
Enable Exporting Activity Logs for Azure Cloud Resources

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Monitor-009

Ensure that a diagnostic setting is configured for each of your Microsoft Azure cloud resources so that its activity logs are exported. Diagnostic settings are defined per resource within a subscription. The activity log records the management (control-plane) operations performed on an Azure resource; without a diagnostic setting, these logs are not exported anywhere outside the Azure platform.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Pillars: Security, Reliability, Operational excellence, Cost optimisation, Performance efficiency

A diagnostic setting controls whether, and to where, the logs of a cloud resource are exported. A well-configured diagnostic setting exports the logs to a secure, access-controlled destination (a storage account, a Log Analytics workspace, or an event hub) and keeps them for long enough that the recorded activity can be analysed later for security investigations and compliance audits.


Audit

To determine if exporting activity logs is enabled for each Azure cloud resource available in a subscription, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the blade navigation panel, under Settings, select Diagnostic settings to view the diagnostic settings available for each cloud resource provisioned within your Azure account.

04 From the Subscription filter box, select the Azure subscription that you want to examine.

05 Select the Azure cloud resource that you want to examine and check the status shown in the Diagnostics status column. If the status is Disabled, no diagnostic setting exists and activity logs are not exported for the selected Microsoft Azure cloud resource.

06 Repeat step no. 5 for each Azure cloud resource provisioned within the selected subscription.

07 Repeat steps no. 4 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run resource list command (Windows/macOS/Linux) with custom query filters to list the ID of each Azure cloud resource provisioned in the selected subscription:

az resource list \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd \
  --query '[*].id'

02 The command output should return the requested resource identifiers (IDs):

[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-vault",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/cc-web-storage-account"
]

03 Run monitor diagnostic-settings list command (Windows/macOS/Linux) using the ID of the cloud resource that you want to examine as the identifier parameter and custom query filters to describe the active diagnostic settings available for the specified resource:

az monitor diagnostic-settings list \
  --resource "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-vault" \
  --query 'value'

Note that older Azure CLI versions wrap the result in an object ({"value": [...]}), which is what the --query 'value' filter unwraps; newer versions return the array directly, in which case drop the --query parameter.

04 The command output should return the requested configuration settings:

[]

If the monitor diagnostic-settings list command output returns an empty array, i.e. [], as shown in the example above, there are no diagnostic settings defined, therefore the activity logs are not exported for the selected Microsoft Azure cloud resource. A non-empty array is not sufficient on its own: check that at least one returned setting has a log category with "enabled": true and a populated destination (storageAccountId, workspaceId, or eventHubAuthorizationRuleId). A setting that collects only metrics, or whose log categories are all disabled, exports no activity logs.

05 Repeat steps no. 3 and 4 for each Azure cloud resource provisioned in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.
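The CLI audit above is per resource and treats any non-empty array as a pass. The following script is an added example (not code from the Conformity page): it applies the same check to every resource in a subscription via the Azure CLI and additionally flags settings that exist but export no logs (metrics-only, or all log categories disabled, or no destination). It accepts both Azure CLI output shapes. The live path needs az installed and an active az login; the constructed sample data at the bottom (resource IDs and setting names are assumptions) lets it run offline.

```python
"""Audit helper for the CLI steps above (added example, not from the page)."""
import json
import subprocess
from typing import Any

# Fields that hold a destination on a diagnostic setting object.
DESTINATION_FIELDS = (
    "storageAccountId",
    "workspaceId",
    "eventHubAuthorizationRuleId",
    "marketplacePartnerId",
)


def run_az(args: list[str]) -> Any:
    """Run an Azure CLI command and parse its JSON output (needs `az login`)."""
    proc = subprocess.run(
        ["az", *args, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def as_list(raw: Any) -> list[dict]:
    """Older Azure CLI versions wrap list results in {"value": [...]};
    newer versions return the list directly. Accept both."""
    if isinstance(raw, dict):
        return raw.get("value", [])
    return raw or []


def exports_logs(setting: dict) -> bool:
    """A setting exports logs only if at least one log category (or category
    group) is enabled AND at least one destination is configured."""
    has_destination = any(setting.get(f) for f in DESTINATION_FIELDS)
    has_enabled_log = any(log.get("enabled") for log in setting.get("logs") or [])
    return has_destination and has_enabled_log


def classify(settings: list[dict]) -> str:
    """Map a resource's diagnostic settings to an audit verdict."""
    if not settings:
        return "NO_SETTING"       # the empty-array case from step 04
    if any(exports_logs(s) for s in settings):
        return "OK"
    return "NO_LOG_EXPORT"        # a setting exists but exports no logs


def audit_subscription(subscription_id: str) -> dict[str, str]:
    """Live version of steps 01-05: one verdict per resource ID."""
    resource_ids = run_az(["resource", "list", "--subscription", subscription_id,
                           "--query", "[*].id"])
    return {
        rid: classify(as_list(run_az(["monitor", "diagnostic-settings", "list",
                                      "--resource", rid])))
        for rid in resource_ids
    }


# Constructed sample output (not captured from a real tenant). It mimics both
# CLI output shapes and three typical states: no setting, metrics-only setting,
# and a setting that sends all logs to a Log Analytics workspace.
PREFIX = ("/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd"
          "/resourceGroups/cloud-shell-storage-westeurope/providers/")
SAMPLE = {
    PREFIX + "Microsoft.KeyVault/vaults/cc-production-vault": [],
    PREFIX + "Microsoft.Storage/storageAccounts/cc-web-storage-account": {
        "value": [{
            "name": "metrics-only",
            "storageAccountId": PREFIX + "Microsoft.Storage/storageAccounts/abcd1234abcd1234abcd1234",
            "logs": [],
            "metrics": [{"category": "Transaction", "enabled": True}],
        }]
    },
    PREFIX + "Microsoft.Network/networkSecurityGroups/cc-web-nsg": [{
        "name": "to-workspace",
        "workspaceId": PREFIX + "Microsoft.OperationalInsights/workspaces/cc-security-law",
        "storageAccountId": None,
        "logs": [{"categoryGroup": "allLogs", "enabled": True}],
        "metrics": [],
    }],
}


def audit_sample() -> dict[str, str]:
    """Offline run over the constructed sample; same logic as audit_subscription."""
    return {rid: classify(as_list(raw)) for rid, raw in SAMPLE.items()}


if __name__ == "__main__":
    for rid, verdict in audit_sample().items():
        print(f"{verdict:14} {rid}")
```

Swap audit_sample() for audit_subscription("<subscription id>") to run it against a real subscription; anything other than OK is a finding for this rule.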

Remediation / Resolution

To enable exporting activity logs for each Microsoft Azure cloud resource within your Azure subscription, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the blade navigation panel, under Settings, select Diagnostic settings to view the diagnostics settings available for each cloud resource created within your Azure account.

04 From the Subscription filter box, select the Azure subscription that you want to access.

05 Click on the name of the Azure cloud resource that you want to reconfigure and choose + Add diagnostic setting. A diagnostic setting specifies a list of categories of platform logs and/or metrics that you want to collect from a cloud resource, and one or more destinations that you would like to stream them to.

06 On the Diagnostic setting setup page, perform the following actions:

  1. Provide a unique name for your new diagnostic setting in the Diagnostic setting name box.
  2. In the Category details section, select the log(s) or metric(s) that you want to use.
  3. In the Destination details section, select one or more destinations to send the logs. For example, choose Archive to a storage account to send the logs to an Azure storage account of your choice. The storage account needs to be in the same region as the resource being monitored if the resource is regional.
  4. Choose Save to apply the changes.

07 Repeat steps no. 5 and 6 for each Azure cloud resource provisioned within the selected subscription.

08 Repeat steps no. 4 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor diagnostic-settings create command (Windows/macOS/Linux) to create a diagnostic setting for the specified Azure cloud resource. For example, the following command request creates a diagnostic setting named "cc-audit-diagnostic-setting" for an Azure Key Vault, that sends the collected audit logs to the storage account named "abcd1234abcd1234abcd1234" (the --storage-account parameter accepts either the name or the full resource ID):

az monitor diagnostic-settings create \
  --name "cc-audit-diagnostic-setting" \
  --resource "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-vault" \
  --storage-account abcd1234abcd1234abcd1234 \
  --logs '[
    {
      "category": "AuditEvent",
      "enabled": true,
      "retentionPolicy": {
        "enabled": true,
        "days": 365
      }
    }
  ]'

The "AuditEvent" category is specific to Key Vault; other resource types expose different log categories, which you can list with az monitor diagnostic-settings categories list --resource <resource ID>. The retentionPolicy block sets a per-category retention period on the storage account destination; Azure Monitor is retiring this field in favour of storage account lifecycle management rules, so for new settings omit it and configure retention on the storage account instead. A resource can have at most five diagnostic settings.

02 The command output should return the metadata available for the new diagnostic setting:

{
  "eventHubAuthorizationRuleId": null,
  "eventHubName": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.keyvault/vaults/cc-production-vault/providers/microsoft.insights/diagnosticSettings/cc-audit-diagnostic-setting",
  "identity": null,
  "kind": null,
  "location": null,
  "logAnalyticsDestinationType": null,
  "logs": [
    {
      "category": "AuditEvent",
      "categoryGroup": null,
      "enabled": true,
      "retentionPolicy": {
        "days": 365,
        "enabled": true
      }
    }
  ],
  "metrics": [],
  "name": "cc-audit-diagnostic-setting",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "serviceBusRuleId": null,
  "storageAccountId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.Storage/storageAccounts/abcd1234abcd1234abcd1234",
  "tags": null,
  "type": "Microsoft.Insights/diagnosticSettings",
  "workspaceId": null
}

03 Repeat steps no. 1 and 2 for each Azure cloud resource provisioned in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
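The create command above hard-codes the Key Vault "AuditEvent" category, which does not carry over to other resource types. The following script is an added example (not code from the Conformity page): it discovers a resource's log categories with az monitor diagnostic-settings categories list, keeps only the log (not metric) categories, and builds the matching az monitor diagnostic-settings create command, leaving retention to storage account lifecycle management. The setting name, destination values and the sample category listing are assumptions; the live path needs az installed and an active az login.

```python
"""Remediation helper for the CLI step above (added example, not from the page)."""
import json
import subprocess
from typing import Any

# Destination flags accepted by `az monitor diagnostic-settings create`.
DESTINATION_FLAGS = ("storage-account", "workspace", "event-hub-rule")


def run_az(args: list[str]) -> Any:
    """Run an Azure CLI command and parse its JSON output (needs `az login`)."""
    proc = subprocess.run(
        ["az", *args, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def log_categories(categories_output: Any) -> list[str]:
    """Keep only log categories (categoryType == "Logs"); metric categories
    belong under --metrics, not --logs. Accepts both CLI output shapes."""
    items = (categories_output.get("value", [])
             if isinstance(categories_output, dict) else categories_output or [])
    return [c["name"] for c in items if c.get("categoryType") == "Logs"]


def build_create_command(resource_id: str, setting_name: str,
                         destination: tuple[str, str],
                         categories: list[str]) -> list[str]:
    """argv for `az monitor diagnostic-settings create`.

    destination is (flag, value), e.g. ("storage-account", "<name or ID>").
    No retentionPolicy is emitted: Azure Monitor is retiring that field, so
    retention should be set with storage account lifecycle management.
    """
    flag, value = destination
    if flag not in DESTINATION_FLAGS:
        raise ValueError(f"unsupported destination flag: {flag}")
    if not categories:
        raise ValueError("resource exposes no log categories; nothing to export")
    logs = [{"category": c, "enabled": True} for c in categories]
    return ["az", "monitor", "diagnostic-settings", "create",
            "--name", setting_name,
            "--resource", resource_id,
            f"--{flag}", value,
            "--logs", json.dumps(logs)]


def remediate(resource_id: str, destination: tuple[str, str],
              setting_name: str = "cc-audit-diagnostic-setting",
              dry_run: bool = True) -> Any:
    """Live version: discover the resource's categories, then create the
    setting (or only print the command when dry_run is True)."""
    cats = log_categories(run_az(["monitor", "diagnostic-settings", "categories",
                                  "list", "--resource", resource_id]))
    cmd = build_create_command(resource_id, setting_name, destination, cats)
    if dry_run:
        print(" ".join(cmd))
        return cmd
    return run_az(cmd[1:])  # run_az prepends "az" itself


# Constructed sample (not captured from a real tenant): the shape returned by
# `az monitor diagnostic-settings categories list` for a Key Vault, in the
# older {"value": [...]} wrapper.
VAULT_ID = ("/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd"
            "/resourceGroups/cloud-shell-storage-westeurope"
            "/providers/Microsoft.KeyVault/vaults/cc-production-vault")
SAMPLE_CATEGORIES = {"value": [
    {"name": "AuditEvent", "categoryType": "Logs"},
    {"name": "AzurePolicyEvaluationDetails", "categoryType": "Logs"},
    {"name": "AllMetrics", "categoryType": "Metrics"},
]}


def sample_command() -> list[str]:
    """Offline run over the constructed sample."""
    return build_create_command(VAULT_ID, "cc-audit-diagnostic-setting",
                                ("storage-account", "abcd1234abcd1234abcd1234"),
                                log_categories(SAMPLE_CATEGORIES))


if __name__ == "__main__":
    print(" ".join(sample_command()))
```

For a real subscription, feed the non-compliant resource IDs from the audit into remediate() with dry_run=True first, review the printed commands (in particular that a storage account destination is in the same region as each regional resource), and then rerun with dry_run=False.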


Publication date Mar 9, 2022