Monitor audit profile should log all activities

Description

The log profile should be configured to export all activities from the control/management plane. A log profile controls how the activity log is exported. Configuring the log profile to collect logs for the categories “write”, “delete” and “action” ensures that all the control/management plane activities performed on the subscription are exported.

Portal Remediation Steps

  • When you create a log profile using the Azure Portal, the write, delete, and action categories are selected by default. However, if you’ve created the log profile via the command line, remediation is not possible via the portal.

CLI Remediation Steps

  • To log all activities, follow the Azure documentation to create a log profile and set the desired flags, including --categories "Delete" "Write" "Action":

az monitor log-profiles create --categories
                               --days
                               --enabled {false, true}
                               --location
                               --locations
                               --name
                               [--service-bus-rule-id]
                               [--storage-account-id]
                               [--subscription]
                               [--tags]
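
An added example (not part of the original page or of Azure's documentation): a Python check that reads the JSON printed by `az monitor log-profiles list` and reports which of the three required categories each log profile is missing. The sample JSON is constructed, and the field names `name` and `categories` are assumed to match that command's output.

```python
import json
import sys

# Categories the page requires in every log profile.
REQUIRED = {"write", "delete", "action"}

# Constructed sample, shaped like `az monitor log-profiles list -o json`.
SAMPLE = """
[
  {
    "name": "cli-created-profile",
    "categories": ["Write", "Delete"],
    "locations": ["global", "westeurope"],
    "retentionPolicy": {"days": 365, "enabled": true}
  }
]
"""

def missing_categories(profile):
    """Return the required categories a profile does not export, sorted."""
    present = {str(c).lower() for c in (profile.get("categories") or [])}
    return sorted(REQUIRED - present)

def audit(profiles_json):
    """Return (profile name, missing categories) for each non-compliant profile.

    A subscription with no log profile exports nothing, so it is reported too.
    """
    profiles = json.loads(profiles_json)
    if not profiles:
        return [("<no log profile>", sorted(REQUIRED))]
    findings = []
    for profile in profiles:
        missing = missing_categories(profile)
        if missing:
            findings.append((profile.get("name", "<unnamed>"), missing))
    return findings

if __name__ == "__main__":
    # Pipe real CLI output in, or run with no input to use the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    findings = audit(data)
    for name, missing in findings:
        print(f"FAIL {name}: missing {', '.join(missing)}")
    sys.exit(1 if findings else 0)
```

Saved under a hypothetical name such as check_log_profile.py, it can be fed live output with `az monitor log-profiles list -o json | python check_log_profile.py`; a non-zero exit status marks a failing subscription.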