Azure audit logs - avoid these typical mistakes

As a consultant working with Azure for over a decade, I have assessed the security of hundreds of solutions built on the Microsoft Azure cloud. Many companies make the same mistakes with Azure audit logs.

Some security misconfigurations show up again and again, regardless of industry or company size. In this post, I will explain what Azure audit logging is, why it is important, and how to set up Azure audit logging so that you avoid these common security misconfigurations.

If you want to dig deeper, read chapter three of my Azure Security Handbook.

Why should you care about Azure audit logs?

Audit logs are a key requirement of many compliance regulations. In case of an incident, you need to be able to verify what happened, who made the changes, and how those changes affected the system. Since the chances are that you are not a time traveler, you need to enable the audit logs before the incident happens.

Missing audit logging

It might be hard to believe, but one of the most typical misconfigurations with Azure audit logging is missing audit logging altogether. And by missing, I really do mean missing, not configuring them insufficiently. This is because most Azure services do not emit any audit logs by default, to avoid unnecessary costs and signal noise. Sadly this is true even for security-focused services such as Azure Key Vault or even Azure Web Application Firewall (WAF)!

Insufficient Azure audit logging

Many companies do audit logging and think that everything is in order, but when it is time to check the logs, they realize that the logs are insufficient.

This might be because there's a critical data source missing from the logging that was not considered during the initial setup. In the worst case, this might be a real problem with compliance regulations.

Another very common misconfiguration that leads to insufficient audit logging is to have wrong log retention settings. In this case, your log fidelity is sufficient, but the logs you need are deleted before you need to review them.

How to properly set Azure audit logs?

Azure stores Activity Logs for 90 days by default. But in the majority of security incidents, the attacker has been inside the system for longer than that. So you need to send your Azure Activity Logs to centralized log storage, such as Azure Log Analytics, your Security Information and Event Management (SIEM) system, or an Azure Storage account.

To enable Resource Logs, such as Web Application Firewall logs, navigate to the Diagnostic settings of your resource, select New, and choose the log categories and the log storage destination you prefer.

This is how you should configure your Azure Key Vault Diagnostic Settings in order to store audit logs in a Log Analytics Workspace. Note that this view only covers sending the logs. Retention is handled in the Log Analytics Workspace settings.
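The same Key Vault setup expressed as infrastructure as code, added here as an example that is not part of the original post: the diagnostic setting turns on the Key Vault AuditEvent category and sends it to a Log Analytics workspace, while retention is set on the workspace itself. The workspace name, the 365-day retention value and the parameter names are assumptions.

```bicep
// Added example, not the post's own code. Names and values below are assumed.
param location string = resourceGroup().location
param keyVaultName string                // existing Key Vault to audit (assumed, passed in)
param workspaceName string = 'law-audit' // assumed workspace name
param retentionInDays int = 365          // assumed; longer than the 90-day Activity Log default

// The existing Key Vault that emits no audit logs until a diagnostic setting exists
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// Central log store. Retention is a workspace property, not part of the
// diagnostic setting, which is where the retention mistake usually hides.
resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: {
      name: 'PerGB2018'
    }
    retentionInDays: retentionInDays
  }
}

// Diagnostic setting scoped to the Key Vault: this is the "send logs" half
resource kvDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'kv-audit-to-law'
  scope: kv
  properties: {
    workspaceId: law.id
    logs: [
      {
        // AuditEvent records every data-plane operation (who read or changed
        // which key, secret or certificate, and whether it succeeded)
        category: 'AuditEvent'
        enabled: true
      }
    ]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}
```

Deploy it with `az deployment group create` against the resource group that holds the Key Vault, then confirm in the workspace that the AzureDiagnostics table receives Key Vault AuditEvent rows.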

Learn more about Azure audit logging and other security best practices

Thank you for reading my short post about audit logging. If you still have further questions, check my book: Azure Security Handbook: A Comprehensive Guide for Defending Your Enterprise Environment

It goes both deeper and wider into all things concerning Azure security.
