Activity Log All Regions (Deprecated)

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Status: Deprecated
Please note this rule has been deprecated from the Conformity system and should not be enabled. For more information on rule deprecation, see here.

Log profiles are the legacy method for sending the activity log to storage or event hubs. If you're using this method, consider transitioning to diagnostic settings, which provide better functionality and consistency with resource logs. To follow audit and remediation steps for exporting logs via diagnostic settings, refer to this rule.

Risk Level: Medium (should be achieved)
Rule ID: Monitor-004

Ensure that the Log Profile created for your Azure cloud activity log is configured to export activities from all supported regions including global. A Log Profile controls how the activity log is exported and retained within your Microsoft Azure cloud account.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Configuring your account Log Profile to export the activity logs from all Azure supported regions ensures that logging data recorded for potentially unexpected activities occurring in otherwise unused regions is stored and made available later for incident response, investigations and internal audit. Including the global region in the Azure Log Profile locations ensures that all events from the account control and management console are also exported, as many events in the activity log are global events.


Audit

To determine if your Log Profile is configured to export activity logs from all Azure regions, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the navigation panel, select Activity log to access the activity log available in your Azure cloud account.

04 From the Subscription filter box, select the Azure account subscription that you want to examine.

05 On the Activity log page, click Export to Event Hub to access your Azure Log profile configuration settings. If there is no Log Profile currently available, follow the steps outlined in this conformity rule to create and configure one. If there is a Log Profile available, check the Regions dropdown list. If the Select All option from the Region dropdown list is not checked, the Log Profile created for the selected Azure subscription is not configured to export activities from all supported Azure regions/locations (including global), thus the configuration is not compliant.

06 Repeat steps no. 4 and 5 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list-locations command (Windows/macOS/Linux) using custom query filters to get the number of regions supported by the Microsoft Azure cloud:

az account list-locations \
	--query '[*].displayName' | grep -P '\w+' | wc -l

02 The command output should return the current number of Azure cloud supported regions (excluding global):

34

03 Run monitor log-profiles list command (Windows/macOS/Linux) using custom query filters to get the number of Azure cloud regions configured for your Azure Log Profile. Each Azure subscription has only one Log Profile. If there is no Log Profile currently available, follow the steps outlined in this conformity rule to create one:

az monitor log-profiles list \
	--query '[*].locations' | grep -P '\w+' | wc -l

04 The command output should return the number of Azure regions configured for the selected Log Profile + 1 (i.e. global region):

5

If the number of regions returned by the monitor log-profiles list command output is less than the number returned at step no. 2 + 1 (global region), e.g. 35, the Log Profile available for the selected Azure subscription is not configured to export activities from all supported Azure regions/locations (including global), therefore the Log Profile configuration is not compliant.

05 Repeat steps no. 1 – 4 for each subscription available in your Microsoft Azure cloud account.
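The audit above compares two counts. The script below is an added example, not part of the original Conformity rule; it goes a step further and names the locations the Log Profile is missing. It assumes both lists were saved one name per line with `-o tsv`, that names are lower-case as in the commands on this page, and the function names and sample files are hypothetical.

```shell
#!/bin/sh
# Added example: name the locations a Log Profile does not cover.
# Each input file holds one location name per line, e.g. saved from:
#   az account list-locations --query '[*].name' -o tsv > supported.txt
#   az monitor log-profiles list --query '[0].locations' -o tsv > configured.txt

# Print every required location (supported regions plus "global") that is
# absent from the configured list, one per line, sorted.
missing_locations() {
    supported_file=$1
    configured_file=$2
    req=$(mktemp) && cfg=$(mktemp) || return 2
    # Strip CRs (Windows output) and blank lines, then de-duplicate.
    { cat "$supported_file"; printf '\nglobal\n'; } |
        tr -d '\r' | sed '/^$/d' | sort -u > "$req"
    tr -d '\r' < "$configured_file" | sed '/^$/d' | sort -u > "$cfg"
    # comm -23: lines that appear only in the first (required) sorted file.
    comm -23 "$req" "$cfg"
    rm -f "$req" "$cfg"
}

# Exit status 0 (compliant) only when no required location is missing.
is_compliant() {
    [ -z "$(missing_locations "$1" "$2")" ]
}

# Constructed sample data, not output from a real subscription.
sample_dir=$(mktemp -d)
printf '%s\n' eastus westus northeurope westeurope > "$sample_dir/supported.txt"
printf '%s\n' global eastus westeurope > "$sample_dir/configured.txt"

if is_compliant "$sample_dir/supported.txt" "$sample_dir/configured.txt"; then
    echo "Log Profile covers every supported location and global"
else
    echo "Log Profile is missing:"
    missing_locations "$sample_dir/supported.txt" "$sample_dir/configured.txt"
fi
```
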

Remediation / Resolution

Since many events in the Azure activity log are global events, it is highly recommended to include all Azure regions (locations) within the Log Profile configuration. To configure your Azure Log Profile to capture activity logs for all supported regions (including global region), perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the navigation panel, select Activity log to access the activity log available in your Azure cloud account.

04 From the Subscription filter box, select the Azure account subscription that you want to update.

05 On the Activity log page, click Export to Event Hub to access your Azure Log Profile configuration settings.

06 On the Export activity log panel, click on the Select All option from the Region dropdown list to configure the selected Azure Log Profile to export activities from all Azure supported regions/locations (including global region). Click Save to apply the configuration changes.

07 Repeat steps no. 4 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor log-profiles list command (Windows/macOS/Linux) using custom query filters to get the name of the Log Profile available in the current Azure subscription. Each Microsoft Azure subscription has only one Log Profile:

az monitor log-profiles list \
	--query '[*].name'

02 The command output should return the name of the requested Azure Log Profile:

[
  "cc-azure-log-profile"
]

03 Run monitor log-profiles update command (Windows/macOS/Linux) using the name of the Azure Log Profile returned at the previous step as identifier parameter to configure the selected Log Profile to capture activity logs for all Microsoft Azure supported regions (including global). To configure your Log Profile to include all supported regions, define a comma-separated list of regions for which you would like to collect Azure activity log events. You can view a list of all regions for your subscription using az account list-locations --query '[*].name' command. The following command request does not produce an output:

az monitor log-profiles update \
	--name cc-azure-log-profile \
	--set 'locations=["global","eastasia","southeastasia","centralus","eastus","eastus2","westus","northcentralus","southcentralus","northeurope","westeurope","japanwest","japaneast","brazilsouth","australiaeast","australiasoutheast","southindia","centralindia","westindia","canadacentral","canadaeast","uksouth","ukwest","westcentralus","westus2","koreacentral","koreasouth","francecentral","francesouth","australiacentral","australiacentral2","uaecentral","uaenorth","southafricanorth","southafricawest"]'

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

Publication date Aug 16, 2019