An Azure App Service web app's diagnostic settings include HTTP request logging when the AppServiceHTTPLogs category (or the allLogs category group) is enabled, which captures web access events.
Risk
Without HTTP access logs, visibility into requests is lost, hindering detection of brute force, probing, and injection attempts. This weakens forensics and reduces confidentiality and integrity by masking data access paths and blocking reliable incident timelines.
prowler azure --checks app_http_logs_enabled
Recommendation
Enable diagnostic settings with AppServiceHTTPLogs (or allLogs) and route logs to a centralized store. Enforce least privilege, retention, and tamper-resistant storage. Integrate with a SIEM for analytics and alerting, and periodically verify logging coverage across all apps and regions.
Remediation
az monitor diagnostic-settings create --name <example_resource_name> --resource /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Web/sites/<APP_NAME> --workspace <LOG_ANALYTICS_WORKSPACE_RESOURCE_ID> --logs '[{"category":"AppServiceHTTPLogs","enabled":true}]'
- In Azure Portal, go to your App Service > Monitoring > Diagnostic settings
- Click + Add diagnostic setting
- Under Logs, check AppServiceHTTPLogs (or select the allLogs category group)
- Choose a destination (Log Analytics workspace, Storage account, or Event Hub)
- Click Save
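To verify coverage across many apps after remediation, the same pass condition can be evaluated over saved output of `az monitor diagnostic-settings list --resource <APP_RESOURCE_ID>`. This is an added example, not Prowler's own check code; the function names, app names and sample data are constructed, and the input is assumed to be either a bare list of settings or a `{"value": [...]}` wrapper.

```python
HTTP_CATEGORY = "appservicehttplogs"
ALL_LOGS_GROUP = "alllogs"


def _settings(doc):
    """Accept either a bare list or the {"value": [...]} wrapper (assumed shapes)."""
    if isinstance(doc, dict):
        return doc.get("value") or []
    return doc or []


def http_logs_enabled(doc):
    """True if any diagnostic setting has an enabled HTTP log entry."""
    for setting in _settings(doc):
        for log in setting.get("logs") or []:
            if not log.get("enabled"):
                continue  # a listed but disabled category does not count
            category = (log.get("category") or "").lower()
            group = (log.get("categoryGroup") or "").lower()
            if category == HTTP_CATEGORY or group == ALL_LOGS_GROUP:
                return True
    return False


def apps_without_http_logs(settings_by_app):
    """Return the sorted app names whose settings lack HTTP logging."""
    return sorted(app for app, doc in settings_by_app.items()
                  if not http_logs_enabled(doc))


# Constructed sample data, keyed by hypothetical app name.
SAMPLE = {
    "app-category": [{"name": "d1", "logs": [
        {"category": "AppServiceHTTPLogs", "categoryGroup": None, "enabled": True}]}],
    "app-group": {"value": [{"name": "d2", "logs": [
        {"category": None, "categoryGroup": "allLogs", "enabled": True}]}]},
    "app-disabled": [{"name": "d3", "logs": [
        {"category": "AppServiceHTTPLogs", "categoryGroup": None, "enabled": False},
        {"category": "AppServiceConsoleLogs", "categoryGroup": None, "enabled": True}]}],
    "app-none": [],  # no diagnostic setting at all
}

if __name__ == "__main__":
    for name in apps_without_http_logs(SAMPLE):
        print(f"FAIL {name}: AppServiceHTTPLogs/allLogs not enabled")
```

An app with a diagnostic setting that only enables other categories, or that lists AppServiceHTTPLogs with `enabled` set to false, is reported the same way as an app with no diagnostic setting.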
Resource Type
microsoft.web/sites