Azure Introduction
Azure Pricing
Azure Threats
Ensure log profile is configured to export all activities
More Info:
A log profile controls how the activity log is exported. Configuring the log profile to collect logs for the categories ‘write’, ‘delete’ and ‘action’ ensures that all the control/management plane activities performed on the subscription are exported.
Risk Level
Low
Address
Security, Operational Maturity
Compliance Standards
GDPR, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration of ensuring log profile is configured to export all activities in Azure, you can follow the below steps:
- Login to Azure portal (https://portal.azure.com/)
- In the left navigation pane, click on “Log Analytics workspaces”
- Select the workspace that you want to configure for exporting all activities
- In the workspace, click on “Log Analytics” in the left navigation pane
- Click on “Export” in the top navigation bar
- Click on “Add Export” button
- In the “Add Export” blade, select the following options:
- “Destination”: “Storage Account”
- “Storage Account”: Select an existing storage account or create a new one
- “Container”: Enter the name of the container where the logs will be exported
- “Path”: Enter the path where the logs will be exported
- “Format”: Select “JSON” or “CSV” format for the exported logs
- “Schedule”: Select “Continuous Export” to export logs continuously
- “Status”: Select “Enabled” to enable the export
- Click on “Save” button to save the export configuration
Once you have completed these steps, all activities in your Azure environment will be exported to the specified storage account and container in the specified format. You can then use this data for analysis, auditing and compliance purposes.
To remediate the misconfiguration “Ensure log profile is configured to export all activities” in Azure using Azure CLI, follow the below steps:
Step 1: Open the Azure CLI on your system or use Azure Cloud Shell.
Step 2: Run the following command to create a log profile:
az monitor log-profiles create --name <log-profile-name> --locations <location-name> --categories Write --enabled true
Here, replace <log-profile-name>
with a name for the log profile and <location-name>
with the location where you want to create the log profile.
Step 3: Verify the log profile is created successfully by running the following command:
az monitor log-profiles show --name <log-profile-name>
This command will show the details of the log profile that you created.
Step 4: Once the log profile is created, you can configure it to export all activities by running the following command:
az monitor diagnostic-settings create --name <diagnostic-settings-name> --resource <resource-id> --logs '[{"category": "Write", "enabled": true}]' --metrics '[{"category": "AllMetrics", "enabled": true}]' --storage-account <storage-account-id>
Here, replace <diagnostic-settings-name>
with a name for the diagnostic settings, <resource-id>
with the ID of the resource for which you want to configure the log profile, and <storage-account-id>
with the ID of the storage account where you want to export the logs.
Step 5: Verify the diagnostic settings are created successfully by running the following command:
az monitor diagnostic-settings show --name <diagnostic-settings-name> --resource <resource-id>
This command will show the details of the diagnostic settings that you created.
Once you have completed these steps, the log profile will be configured to export all activities, and you will be able to view the logs in the specified storage account.
To remediate the misconfiguration “Ensure log profile is configured to export all activities” for Azure using Python, you can use the Azure SDK for Python. Here are the step-by-step instructions:
- Install the Azure SDK for Python using pip:
pip install azure-mgmt-monitor
- Authenticate to your Azure account using the Azure SDK for Python. You can use the following code snippet:
from azure.identity import DefaultAzureCredential
from azure.mgmt.monitor import MonitorManagementClient
credential = DefaultAzureCredential()
subscription_id = "<your-subscription-id>"
resource_group_name = "<your-resource-group-name>"
workspace_name = "<your-workspace-name>"
monitor_client = MonitorManagementClient(credential, subscription_id)
- Get the existing log profile for the workspace using the
monitor_client.log_profiles.get
method:
log_profile = monitor_client.log_profiles.get(resource_group_name, workspace_name)
- Update the log profile to export all activities using the
monitor_client.log_profiles.create_or_update
method:
log_profile.categories = ["Write", "Delete", "Action"]
log_profile.locations = ["/"]
log_profile.retention_policy.enabled = True
log_profile.retention_policy.days = 365
monitor_client.log_profiles.create_or_update(resource_group_name, workspace_name, log_profile)
This will update the log profile for the specified workspace to export all activities. You can customize the log profile settings as per your requirements.