Activity Log All Activities

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that the Log Profile created for your Azure cloud activity log is configured to collect logs for all the control & management activity categories, i.e. "Write", "Delete" and "Action" for security and compliance purposes. A Log Profile controls how the activity log is exported and retained within your Microsoft Azure cloud account.

Security

By configuring your account Log Profile to collect logs for "Write", "Delete" and "Action" event categories ensures that all the control and management activities performed on your Azure subscription are exported. These logs can be extremely useful for security and compliance auditing.

Note: When the Azure Log Profile is created using Microsoft Azure Management Console (Azure Portal), by default it is configured to export all activity log event categories. However, when the Log Profile is created using the Azure Command Line Interface (CLI), the user can explicitly choose which of the event categories to export.


Audit

To determine if your Azure Log Profile is configured to export logs for all activities, perform the following actions:

Note: Verifying Azure Log Profile configuration for event categories to export using Microsoft Azure Management Console is not currently supported.

Using Azure CLI

01 Run monitor log-profiles list command (Windows/macOS/Linux) using custom query filters to get the name of the event categories to export, configured for the Log Profile available in the current Azure subscription. If there is no Log Profile currently available, follow the steps outlined in this conformity rule to create one. Each Azure subscription has only one Log Profile:

az monitor log-profiles list
	--query '[*].categories[]'

02 The command output should return the requested configuration information, i.e. the activity log event categories to export:

[
  "Action"
]

If the monitor log-profiles list command output does not return an array with all activity log event categories, i.e. "Write", "Delete" and "Action", the configuration of the Log Profile created to export activity logs within the selected Microsoft Azure subscription is not compliant.

03 Repeat step no. 1 and 2 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To configure your Microsoft Azure Log Profiles to export logs for all activities (i.e. "Write", "Delete" and "Action"), perform the following actions:

Note: Configuring Azure Log Profile to export logs for all available activities using Microsoft Azure Management Console is not currently supported.

Using Azure CLI

01 Run monitor log-profiles list command (Windows/macOS/Linux) using custom query filters to get the name of the Log Profile available in the current Azure subscription. Each Microsoft Azure subscription has only one Log Profile:

az monitor log-profiles list
	--query '[*].name'

02 The command output should return the name of the requested Azure Log Profile:

[
  "cc-activity-log-profile"
]

03 Run monitor log-profiles update command (Windows/macOS/Linux) using the name of the Azure Log Profile returned at the previous step as identifier parameter to configure the selected profile to export logs for all the activities/operations performed within the current Microsoft Azure subscription, i.e. "Write", "Delete" and "Action" (the command does not produce an output):

az monitor log-profiles update
	--name cc-activity-log-profile
	--set categories=["Delete","Write","Action"]

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Jul 29, 2019

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Activity Log All Activities

Risk level: Medium