Description:

Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example,

reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB.

The content of these logs varies by resource type. A number of back-end services were not configured to log and store Resource Logs for

certain activities or for a sufficient length. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.


Rationale:

A lack of monitoring reduces the visibility into the data plane, and therefore an organization's ability to detect reconnaissance, authorization attempts or other malicious activity. Unlike Activity Logs, Resource Logs are not enabled by default. Specifically,

without monitoring it would be impossible to tell which entities had accessed a data store that was breached. In addition, alerts for failed attempts to access APIs for Web Services or Databases are only possible when logging is enabled.


Impact:

Costs for monitoring varies with Log Volume. Not every resource needs to have logging

enabled. It is important to determine the security classification of the data being

processed by the given resource and adjust the logging based on which events need to

be tracked. This is typically determined by governance and compliance requirements.


Audit:


From Azure Portal

The specific steps for configuring resources within the Azure console vary depending on resource, but typically the steps are:

1. Go to the resource

2. Click on Diagnostic settings

3. In the blade that appears, click "Add diagnostic setting"

4. Configure the diagnostic settings

5. Click on Save


From Azure CLI

List all resources for a subscription

az resource list --subscription <subscription id>

For each resource run the following

az monitor diagnostic-settings list --resource <resource ID>

An empty result means a diagnostic settings is not configured for that resource. An error message means a diagnostic settings is not supported for that resource.


From PowerShell

Get a list of resources in a subscription context and store in a variable

    

 $resources = Get-AzResource

Loop through each resource to determine if a diagnostic setting is configured or not.

foreach ($resource in $resources) {$diagnosticSetting = GetAzDiagnosticSetting -ResourceId $resource.id -ErrorAction "SilentlyContinue";

if ([string]::IsNullOrEmpty($diagnosticSetting)) {$message = "Diagnostic

Settings not configured for resource: " + $resource.Name;Write-Output

$message}else{$diagnosticSetting}}

A result of Diagnostic Settings not configured for resource: <resource name>

means a diagnostic settings is not configured for that resource. Otherwise, the output

of the above command will show configured Diagnostic Settings for a resource.


Remediation:

Azure Subscriptions should log every access and operation for all resources. Logs should be sent to Storage and a Log Analytics Workspace or equivalent third-party system. Logs should be kept in readily-accessible storage for a minimum of one year,

and then moved to inexpensive cold storage for a duration of time as necessary. If retention policies are set but storing logs in a Storage Account is disabled (for example, if only Event Hubs or Log Analytics options are selected), the retention policies have no

effect. Enable all monitoring at first, and then be more aggressive moving data to cold storage if the volume of data becomes a cost concern.


From Azure Portal

The specific steps for configuring resources within the Azure console vary depending on resource, but typically the steps are:

1. Go to the resource

2. Click on Diagnostic settings

3. In the blade that appears, click "Add diagnostic setting"

4. Configure the diagnostic settings

5. Click on Save


From Azure CLI

For each resource, run the following making sure to use a resource appropriate JSON encoded category for the --logs option.

az monitor diagnostic-settings create --name <diagnostic settings name> --

resource <resource ID> --logs "[{category:<resource specific

category>,enabled:true,rentention-policy:{enabled:true,days:180}}]" --metrics

"[{category:AllMetrics,enabled:true,retentionpolicy:{enabled:true,days:180}}]" <[--event-hub <event hub ID> --event-hubrule <event hub auth rule ID> | --storage-account <storage account ID> |--

workspace <log analytics workspace ID> | --marketplace-partner-id <full

resource ID of third-party solution>]>


From PowerShell

Create the log settings object

$logSettings = @()

$logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -

RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category <resource

specific category>

$logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -

RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category <resource

specific category number 2>

Create the metric settings object

$metricSettings = @()

$metricSettings += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true

-RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AllMetrics

Create the diagnostic setting for a specific resource

New-AzDiagnosticSetting -Name "<diagnostic settings name>" -ResourceId <resource ID> -Log $logSettings -Metric $metricSettings


Default Value:

By default, Azure Monitor Resource Logs are 'Disabled' for all resources.


References:

1. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3- logging-threat-detection#lt-3-enable-logging-for-security-investigation

2. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3- logging-threat-detection#lt-5-centralize-security-log-management-and-analysis

3. https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/monitor-azureresource

4. Supported Log Categories: https://docs.microsoft.com/en-us/azure/azuremonitor/essentials/resource-logs-categories

5. Logs and Audit - Fundamentals: https://docs.microsoft.com/enus/azure/security/fundamentals/log-audit

6. Collecting Logs: https://docs.microsoft.com/en-us/azure/azuremonitor/platform/collect-activity-logs

7. Key Vault Logging: https://docs.microsoft.com/en-us/azure/key-vault/key-vaultlogging

8. Monitor Diagnostic Settings: https://docs.microsoft.com/enus/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest

9. Overview of Diagnostic Logs: https://docs.microsoft.com/en-us/azure/azuremonitor/platform/diagnostic-logs-overview

10.Supported Services for Diagnostic Logs: https://docs.microsoft.com/enus/azure/azure-monitor/platform/diagnostic-logs-schema

11.Diagnostic Logs for CDNs: https://docs.microsoft.com/en-us/azure/cdn/cdnazure-diagnostic-logs