Verify that logging for Azure AppService 'HTTP logs' is enabled

Subtitle: Framework Reference: A.8.15 Integration: Azure App Service – Diagnostic Settings

Why this matters

Capturing HTTP logs for Azure App Services ensures that all incoming requests are centrally recorded. These logs are essential for security operations such as incident response, anomaly detection, and audit reviews. Without HTTP log capture, security teams lack visibility into application-level traffic.

What this check does

This Auto Check verifies whether each Azure App Service has an active diagnostic setting that includes HTTP logs as a logging category and sends logs to a valid destination (Log Analytics, Event Hub, or Storage Account).

Check Logic:

• For every App Service:

• A diagnostic setting exists, and

• The setting includes HTTP Logs (resource-level diagnostic logs), and

• Logs are routed to a supported destination

Pass Criteria:

• At least one diagnostic setting exists per App Service

• That setting includes the category "HTTP logs" (enabled = true)

• A log destination is configured (Log Analytics Workspace, Event Hub, or Storage Account)

How to fix it

Remediate via Azure Portal

1. Go to App Services in the Azure Portal

2. For each App Service:

3. Under Monitoring, open Diagnostic settings

4. If a diagnostic setting exists, click Edit setting

5. Otherwise, click + Add diagnostic setting

6. Provide a name for the setting

7. Check the box for HTTP logs

8. Select a destination (Log Analytics, Event Hub, or Storage Account)

9. Click Save

Exceptions

No exceptions recommended by the benchmark. All App Services should have HTTP log capture enabled unless explicitly documented and justified.

Further resources

• Enable logging for Azure App Services

• Azure Security Benchmark: Logging & Threat Detection

• Azure Policy Definition: App Service apps should have resource logs enabled