Diagnostic setting does not capture AuditEvent category Affecting Monitor service in Azure

Snyk CCSS

Logging / Configuration

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Azure CIS-Controls HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00478
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Not capturing the diagnostic setting AuditEvent category for appropriate management activities can lead to missing important alerts.

How to fix?

Set properties.logs.category to AuditEvent and properties.logs.enabled to true.

Example Configuration

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "resources": [
      {
        "type": "Microsoft.Insights/diagnosticSettings",
        "apiVersion": "2021-05-01-preview",
        "scope": "mykeyvault",
        "name": "allowed1",
        "properties": {
          "workspaceId": "myworkspaceId",
          "storageAccountId": "myaccountId",
          "eventHubAuthorizationRuleId": "myeventHubAuthorizationRuleId",
          "eventHubName": "myeventHubName",
          "logs": [
            {
              "category": "AuditEvent",
              "enabled": true
            }
          ],
          "metrics": [
            {
              "category": "AllMetrics",
              "enabled": true
            }
          ]
        }
      }
    ]
  }

ARM

Resource: Microsoft.Insights/diagnosticSettings

Terraform

Resource: azurerm_monitor_diagnostic_setting

References

Diagnostic settings in Azure Monitor