Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Azure Activity Log Profile in Use (Deprecated)

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Status: Deprecated
Please note this rule has been deprecated from the Conformity system and should not be enabled. For more information on rule deprecation, see here. Azure log profile is the legacy method for capturing and storing activity logs and has been superseded by the newer diagnostic settings options. For more information, refer to the documentation on activity logs.

Risk Level: Medium (should be achieved)
Rule ID: Monitor-001

Ensure there is a Log Profile created for each Microsoft Azure account subscription for exporting activity logs. The Azure activity log captures all management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. To make sure that all activity events recorded for your subscription are retained for a longer duration, you can create and configure a Log Profile to archive the activity log to an Azure storage account or stream it to an Event Hub. Each Microsoft Azure subscription can have only one Log Profile.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security
Reliability

A Log Profile controls how and where an Azure activity log is exported. A well configured Log Profile should allow your activity logs to be exported and stored for a longer period of time in order to be able to perform a better analysis of the activity recorded within your Azure subscription, useful later for security and compliance auditing.

Audit

To determine if there is a Log Profile created for each Microsoft Azure subscription, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the navigation panel, select Activity log to access the activity log available in your Azure cloud account.

04 From the Subscription filter box, select the Azure account subscription that you want to examine.

05 On the Activity log page, check for any Log Profiles configured for the selected subscription. If there is no Log Profile currently available, the selected Microsoft Azure subscription does not have a Log Profile configured.

06 Repeat step no. 4 and 5 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor log-profiles list command (Windows/macOS/Linux) using custom query filters to list the name of the Log Profile created for the current Azure subscription: 

az monitor log-profiles list --query '[*].name'

02 The command output should return the requested Log Profile identifier: 

[]

If the monitor log-profiles list command output returns an empty array, as shown in the example above, there is no Log Profile created to export activity logs within the selected Microsoft Azure subscription.

03 Repeat step no. 1 and 2 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To create and configure a Log Profile for each subscription available within your Microsoft Azure account in order to archive your Azure activity logs to a storage account or stream them to an Event Hub, perform the following operations:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the navigation panel, select Activity log to access the activity log available within your Azure account.

04 From the Subscription filter box, select the Azure account subscription where you want to create the new Log Profile.

05 On the Activity log page, click on the purple banner to launch the Export activity log setup page (Azure Management Console legacy experience).

06 On the Diagnostic settings page, click Diagnostic settings. Diagnostic settings are used to configure the streaming export of the Azure subscription logs and metrics to the destination of your choice.

07 On the Export activity log panel, perform the following actions:

  1. Select the appropriate subscription from the Subscription dropdown list.
  2. From Regions dropdown list, select the regions with the events to export. It is recommended to select all regions to make sure that you export all the key events recorded, as the Azure activity log is a global (non-regional) log and so most events don’t have a region associated with them.
  3. Select Export to a storage account if you want to write the activity log to an Azure storage account. Click Select a storage account and choose the Azure storage account that will store your log data. Enter the number of days that you need to retain your activity log data in the Retention day(s) box or use the slider control to set the appropriate retention period. A setting of 0 (zero) days retains the logs forever.
  4. Select Export to an event hub if you want to write the activity log to an Azure Event Hub. Click Select a service bus namespace and choose the event hub namespace in which you would like an event hub to be created for streaming your activity log data.
  5. Click Save to complete the setup process for your new Azure Log Profile and return to the Activity log blade.

08 Repeat steps no. 4 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor log-profiles create command (Windows/macOS/Linux) to create a new Log Profile for the selected Microsoft Azure subscription in order to archive all Azure activity logs to a storage account or stream them to an Azure Event Hub. For example, the following command request creates an Azure Log Profile named "cc-log-profile", that writes Delete, Write and Action event-type activity logs to an Azure storage account identified by the ID "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcd1234abcd1234abcd", available within West Europe region (the command does not produce an output): 

az monitor log-profiles create
	--name cc-log-profile
	--categories "Delete" "Write" "Action"
	--days 365
	--enabled true
	--location "westeurope"
	--locations "westeurope"
	--storage-account-id "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcd1234abcd1234abcd"

02 Repeat step no. 1 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Jul 29, 2019

Related Monitor rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Azure Activity Log Profile in Use (Deprecated)

Risk Level: Medium