AuditEvent logging should be enabled

More Info:

Ensure that AuditEvent logging is enabled for Azure Key Vault instances in order to record any interactions with your vaults for enhancing data protection and compliance within your Azure cloud account.

Risk Level

Medium

Address

Security

Compliance Standards

ISO27001, HIPAA, CISAZURE, CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of AuditEvent logging not being enabled in Azure using Azure CLI, follow these steps:

Open the Azure CLI on your local machine or the Azure Cloud Shell.

Run the following command to enable AuditEvent logging:

az monitor diagnostic-settings create --name <DIAGNOSTIC-SETTING-NAME> --resource <RESOURCE-ID> --resource-type <RESOURCE-TYPE> --logs '[{"category": "AuditEvent", "enabled": true}]'

Replace the placeholders <DIAGNOSTIC-SETTING-NAME>, <RESOURCE-ID>, and <RESOURCE-TYPE> with the appropriate values. For example, if you want to enable AuditEvent logging for a virtual machine, the command would be:

az monitor diagnostic-settings create --name audit-vm --resource /subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP-NAME>/providers/Microsoft.Compute/virtualMachines/<VM-NAME> --resource-type Microsoft.Compute/virtualMachines --logs '[{"category": "AuditEvent", "enabled": true}]'

Once the command is executed successfully, the AuditEvent logging will be enabled for the specified resource.
To verify that AuditEvent logging is enabled, run the following command:
```
az monitor diagnostic-settings show --name <DIAGNOSTIC-SETTING-NAME> --resource <RESOURCE-ID> --resource-type <RESOURCE-TYPE>
```
This command will display the current diagnostic settings for the specified resource, including whether AuditEvent logging is enabled or not.

That’s it! The AuditEvent logging misconfiguration has been remediated for Azure using Azure CLI.

Using Python

To remediate the AuditEvent logging misconfiguration in Azure using Python, follow these steps:

Import the necessary modules:

from azure.mgmt.monitor import MonitorManagementClient
from azure.common.credentials import ServicePrincipalCredentials

Set the credentials for the Azure account:

credentials = ServicePrincipalCredentials(
    client_id=<client-id>,
    secret=<client-secret>,
    tenant=<tenant-id>
)

Replace <client-id>, <client-secret>, and <tenant-id> with the corresponding values for your Azure account.

Instantiate the MonitorManagementClient:

monitor_client = MonitorManagementClient(
    credentials=credentials,
    subscription_id=<subscription-id>
)

Replace <subscription-id> with the ID of the subscription you want to remediate.

Enable AuditEvent logging:

monitor_client.activity_log_alerts.create_or_update(
    resource_group_name=<resource-group-name>,
    activity_log_alert_name=<alert-name>,
    activity_log_alert={
        'location': '<location>',
        'tags': {
            '<tag-key>': '<tag-value>'
        },
        'enabled': True,
        'scopes': [
            '/subscriptions/<subscription-id>'
        ],
        'condition': {
            'allOf': [
                {
                    'field': 'category',
                    'equals': 'AuditEvent'
                }
            ]
        },
        'actions': {
            'action_groups': [
                {
                    'action_group_id': '<action-group-id>'
                }
            ]
        }
    }
)

Replace <resource-group-name> with the name of the resource group containing the alert, <alert-name> with the name of the alert, <location> with the location of the alert, <tag-key> and <tag-value> with the key and value of any tags you want to add to the alert, and <action-group-id> with the ID of the action group you want to associate with the alert.

Verify that AuditEvent logging is enabled:

alert = monitor_client.activity_log_alerts.get(
    resource_group_name=<resource-group-name>,
    activity_log_alert_name=<alert-name>
)

print(alert.enabled)

Replace <resource-group-name> and <alert-name> with the corresponding values for your alert.If the output is True, then AuditEvent logging is enabled.

Additional Reading:

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-logging

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

AuditEvent logging should be enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: