Diagnostic logs in Search services should be enabled
Rule request
Suggested rule change
Diagnostic logs in Search services should be enabled.
Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
This is actually an official Defender for Cloud recommendation.
Security pillar for this one.
Applies to the following
The rule applies to the following:
- Resource type: [Microsoft.Search/searchServices]
Additional context
- Diagnostic logs in Search services should be enabled
- Template reference
@bengeset96 I think we need to confirm which diagnostic logs are actually required from an audit perspective. From my look I don't see any events that are specifically audit-related, and I think suggesting that a customer should turn on all logs without guidance can increase cost unnecessarily.
If the logs are less audit-related, then maybe another pillar is better suited for general monitoring.
Another call-out is that the retention setting only applies to storage accounts, and generally for most cases customers should actually use Azure Monitor Logs as the target. Also, I think retention is a fairly opinionated thing; it really depends. If we add retention in, it should be configurable, but I think specific retention may be better suited to the CAF instead of the WAF.
https://learn.microsoft.com/azure/search/monitor-azure-cognitive-search-data-reference
https://learn.microsoft.com/azure/architecture/framework/security/monitor-logs-alerts#audit-logging
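For reference, here is what a diagnostic setting that satisfies the proposed rule and follows the comment above (Azure Monitor Logs as the target instead of a storage account) looks like in Bicep. This is an added example, not code from the issue or from the PSRule for Azure project. The parameter names, the diagnostic setting name and the API versions are assumptions; the `OperationLogs` category is the resource-log category documented in the Search monitoring data reference linked above.

```bicep
// Added example (not from this issue or the PSRule for Azure project).
// Assumptions: the search service already exists, and a Log Analytics
// workspace resource ID is supplied by the caller. API versions are assumed.
param searchServiceName string
param workspaceResourceId string   // resource ID of an existing Log Analytics workspace

resource search 'Microsoft.Search/searchServices@2023-11-01' existing = {
  name: searchServiceName
}

// Send the search service's resource logs to Azure Monitor Logs. Retention is
// then controlled by the workspace's data-retention setting rather than by a
// per-category retentionPolicy, which only has effect for storage-account targets.
resource searchDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'search-to-log-analytics'
  scope: search
  properties: {
    workspaceId: workspaceResourceId
    logs: [
      {
        // The resource-log category listed in the Search monitoring data reference.
        category: 'OperationLogs'
        enabled: true
      }
    ]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}
```

A rule for `Microsoft.Search/searchServices` would then look for a `Microsoft.Insights/diagnosticSettings` sub-resource with at least one enabled log category and a `workspaceId` set; whether that category is "audit" enough for the Security pillar is the open question in the thread.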