Diagnostic setting does not capture AuditEvent category Affecting Monitor service in Azure

Snyk CCSS

Logging/ Configuration

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-AzureCIS-ControlsHIPAAISO-27001NIST-800-53PCI-DSSSOC-2

Snyk IDSNYK-CC-00478
creditSnyk Research Team

Report a new misconfiguration Found a mistake?

Description

Not capturing the diagnostic setting AuditEvent category for appropriate management activities can lead to missing important alerts.

How to fix?

Set properties.logs.category to AuditEvent and properties.logs.enabled to true.

Example configuration:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "resources": [
      {
        "type": "Microsoft.Insights/diagnosticSettings",
        "apiVersion": "2021-05-01-preview",
        "scope": "mykeyvault",
        "name": "allowed1",
        "properties": {
          "workspaceId": "myworkspaceId",
          "storageAccountId": "myaccountId",
          "eventHubAuthorizationRuleId": "myeventHubAuthorizationRuleId",
          "eventHubName": "myeventHubName",
          "logs": [
            {
              "category": "AuditEvent",
              "enabled": true
            }
          ],
          "metrics": [
            {
              "category": "AllMetrics",
              "enabled": true
            }
          ]
        }
      }
    ]
  }

Set log.category to AuditEvent and log.enabled to true.

For AzureRM provider < v4.0.0, set log.category to AuditEvent and log.enabled to true. Note the log attribute was deprecated in v3.63.0.
For AzureRM provider >= v4.0.0, set enabled_log.category to AuditEvent or enabled_log.category_group to one of audit or allLogs.