Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Activity Log All Activities

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Monitor-003

Ensure that the Log Profile created for your Azure cloud activity log is configured to collect logs for all the control and management activity categories, i.e. "Write", "Delete" and "Action", for security and compliance purposes. A Log Profile controls how the activity log is exported and retained within your Microsoft Azure cloud account.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

By configuring your account Log Profile to collect logs for "Write", "Delete" and "Action" event categories, ensures that all the control and management activities performed on your Azure subscriptions are exported. These logs can be extremely useful for security and compliance auditing.

Note: When the Azure Log Profile is created using Microsoft Azure Management Console (Azure Portal), by default it is configured to export all activity log event categories. However, when the Log Profile is created using the Azure Command Line Interface (CLI), the user can explicitly choose which of the event categories to export.

Audit

To determine if your Azure Log Profile is configured to export logs for all the supported activities, perform the following operations:

Note: Checking Azure Log Profile configuration for event categories to export using Microsoft Azure Management Console is not currently supported.

Using Azure CLI

01 Run monitor log-profiles list command (Windows/macOS/Linux) using custom query filters to describe the name of the Log Profile created within the current subscription. Each Azure subscription has one Log Profile: 

az monitor log-profiles list
  --query '[*].name'

02 The command output should return the name of the requested Azure Log Profile: 

[
  "cc-activity-log-profile"
]

03 Run monitor log-profiles show command (Windows/macOS/Linux) using the name of the Azure Log Profile returned at the previous step as the identifier parameter and custom query filters to describe the names of the event categories to export, configured for the existing Log Profile: 

az monitor log-profiles show
  --name "cc-activity-log-profile"
  --query 'categories[]'

04 The command output should return the requested configuration information, i.e. the activity log event categories to export: 

[
  "Action"
]

If the monitor log-profiles show command output does not return an array with all the activity log event categories, i.e. "Write", "Delete" and "Action", the configuration of the Azure Log Profile created to export activity logs within the selected subscription is not compliant.

05 Repeat steps no. 1 and 2 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To configure your Microsoft Azure Log Profile to export logs for all the supported activities (i.e. "Write", "Delete" and "Action"), perform the following operations:

Note: Configuring Azure Log Profile to export logs for all available activities using Microsoft Azure Management Console is not currently supported.

Using Azure CLI

01 Run monitor log-profiles update command (Windows/macOS/Linux) using the name of the Azure Log Profile created for your subscription as the identifier parameter, to configure the profile to export logs for all the supported activities/operations performed within the current Azure subscription, i.e. "Write", "Delete" and "Action" activities (the command does not produce an output): 

az monitor log-profiles update
  --name "cc-activity-log-profile"
  --set categories=["Delete","Write","Action"]

02 Repeat step no. 1 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Jul 29, 2019

Related Monitor rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Activity Log All Activities

Risk Level: Medium