Ensure that AuditActionGroups in auditing is set properly
More Info:
Configure the ‘AuditActionGroups’ property with the appropriate audit action groups so that all critical activity on the SQL Server, and on every SQL database hosted on that server, is captured.
Risk Level: Medium
Address: Reliability, Security
Compliance Standards: HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration related to AuditActionGroups in Azure, please follow the below steps:
- Log in to the Azure portal (https://portal.azure.com/).
- Go to the Azure Active Directory service.
- Select the “Audit logs” option under the Monitoring section.
- In the Audit logs blade, click on the “Diagnostic settings” option.
- Select the diagnostic setting that needs to be remediated.
- In the “Diagnostic settings” blade, scroll down to the “Categories” section.
- In the “Categories” section, ensure that the “AuditLogs” option is selected.
- Under the “AuditLogs” option, select the “Select specific actions” radio button.
- In the “Select specific actions” section, ensure that all the required AuditActionGroups are selected.
- Click on the “Save” button to save the changes.
By following the above steps, the misconfiguration related to AuditActionGroups in Azure can be remediated.
To remediate the misconfiguration of AuditActionGroups in auditing for Azure using the Azure CLI, follow these steps:
- Open the Azure CLI on your local machine or use Azure Cloud Shell.
- Run the following command to get the current configuration of AuditActionGroups:
    az monitor activity-log list --query '[].categories.actionGroups'
- Check the output of the above command to see whether the AuditActionGroups are set properly. If not, proceed to the next step.
- Run the following command to set the AuditActionGroups:
    az monitor activity-log update --set categories.actionGroups=<comma separated list of action groups>
  Replace <comma separated list of action groups> with the appropriate list of action groups. For example, to set the AuditActionGroups to “Write”, “Delete” and “Action”, the command would be:
    az monitor activity-log update --set categories.actionGroups=Write,Delete,Action
- Verify the configuration by running the first command again:
    az monitor activity-log list --query '[].categories.actionGroups'
  The output should now show the updated list of AuditActionGroups.
By following these steps, you can remediate the misconfiguration of AuditActionGroups in auditing for Azure using the Azure CLI.
To remediate the misconfiguration of AuditActionGroups in Azure using Python, follow the below steps:
- Import the necessary libraries:
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.monitor import MonitorManagementClient
    from azure.mgmt.monitor.models import ActionGroupResource, EmailReceiver
- Set the credentials:
    credential = DefaultAzureCredential()
    subscription_id = '<Your Subscription ID>'
- Initialize the MonitorManagementClient:
    monitor_client = MonitorManagementClient(credential, subscription_id)
- Get the existing AuditActionGroups:
    # Read the action group as it is currently configured
    audit_action_groups = monitor_client.action_groups.get(
        resource_group_name='<Your Resource Group Name>',
        action_group_name='<Your Action Group Name>',
    )
- Update the AuditActionGroups:
    # Action groups are global resources; the short name is limited to 12 characters
    updated_audit_action_groups = ActionGroupResource(
        location='Global',
        group_short_name='<Your Short Name>',
        enabled=True,
        email_receivers=[
            EmailReceiver(
                name='<Your Email Name>',
                email_address='<Your Email Address>',
                use_common_alert_schema=True,
            )
        ],
    )
    # create_or_update takes the resource group, the action group name and the resource body
    monitor_client.action_groups.create_or_update(
        '<Your Resource Group Name>',
        '<Your Action Group Name>',
        updated_audit_action_groups,
    )
- Verify the updated AuditActionGroups:
    updated_audit_action_groups = monitor_client.action_groups.get(
        resource_group_name='<Your Resource Group Name>',
        action_group_name='<Your Action Group Name>',
    )
By following these steps, you can remediate the misconfiguration of AuditActionGroups in Azure using Python.
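The setting this finding describes (see More Info) lives in the SQL server's auditing policy, whose AuditActionGroups list decides which logins and statements are captured. As an added example that is not part of the original page, the following Python evaluates such a policy against the audit action groups the Azure portal configures by default; the check runs offline on constructed sample policies, and fetch_server_audit_policy is a helper assumed here (using azure-mgmt-sql's SqlManagementClient) for reading the live policy.

```python
# Added example (not from the page): check a SQL server's blob auditing policy
# for the recommended AuditActionGroups; only fetch_server_audit_policy needs Azure.
# Groups the Azure portal configures by default when server auditing is enabled:
# successful and failed logins plus every completed batch.
REQUIRED_AUDIT_GROUPS = frozenset({
    "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
    "FAILED_DATABASE_AUTHENTICATION_GROUP",
    "BATCH_COMPLETED_GROUP",
})

def split_actions_and_groups(entries):
    """Split auditActionsAndGroups into (set of *_GROUP names, statement actions)."""
    groups, actions = set(), []
    for entry in entries or []:  # None: auditing was never configured
        value = entry.strip()
        if value.upper().endswith("_GROUP"):
            groups.add(value.upper())
        elif value:  # e.g. 'SELECT on dbo.Customers by public'
            actions.append(value)
    return groups, actions

def evaluate_audit_policy(state, audit_actions_and_groups, required=REQUIRED_AUDIT_GROUPS):
    """Return (compliant, findings) for one server's auditing policy."""
    findings = []
    if (state or "").lower() != "enabled":
        findings.append("server auditing is not enabled")
    groups, _ = split_actions_and_groups(audit_actions_and_groups)
    missing = sorted(required - groups)
    if missing:
        findings.append("missing audit action groups: " + ", ".join(missing))
    return not findings, findings

def fetch_server_audit_policy(credential, subscription_id, resource_group, server_name):
    """Read the live policy (assumed API: azure-mgmt-sql SqlManagementClient)."""
    from azure.mgmt.sql import SqlManagementClient  # lazy import: needs SDK + credentials
    client = SqlManagementClient(credential, subscription_id)
    policy = client.server_blob_auditing_policies.get(resource_group, server_name)
    return policy.state, policy.audit_actions_and_groups

# Constructed sample policies standing in for live SDK responses.
SAMPLE_POLICIES = {
    "sql-prod": ("Enabled", sorted(REQUIRED_AUDIT_GROUPS)),
    "sql-dev": ("Enabled", ["BATCH_COMPLETED_GROUP", "SELECT on dbo.Customers by public"]),
    "sql-legacy": ("Disabled", None),
}

if __name__ == "__main__":
    for server, (state, entries) in SAMPLE_POLICIES.items():
        ok, findings = evaluate_audit_policy(state, entries)
        print(f"{server}: {'PASS' if ok else 'FAIL'} {findings}")
```

A policy whose list contains only statement-level actions, or nothing at all, is reported as missing all three groups, so a server that was "enabled" with an emptied list still fails the check.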