More Info:

Ensure that AuditEvent logging is enabled for Azure Key Vault instances in order to record any interactions with your vaults for enhancing data protection and compliance within your Azure cloud account.

Risk Level

Medium

Address

Security

Compliance Standards

ISO27001, HIPAA, CISAZURE, CBP

Triage and Remediation

Remediation

Using Console

To remediate the AuditEvent logging misconfiguration in AZURE using the AZURE console, you can follow the below steps:
  1. Login to the AZURE portal (https://portal.azure.com/).
  2. Navigate to the resource group where the affected resource is located.
  3. Click on the affected resource to open its properties page.
  4. In the left-hand menu, click on the “Monitoring” option.
  5. Under the Monitoring section, click on “Diagnostic settings”.
  6. Click on “Add diagnostic setting” to create a new diagnostic setting.
  7. In the “Add diagnostic setting” page, provide a name for the diagnostic setting.
  8. Under the “Logs” section, enable the “AuditEvent” log by selecting it from the list of available logs.
  9. Choose the destination where you want to send the logs (such as a storage account or event hub).
  10. Click on “Save” to save the new diagnostic setting.
Once the diagnostic setting is saved, Azure will start collecting the AuditEvent logs and sending them to the specified destination. This will remediate the AuditEvent logging misconfiguration in Azure.

To remediate the misconfiguration of AuditEvent logging not being enabled in Azure using Azure CLI, follow these steps:
  1. Open the Azure CLI on your local machine or the Azure Cloud Shell.
  2. Run the following command to enable AuditEvent logging: 
    az monitor diagnostic-settings create --name <DIAGNOSTIC-SETTING-NAME> --resource <RESOURCE-ID> --resource-type <RESOURCE-TYPE> --logs '[{"category": "AuditEvent", "enabled": true}]'
    Replace the placeholders <DIAGNOSTIC-SETTING-NAME>, <RESOURCE-ID>, and <RESOURCE-TYPE> with the appropriate values. For example, if you want to enable AuditEvent logging for a virtual machine, the command would be: 
    az monitor diagnostic-settings create --name audit-vm --resource /subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP-NAME>/providers/Microsoft.Compute/virtualMachines/<VM-NAME> --resource-type Microsoft.Compute/virtualMachines --logs '[{"category": "AuditEvent", "enabled": true}]'
  3. Once the command is executed successfully, the AuditEvent logging will be enabled for the specified resource.
  4. To verify that AuditEvent logging is enabled, run the following command: 
    az monitor diagnostic-settings show --name <DIAGNOSTIC-SETTING-NAME> --resource <RESOURCE-ID> --resource-type <RESOURCE-TYPE>
    This command will display the current diagnostic settings for the specified resource, including whether AuditEvent logging is enabled or not.
That’s it! The AuditEvent logging misconfiguration has been remediated for Azure using Azure CLI.
To remediate the AuditEvent logging misconfiguration in Azure using Python, follow these steps:
  1. Import the necessary modules:
from azure.mgmt.monitor import MonitorManagementClient
from azure.common.credentials import ServicePrincipalCredentials
  1. Set the credentials for the Azure account:
credentials = ServicePrincipalCredentials(
    client_id=<client-id>,
    secret=<client-secret>,
    tenant=<tenant-id>
)
Replace <client-id>, <client-secret>, and <tenant-id> with the corresponding values for your Azure account.
  1. Instantiate the MonitorManagementClient:
monitor_client = MonitorManagementClient(
    credentials=credentials,
    subscription_id=<subscription-id>
)
Replace <subscription-id> with the ID of the subscription you want to remediate.
  1. Enable AuditEvent logging:
monitor_client.activity_log_alerts.create_or_update(
    resource_group_name=<resource-group-name>,
    activity_log_alert_name=<alert-name>,
    activity_log_alert={
        'location': '<location>',
        'tags': {
            '<tag-key>': '<tag-value>'
        },
        'enabled': True,
        'scopes': [
            '/subscriptions/<subscription-id>'
        ],
        'condition': {
            'allOf': [
                {
                    'field': 'category',
                    'equals': 'AuditEvent'
                }
            ]
        },
        'actions': {
            'action_groups': [
                {
                    'action_group_id': '<action-group-id>'
                }
            ]
        }
    }
)
Replace <resource-group-name> with the name of the resource group containing the alert, <alert-name> with the name of the alert, <location> with the location of the alert, <tag-key> and <tag-value> with the key and value of any tags you want to add to the alert, and <action-group-id> with the ID of the action group you want to associate with the alert.
  1. Verify that AuditEvent logging is enabled:
alert = monitor_client.activity_log_alerts.get(
    resource_group_name=<resource-group-name>,
    activity_log_alert_name=<alert-name>
)

print(alert.enabled)
Replace <resource-group-name> and <alert-name> with the corresponding values for your alert.If the output is True, then AuditEvent logging is enabled.

Additional Reading: