Monitor audit profile should log all activities


The log profile should be configured to export all activities from the control/management plane. A log profile controls how the activity log is exported. Configuring the log profile to collect logs for the categories “write”, “delete” and “action” ensures that all the control/management plane activities performed on the subscription are exported.

Remediation Steps

Azure Portal

  • When you create a log profile using the Azure Portal, the write, delete, and action categories are selected by default. However, if you created the log profile via the command line, remediation is not possible via the portal.

Azure CLI

  • To log all activities, follow the Azure documentation to create a log profile and set the desired flags, including --categories "Delete" "Write" "Action":

az monitor log-profiles create --categories
                               --enabled {false, true}


Example Configuration

resource "azurerm_monitor_log_profile" "example" {
  name = "default"

  categories = [
  # other required fields here