Logging and Defender Gaps
Description
Missing diagnostic and activity logs and disabled Microsoft Defender for Cloud plans reduce detection and response capability across Azure resources. A missing Log Analytics workspace, short retention, and absent data plane logs (e.g., Key Vault, Storage) create blind spots for investigations.
Examples
Check Diagnostic Settings
az monitor diagnostic-settings list --resource <resourceId>
az monitor diagnostic-settings categories list --resource <resourceId>
az monitor log-analytics workspace list -g <rg>
Defender Plans
az security pricing list
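The two checks above produce JSON (with `-o json`) that still has to be read against a baseline. The script below is an added example, not part of the original note: it takes the parsed output of `az monitor diagnostic-settings list`, `az monitor diagnostic-settings categories list` and `az security pricing list` and reports resources with no diagnostic setting, settings with no destination, required log categories left disabled, retention below a minimum, and required Defender plans not on the Standard tier. The sample JSON is constructed to match the shape of those commands' output (the `value` wrapper is handled for older CLI versions), the 365-day minimum and the set of "critical" plan names are assumptions taken from the remediation list, and no resource IDs here belong to a real subscription.

```python
"""Audit az CLI JSON output for logging and Defender gaps (constructed sample data)."""
import json

MIN_RETENTION_DAYS = 365  # assumed organisational minimum; adjust to policy

# Plan names as reported by `az security pricing list`; which ones count as
# "critical" is an assumption derived from the remediation list on the page.
REQUIRED_PLANS = {"VirtualMachines", "AppServices", "StorageAccounts",
                  "SqlServers", "KeyVaults", "Containers"}


def _items(payload):
    """Accept either a bare list or the {"value": [...]} wrapper older CLIs emit."""
    return payload.get("value", []) if isinstance(payload, dict) else payload


def diagnostic_gaps(resource_id, settings, required_categories,
                    min_days=MIN_RETENTION_DAYS):
    """Return findings for one resource.

    settings: parsed JSON from `az monitor diagnostic-settings list --resource <id>`.
    required_categories: category names (from `... categories list`) that must be on.
    """
    settings = _items(settings)
    if not settings:
        return [f"{resource_id}: no diagnostic settings configured"]

    findings, enabled = [], set()
    for s in settings:
        sinks = [k for k in ("workspaceId", "eventHubAuthorizationRuleId",
                             "storageAccountId") if s.get(k)]
        if not sinks:
            findings.append(f"{resource_id}/{s['name']}: no destination "
                            "(workspace, event hub or storage account)")
        for log in s.get("logs", []):
            if not log.get("enabled"):
                continue
            enabled.add(log["category"])
            rp = log.get("retentionPolicy") or {}
            days = rp.get("days", 0)
            # A storage retention policy of 0 days keeps data indefinitely, so only a
            # finite value below the minimum is a finding.
            if rp.get("enabled") and 0 < days < min_days:
                findings.append(f"{resource_id}/{s['name']}: {log['category']} "
                                f"retention {days}d < {min_days}d")
    for cat in required_categories:
        if cat not in enabled:
            findings.append(f"{resource_id}: log category {cat} not enabled")
    return findings


def defender_gaps(pricings, required=REQUIRED_PLANS):
    """Return required Defender plan names that are not on the Standard tier.

    pricings: parsed JSON from `az security pricing list -o json`.
    """
    tiers = {p["name"]: p.get("pricingTier", "Free") for p in _items(pricings)}
    return sorted(name for name in required if tiers.get(name) != "Standard")


# ---- Constructed sample data (not captured from a real subscription) ----
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
KV_ID = f"{SUB}/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo"
KV_SETTINGS = json.loads("""[
  {"name": "to-law",
   "workspaceId": "%s/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/law-central",
   "logs": [
     {"category": "AuditEvent", "enabled": true,
      "retentionPolicy": {"enabled": true, "days": 30}},
     {"category": "AzurePolicyEvaluationDetails", "enabled": false,
      "retentionPolicy": {"enabled": false, "days": 0}}
   ],
   "metrics": [{"category": "AllMetrics", "enabled": true,
                "retentionPolicy": {"enabled": false, "days": 0}}]}
]""" % SUB)
KV_CATEGORIES = ["AuditEvent", "AzurePolicyEvaluationDetails"]

PRICING_SAMPLE = json.loads("""{"value": [
  {"name": "VirtualMachines", "pricingTier": "Standard"},
  {"name": "StorageAccounts", "pricingTier": "Free"},
  {"name": "KeyVaults", "pricingTier": "Free"},
  {"name": "SqlServers", "pricingTier": "Standard"},
  {"name": "AppServices", "pricingTier": "Standard"},
  {"name": "Containers", "pricingTier": "Standard"}
]}""")

if __name__ == "__main__":
    for line in diagnostic_gaps(KV_ID, KV_SETTINGS, KV_CATEGORIES):
        print("DIAG ", line)
    for plan in defender_gaps(PRICING_SAMPLE):
        print("PLAN ", plan, "not on Standard tier")
```

In practice, feed the functions with `json.load` of the CLI output for every resource ID returned by `az resource list`, and treat each finding as an input to the Azure Policy assignments in the remediation section rather than as a one-off fix.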
Remediation
- Enable diagnostics to Log Analytics/Event Hub/Storage with long retention.
- Turn on Defender plans for critical resource types (Servers, App Services, Storage, SQL, Key Vault, Containers); configure recommendations/alerts.
- Enforce via Azure Policy:
  - Require diagnostic settings across resource types; set a minimum retention; ensure activity logs are exported to a central workspace.