Description:

Subscription Activity Logs provide a record of all management-level operations performed within your Azure subscription. These logs include actions like resource creation, modification, deletion, and access control changes, which are critical for auditing and monitoring activities at the subscription level. Enabling a diagnostic setting for Subscription Activity Logs ensures that this log data is captured and stored in a specified destination, such as Log Analytics, Event Hub, or Storage Account. This allows you to analyze the logs, monitor subscription activities, and maintain a history of actions for compliance and security purposes.

Rationale:

By enabling a Diagnostic Setting for Subscription Activity Logs, you can:

  • Track and monitor all changes made to resources and services at the subscription level.

  • Enhance security by auditing user and administrative actions within the subscription.

  • Meet compliance requirements by capturing and retaining logs of critical activities.

  • Enable proactive monitoring by integrating these logs with Azure Monitor, Log Analytics, or a third-party SIEM via Event Hub.

Enabling the diagnostic setting ensures that you capture the full scope of actions performed across all resources within the subscription, including API calls, user activities, and administrative operations.

Impact:

Enabling Subscription Activity Logs provides better insight into the operational and security state of your Azure subscription. However, enabling logging will generate additional data that may increase storage costs, depending on the retention period and volume of logs captured. You should implement appropriate log retention and query management strategies to control costs.

Default Value:

By default, Subscription Activity Logs are available for Azure subscriptions but are not automatically captured in Log Analytics, Event Hub, or Storage Accounts. A diagnostic setting must be manually configured to capture and send these logs to the desired destination.

Pre-requisites:

  • Azure subscription with Owner or Contributor permissions.

  • Owner or Contributor role permissions to configure diagnostic settings.

  • Log Analytics workspace, Storage Account, or Event Hub to store and analyze the logs.

Audit:

  1. Sign in to Azure portal as an Owner or Contributor.

  2. Navigate to Azure Monitor and review Diagnostic Settings for the subscription to ensure Activity Logs are captured.

  3. Verify that the Subscription Activity Logs are being sent to the appropriate destination (e.g., Log Analytics workspace, Event Hub, or Storage Account).
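An offline check for the audit steps above, added here as an example (it is not part of the benchmark text): it consumes the JSON that `az monitor diagnostic-settings subscription list -o json` returns (output shape assumed) and flags any setting with no destination, any setting with no enabled categories, and any required category that no setting forwards. The required-category baseline is an assumption and should be set to organisational policy.

```python
"""Offline audit of subscription activity-log diagnostic settings.

Added example, not from the benchmark. Input shape assumed to match
`az monitor diagnostic-settings subscription list -o json`: a list of
settings, each with `logs` (category/enabled pairs) and optional
`workspaceId`, `storageAccountId`, `eventHubAuthorizationRuleId`.
"""
import json

# Activity-log categories an auditor expects enabled (assumed baseline).
REQUIRED_CATEGORIES = {"Administrative", "Security", "Policy", "Alert"}
# Any one of these set on a diagnostic setting means the logs go somewhere.
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


def audit_settings(settings, required=REQUIRED_CATEGORIES):
    """Return (compliant, findings) for a list of diagnostic settings."""
    findings = []
    covered = set()  # categories that are enabled AND reach a destination
    for setting in settings:
        name = setting.get("name", "<unnamed>")
        destinations = [k for k in DESTINATION_KEYS if setting.get(k)]
        enabled = {entry["category"] for entry in setting.get("logs", [])
                   if entry.get("enabled")}
        if not destinations:
            findings.append(f"{name}: no destination configured")
            continue  # categories enabled here are not delivered anywhere
        if not enabled:
            findings.append(f"{name}: no log categories enabled")
        covered |= enabled
    missing = set(required) - covered
    if missing:
        findings.append("categories not sent anywhere: " + ", ".join(sorted(missing)))
    return (not findings, findings)


# Constructed sample: one usable setting plus one with no destination.
SAMPLE = json.loads("""[
  {"name": "SubscriptionActivityLogs",
   "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-audit",
   "logs": [{"category": "Administrative", "enabled": true},
            {"category": "Security", "enabled": true},
            {"category": "Policy", "enabled": true},
            {"category": "Alert", "enabled": false}]},
  {"name": "orphaned", "logs": [{"category": "Alert", "enabled": true}]}
]""")

if __name__ == "__main__":
    ok, notes = audit_settings(SAMPLE)
    print("COMPLIANT" if ok else "NON-COMPLIANT", *notes, sep="\n")
```

Pipe real output into `audit_settings(json.load(sys.stdin))` to run the same check against a live subscription.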

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account with Owner or Contributor permissions.

  2. Navigate to Azure Monitor:

    • In the Azure portal, search for Azure Monitor and select it.

  3. Go to Diagnostic Settings:

    • In Azure Monitor, select Diagnostic settings under the Monitoring section.

  4. Add a New Diagnostic Setting:

    • In the Diagnostic Settings pane, click + Add diagnostic setting to create a new setting for Subscription Activity Logs.

    • Under Category Details, select SubscriptionActivityLogs. This category will capture all activity logs for the subscription.

  5. Choose Destination for Logs:

    • Choose one or more destinations where the logs should be sent:

      • Log Analytics workspace: For querying and analyzing logs using Azure Monitor.

      • Storage Account: For long-term retention or access to the logs.

      • Event Hub: For forwarding logs to an external SIEM system or third-party tool.

  6. Select the Destination:

    • If you selected Log Analytics workspace, choose the relevant Log Analytics workspace where the logs will be sent.

    • If you selected Storage Account, choose the relevant Storage Account.

    • If you selected Event Hub, specify the Event Hub namespace and Event Hub to send the logs.

  7. Set Retention Policy:

    • You can specify the log retention period based on your organizational needs. Logs can be retained for up to 2 years in Log Analytics or Storage Accounts.

  8. Review and Create:

    • Review your diagnostic setting configuration to ensure you are capturing the Subscription Activity Logs and sending them to the appropriate destination.

    • Click Save to apply the changes and start capturing the logs.

  9. Verify Log Capture:

    • After configuring the diagnostic setting, trigger some activity (e.g., create or delete a resource) within the Azure subscription to ensure logs are generated.

    • Navigate to the selected destination (e.g., Log Analytics workspace, Event Hub, or Storage Account) and verify that the logs are captured.

  10. Automate Diagnostic Settings with Azure CLI:

    • You can automate the configuration of Subscription Activity Log capture using the Azure CLI. Subscription-scope activity logs are configured with the subscription subcommand and the activity-log categories (Administrative, Security, Policy, Alert, and so on), not with a resource-level diagnostic setting. Here’s an example of how to set it up:

      az monitor diagnostic-settings subscription create \
        --subscription <Subscription-ID> \
        --name "SubscriptionActivityLogs" \
        --location <Region> \
        --workspace <Log-Analytics-Workspace-ID> \
        --logs '[{"category": "Administrative", "enabled": true},
                 {"category": "Security", "enabled": true},
                 {"category": "Policy", "enabled": true},
                 {"category": "Alert", "enabled": true}]'

    • Replace <Subscription-ID>, <Region> and <Log-Analytics-Workspace-ID> with the appropriate values for your environment.

  11. Set Up Alerts (Optional):

    • After enabling the Subscription Activity Logs, you can create alerts in Azure Monitor to notify you of specific activities, such as resource deletions, configuration changes, or permission modifications.

    • In Azure Monitor, go to Alerts and create a new alert rule based on the Activity Logs for specific activities.

  12. Monitor and Review Logs:

    • Use Azure Monitor and Log Analytics to regularly review the Subscription Activity Logs for insights into your subscription activities.

    • Create dashboards or alerts to detect important changes or security events.

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account with Owner or Contributor permissions.

  2. Navigate to Azure Monitor:

    • Go to Azure Monitor in the Azure portal.

  3. Remove or Modify Diagnostic Setting:

    • In Diagnostic Settings, locate the Subscription Activity Logs diagnostic setting you created.

    • You can delete the diagnostic setting or modify the categories being captured (e.g., turn off SubscriptionActivityLogs).

  4. Verify Log Collection Stopped:

    • After deleting or modifying the diagnostic setting, check your Log Analytics workspace, Storage Account, or Event Hub to ensure no further logs are being captured.

  5. Test the Reverted Configuration:

    • Perform a test action (e.g., modify resources, create a new resource) and confirm that no logs are being captured or sent to the destination.

References: