Ensure that AuditActionGroups in auditing is set properly

More Info:

Configure the ‘AuditActionGroups’ property to appropriate groups to capture all the critical activities on the SQL Server and all the SQL databases hosted on the SQL server.

Risk Level

Medium

Address

Reliability, Security

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of AuditActionGroups in auditing for AZURE using AZURE CLI, follow these steps:

Open the AZURE CLI on your local machine or use the AZURE Cloud Shell.
Run the following command to get the current configuration of AuditActionGroups:
```
az monitor activity-log list --query [].categories.actionGroups
```
Check the output of the above command to see if AuditActionGroups are set properly. If not, proceed to the next step.
Run the following command to set the AuditActionGroups:
```
az monitor activity-log update --set categories.actionGroups=<comma separated list of action groups>
```
Replace <comma separated list of action groups> with the appropriate list of action groups. For example, if you want to set the AuditActionGroups to “Write”, “Delete”, and “Action”, the command would be:
```
az monitor activity-log update --set categories.actionGroups=Write,Delete,Action
```
Verify the configuration by running the first command again:
```
az monitor activity-log list --query [].categories.actionGroups
```
The output should now show the updated list of AuditActionGroups.

By following these steps, you can remediate the misconfiguration of AuditActionGroups in auditing for AZURE using AZURE CLI.

Using Python

To remediate the misconfiguration of AuditActionGroups in Azure using Python, follow the below steps:

Import the necessary libraries:

from azure.identity import DefaultAzureCredential
from azure.mgmt.monitor import MonitorManagementClient

Set the credentials:

credential = DefaultAzureCredential()
subscription_id = '<Your Subscription ID>'

Initialize the MonitorManagementClient:

monitor_client = MonitorManagementClient(credential, subscription_id)

Get the existing AuditActionGroups:

audit_action_groups = monitor_client.activity_log_alerts.list_action_groups(resource_group_name='<Your Resource Group Name>', action_group_name='<Your Action Group Name>')

Update the AuditActionGroups:

updated_audit_action_groups = [
    {
        "id": "/subscriptions/<Your Subscription ID>/resourceGroups/<Your Resource Group Name>/providers/microsoft.insights/actionGroups/<Your Action Group Name>",
        "action_group_type": "CustomEmail/SMS/Push/Voice",
        "short_name": "<Your Short Name>",
        "email_receivers": [
            {
                "name": "<Your Email Name>",
                "email_address": "<Your Email Address>",
                "use_common_alert_schema": True
            }
        ]
    }
]

monitor_client.action_groups.create_or_update(resource_group_name='<Your Resource Group Name>', action_group_name='<Your Action Group Name>', parameters=updated_audit_action_groups)

Verify the updated AuditActionGroups:

updated_audit_action_groups = monitor_client.activity_log_alerts.list_action_groups(resource_group_name='<Your Resource Group Name>', action_group_name='<Your Action Group Name>')

By following these steps, you can remediate the misconfiguration of AuditActionGroups in Azure using Python.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Ensure that AuditActionGroups in auditing is set properly

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation