Ensure audit profile captures all the activities

The log profile should be configured to export all activities from the control/management plane.

Risk Level: Low
Cloud Entity: Log Profile
CloudGuard Rule ID: D9.AZU.LOG.08
Covered by Spectral: Yes
Category: Global

GSL LOGIC

LogProfile should have properties.categories contain [$='Write'] and properties.categories contain [$='Delete'] and properties.categories contain [$='Action'] and properties.categories length() = 3

REMEDIATION

From Portal
In the Azure portal there is no option to view or set the log profile categories; use Terraform or the CLI instead.

From TF
Set the 'categories' argument of the 'azurerm_monitor_log_profile' resource as below:

resource "azurerm_monitor_log_profile" "example" {
  ..
  categories = [
    "Action",
    "Delete",
    "Write",
  ]
  ..
}

From Command Line
Run

az monitor log-profiles create --categories "Delete" "Write" "Action" --days NUMBEROFDAYS --enabled true --location LOCATION --locations LIST_OF_REGIONS --name MYLOGPROFILE --storage-account-id STORAGEACCOUNTID
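The GSL logic above can be applied offline to the JSON that `az monitor log-profiles list` prints. The following is an added example, not part of the CloudGuard rule or the Azure CLI; it assumes the CLI's camelCase field names (`name`, `categories`, `retentionPolicy`) and runs against constructed sample output.

```python
import json

# Categories the rule requires on every log profile (and nothing else).
REQUIRED_CATEGORIES = {"Write", "Delete", "Action"}


def evaluate_log_profile(profile: dict) -> dict:
    """Apply the GSL logic to one log profile.

    Compliant means: categories contain Write, Delete and Action,
    and the list has exactly three entries (length() = 3).
    Field names follow the assumed CLI JSON shape.
    """
    categories = profile.get("categories") or []
    present = set(categories)
    missing = sorted(REQUIRED_CATEGORIES - present)
    unexpected = sorted(present - REQUIRED_CATEGORIES)
    duplicates = len(categories) != len(present)
    compliant = not missing and not unexpected and len(categories) == 3
    return {
        "name": profile.get("name", "<unnamed>"),
        "compliant": compliant,
        "missing": missing,
        "unexpected": unexpected,
        "duplicates": duplicates,
    }


def evaluate_all(cli_json: str) -> list:
    """Evaluate every profile in the JSON array printed by the CLI."""
    return [evaluate_log_profile(p) for p in json.loads(cli_json)]


# Constructed sample output, not captured from a real subscription.
SAMPLE_CLI_OUTPUT = json.dumps([
    {"name": "default", "categories": ["Write", "Delete", "Action"],
     "locations": ["global", "eastus"],
     "retentionPolicy": {"days": 365, "enabled": True}},
    {"name": "writes-only", "categories": ["Write"],
     "locations": ["global"],
     "retentionPolicy": {"days": 90, "enabled": True}},
])

if __name__ == "__main__":
    for result in evaluate_all(SAMPLE_CLI_OUTPUT):
        status = "PASS" if result["compliant"] else "FAIL"
        print(f"{status} {result['name']}: missing={result['missing']} "
              f"unexpected={result['unexpected']}")
```

Pipe the real CLI output into `evaluate_all` to list which profiles would fail the rule and which categories they lack.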

References

  1. https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#work-with-legacy-settings
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_log_profile#categories
  3. https://learn.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az-monitor-log-profiles-create

Log Profile

The Azure activity log captures control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Log Profile defines the type of events that are stored or streamed and the outputs (storage account and/or event hub). The Log Profile, if configured properly, can ensure that all activity logs are retained for longer dur

Compliance Frameworks

  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • CloudGuard Azure All Rules Ruleset