Monitor audit profile should log all activities

Description

The log profile should be configured to export all activities from the control/management plane. A log profile controls how the activity log is exported. Configuring the log profile to collect logs for the categories “write”, “delete” and “action” ensures that all the control/management plane activities performed on the subscription are exported.
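An added example (not part of the original rule documentation) of checking this rule offline against exported log profile data. The function names and sample profiles are constructed for illustration, and it assumes CLI-style output carries "categories" at the top level while ARM resources nest it under "properties":

```python
import json

REQUIRED = {"write", "delete", "action"}


def missing_categories(profile):
    """Return the required categories a log profile does not export."""
    # Assumption: ARM resources nest settings under "properties";
    # CLI-style output carries "categories" at the top level.
    props = profile.get("properties") or profile
    present = {str(c).lower() for c in (props.get("categories") or [])}
    return sorted(REQUIRED - present)


def audit(profiles):
    """Map profile name -> missing categories.

    A subscription with no log profile at all exports nothing,
    so an empty list is reported as a finding too.
    """
    if not profiles:
        return {"<no log profile>": sorted(REQUIRED)}
    findings = {}
    for profile in profiles:
        gaps = missing_categories(profile)
        if gaps:
            findings[profile.get("name", "<unnamed>")] = gaps
    return findings


# Constructed sample input: two compliant profiles, two non-compliant.
SAMPLE = json.loads("""
[
  {"name": "default", "categories": ["Write", "Delete", "Action"]},
  {"name": "cli-created", "categories": ["Write"]},
  {"type": "Microsoft.Insights/logprofiles", "name": "TestLogProfile",
   "properties": {"categories": ["Action", "Delete", "Write"]}},
  {"name": "empty", "properties": {"categories": []}}
]
""")

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE).items():
        print(f"FAIL {name}: missing {', '.join(gaps)}")
```
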

Remediation Steps

Azure Portal

  • When you create a log profile using the Azure Portal, the write, delete, and action categories are selected by default. However, if you created the log profile via the command line, remediation is not possible via the portal.

Azure CLI

  • To log all activities, follow the Azure documentation to create a log profile and set the desired flags, including --categories "Delete" "Write" "Action":

az monitor log-profiles create --categories
                               --days
                               --enabled {false, true}
                               --location
                               --locations
                               --name
                               [--service-bus-rule-id]
                               [--storage-account-id]
                               [--subscription]
                               [--tags]

Azure Resource Manager

{
  "properties": {
    "categories": [
      "Action",
      "Delete",
      "Write"
    ]
  }
  // other required fields here
}

Example Configuration

{
  "type": "Microsoft.Insights/logprofiles",
  "apiVersion": "2016-03-01",
  "name": "TestLogProfile",
  "properties": {
    "categories": [
      "Action",
      "Delete",
      "Write"
    ]
  }
  // other required fields here
}

Terraform

Example Configuration

resource "azurerm_monitor_log_profile" "example" {
  name = "default"

  categories = [
    "Action",
    "Delete",
    "Write",
  ]
  # other required fields here
}