitor.
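The check described above can be sketched as follows. This is an added example, not Datadog's rule logic: it evaluates the JSON returned when listing a subscription's diagnostic settings, and it assumes a setting only counts if it has a destination and at least one enabled log category. The function name, setting names and resource IDs are constructed for illustration.

```python
import json

# Destination fields a diagnostic setting can carry in the Azure Monitor schema.
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")

def evaluate_subscription(list_response):
    """Return (compliant, findings) for one subscription's diagnostic settings list."""
    settings = list_response.get("value", [])
    if not settings:
        return False, ["no subscription-scoped diagnostic setting exists"]
    compliant, findings = False, []
    for setting in settings:
        # The REST API nests fields under "properties"; some tooling flattens them.
        props = setting.get("properties", setting)
        name = setting.get("name", "<unnamed>")
        destinations = [k for k in DESTINATION_KEYS if props.get(k)]
        enabled = sorted(
            log["category"] for log in props.get("logs", [])
            if log.get("enabled") and log.get("category")
        )
        if not destinations:
            findings.append(f"{name}: no destination configured")
        elif not enabled:
            findings.append(f"{name}: no log category enabled")
        else:
            # Assumption: a destination plus one enabled category is sufficient.
            compliant = True
            findings.append(
                f"{name}: exports {', '.join(enabled)} to {', '.join(destinations)}"
            )
    return compliant, findings

# Constructed sample responses (placeholder subscription and resource IDs).
WORKSPACE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "rg-example/providers/Microsoft.OperationalInsights/workspaces/law-example")
SAMPLE_OK = json.loads(json.dumps({"value": [{"name": "export-to-law", "properties": {
    "workspaceId": WORKSPACE,
    "logs": [{"category": "Administrative", "enabled": True},
             {"category": "Security", "enabled": True},
             {"category": "Policy", "enabled": False}]}}]}))
SAMPLE_DISABLED = {"value": [{"name": "stale", "properties": {
    "workspaceId": WORKSPACE,
    "logs": [{"category": "Administrative", "enabled": False}]}}]}
SAMPLE_NO_DEST = {"value": [{"name": "orphan", "properties": {
    "logs": [{"category": "Administrative", "enabled": True}]}}]}
SAMPLE_EMPTY = {"value": []}

if __name__ == "__main__":
    for label, sample in [("ok", SAMPLE_OK), ("disabled", SAMPLE_DISABLED),
                          ("no-dest", SAMPLE_NO_DEST), ("empty", SAMPLE_EMPTY)]:
        print(label, evaluate_subscription(sample))
```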