Cloud Incident Response Blog | Cado Security

How to be IR prepared in Azure

Written by Admin | Feb 16, 2024 10:48:00 PM

With over 200 services in Azure, it can be overwhelming for security teams to know whether they have the right logs enabled for incident investigations. When malicious activity is detected, it is critical that security teams can quickly dive into the details, and that depends on the logs having been switched on before the incident.

This blog demystifies Azure’s sometimes complicated logging methods. Below, we’ve outlined which logs should be enabled and how to enable them. This will help ensure your organization is prepared for an investigation when a security incident occurs.

 

Types of Logs in Azure

Azure Logs as Seen in Azure Monitor 

 

Within Azure, there are two types of logs: Platform Logs and Application Logs.

  • Platform Logs: Platform Logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. They are generated automatically and come in three kinds, one for each layer of Azure:
    • Resource Logs (previously Diagnostic Logs): found at the resource layer, these record operations performed within an Azure resource (the data plane), such as reading a secret from a key vault or issuing a request to a database. Their contents vary by Azure service and resource type, and they are not collected until you create a diagnostic setting for the resource.
    • Activity Logs: found at the subscription layer, these record operations performed on each Azure resource in the subscription from the outside (the management plane), such as creating a VM or changing an access policy. Activity Logs answer what, who, and when for any write operation (PUT, POST, DELETE) executed on the resources in your subscription; read (GET) operations are not recorded. There is a single Activity Log for each Azure subscription.
    • Microsoft Entra Logs (previously Azure AD logs): found at the tenant layer, these contain the sign-in history and an audit trail of changes made in Microsoft Entra ID (previously Azure Active Directory) for a tenant.
  • Application Logs: Application Logs are logs that developers send from applications hosted on Azure; they capture errors, warnings, and other runtime details.
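The what/who/when triage that the Activity Log supports, as an added example that is not part of the original post or of Cado's tooling. The entries are constructed to match the shape `az monitor activity-log list` returns (subscription ID, callers and IP addresses are made up), and the watchlist of sensitive management-plane operations is the example author's own choice, not an Azure list. The one thing the code shows that the text does not is that Azure emits a "Started" entry and then a "Succeeded" or "Failed" entry for the same write, tied together by correlationId, so a naive count of entries overstates the number of changes.

```python
import json
from datetime import datetime, timezone

# Constructed sample modelled on the Azure Activity Log entry shape returned by
# `az monitor activity-log list`. Subscription ID, callers and IPs are made up.
SAMPLE_ACTIVITY_LOG = json.loads(r"""
[
  {"eventTimestamp": "2024-02-10T09:15:42.101Z", "caller": "alice@contoso.example",
   "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
   "status": {"value": "Started"}, "correlationId": "c-0001",
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web01",
   "httpRequest": {"clientIpAddress": "203.0.113.7", "method": "PUT"}},
  {"eventTimestamp": "2024-02-10T09:15:58.440Z", "caller": "alice@contoso.example",
   "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
   "status": {"value": "Succeeded"}, "correlationId": "c-0001",
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web01",
   "httpRequest": {"clientIpAddress": "203.0.113.7", "method": "PUT"}},
  {"eventTimestamp": "2024-02-10T23:41:03.010Z", "caller": "7f1c2d3e-0000-4000-8000-000000000abc",
   "operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
   "status": {"value": "Succeeded"}, "correlationId": "c-0002",
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.Storage/storageAccounts/prodlogs",
   "httpRequest": {"clientIpAddress": "198.51.100.23", "method": "POST"}},
  {"eventTimestamp": "2024-02-10T23:42:17.555Z", "caller": "7f1c2d3e-0000-4000-8000-000000000abc",
   "operationName": {"value": "Microsoft.Insights/diagnosticSettings/delete"},
   "status": {"value": "Failed"}, "correlationId": "c-0003",
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.Storage/storageAccounts/prodlogs/blobServices/default/providers/Microsoft.Insights/diagnosticSettings/blob-audit",
   "httpRequest": {"clientIpAddress": "198.51.100.23", "method": "DELETE"}}
]
""")

# Management-plane operations worth a second look during triage. This
# watchlist is the example author's assumption, not an Azure-provided list.
WATCHLIST_SUFFIXES = (
    "/listKeys/action",
    "/roleAssignments/write",
    "/diagnosticSettings/delete",
    "/accessPolicies/write",
)

TERMINAL_STATUSES = {"Succeeded", "Failed"}


def summarize_write_operations(entries):
    """Reduce raw Activity Log entries to one who/what/when row per operation.

    Azure emits at least two entries per write (Started, then Succeeded or
    Failed) sharing a correlationId; keep only the terminal one so an
    in-progress and a completed event are not double counted.
    """
    rows = {}
    for e in entries:
        status = e["status"]["value"]
        if status not in TERMINAL_STATUSES:
            continue
        op = e["operationName"]["value"]
        when = datetime.strptime(e["eventTimestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        rows[e["correlationId"]] = {
            "when": when.replace(tzinfo=timezone.utc).isoformat(),
            "who": e["caller"],
            "ip": e.get("httpRequest", {}).get("clientIpAddress"),
            "what": op,
            "verb": op.rsplit("/", 1)[-1],  # write, delete or action
            "resource": e["resourceId"],
            "status": status,
            "watch": op.endswith(WATCHLIST_SUFFIXES),
        }
    return sorted(rows.values(), key=lambda r: r["when"])


def flagged(entries):
    """Only the rows whose operation is on the watchlist, including failures:
    a failed attempt to delete a diagnostic setting is still worth knowing."""
    return [r for r in summarize_write_operations(entries) if r["watch"]]


if __name__ == "__main__":
    for r in summarize_write_operations(SAMPLE_ACTIVITY_LOG):
        mark = "!" if r["watch"] else " "
        print(f"{mark} {r['when']} {r['status']:9} {r['who']} {r['ip']} {r['what']}")
```

Note that the caller for a service principal appears as an object ID rather than a UPN, and that the listKeys call on the storage account is the only trace the Activity Log has of a key being read; what was subsequently done with that key is only visible in the storage account's Resource Logs, which is the point of the sections below.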

 

Which Logs are Enabled by Default? And Which Need to be Enabled? 

Microsoft Azure has over 200 services, making it impossible to cover everything in this blog. However, here are some of the most frequently used Azure products, with details on what is logged by default, how long those logs are retained, and the configuration options available:

 

Azure DevOps

What is logged by default? 

Auditing is turned off by default for all Azure DevOps Services.

What can be configured?

Once enabled, Azure DevOps records an audit event whenever a user or service identity within the organization changes the state of an artifact. Examples include permission changes, deleted resources, branch policy changes, and access to the audit log itself.

How long are these logs retained?

Events get stored for 90 days, after which they’re deleted. However, you can back up audit events to an external location to keep the data for longer than the 90-day period.

How do I enable/configure logs for this service?

Auditing for Azure DevOps can be toggled on and off by organization Owners and Project Collection Administrators on the Organization Settings page. Microsoft provides a guide on how to enable auditing.

 

Azure Blob Storage

What is logged by default? 

Platform metrics and the Activity Logs are collected and stored by default.

What can be configured?

Resource Logs are not collected and stored until you create a diagnostic setting. The setting must be created on the blob service sub-resource of the storage account (storageaccount/blobServices/default), not on the storage account itself; that is where the following categories are offered:

  • StorageRead
  • StorageWrite
  • StorageDelete

How long are these logs retained?

The Activity Log is kept by the platform for 90 days by default. Resource Logs are kept only where the diagnostic setting sends them; in a Log Analytics workspace they follow the workspace retention, which can be set to up to 730 days.

How do I enable/configure logs for this service?

As stated above, platform metrics and the Activity Log are collected and stored by default, but Resource Logs must be enabled by creating a diagnostic setting. Microsoft provides a guide on creating diagnostic settings.

 

Azure Virtual Machines 

What is logged by default? 

The Activity Log records management operations on the VM, such as configuration changes and when the VM was stopped or started. It contains nothing from inside the guest operating system.

What can be configured?

The Azure Monitor agent can be installed on a VM to collect event logs, syslog and performance data from the guest operating system; what it collects, and which Log Analytics workspace it goes to, is defined by data collection rules.

How long are these logs retained?

By default, the Activity Log is retained for 90 days, but a retention period of up to 730 days can be configured in a Log Analytics workspace. Guest logs collected by the Azure Monitor agent are stored in the workspace named by the data collection rule and follow its retention.

How do I enable/configure logs for this service?

Microsoft provides a guide on installing the Azure monitor agent here, as well as instructions on how to configure the agent for VM insights and creating data collection rules. 

 

Azure Kubernetes Service 

What is logged by default? 

AKS collects the usual Activity Logs and platform metrics automatically.

What can be configured?

Control plane logs for AKS clusters are implemented as Resource Logs in Azure Monitor, with categories such as kube-audit, kube-audit-admin and kube-apiserver. They are not collected and stored until you create a diagnostic setting to route them to one or more destinations. There is also the option to enable Container Insights, which collects logs and performance data from the cluster, including the containers' stdout/stderr streams, and stores them in a Log Analytics workspace and Azure Monitor Metrics.

How long are these logs retained?

By default, AKS Activity Logs are retained for 90 days, but a retention period of up to 730 days can be configured.

How do I enable/configure logs for this service?

Microsoft provides documentation on how to enable monitoring for Kubernetes clusters here.

 

Azure Cosmos DB

What is logged by default? 

Platform metrics and the Activity Log for Cosmos DB are collected and stored by default.

What can be configured?

Resource Logs for Cosmos DB are not collected and stored by default; to enable them you have to create a diagnostic setting and choose categories such as DataPlaneRequests, ControlPlaneRequests and QueryRuntimeStatistics. Each logged request carries fields that can be queried in the destination workspace, including:

  • CollectionName
  • DatabaseName
  • OperationType
  • Region
  • StatusCode

See Microsoft's list of all resource logs and metrics supported in Azure Monitor.

How long are these logs retained?

By default the Activity Log is retained for 90 days; in a Log Analytics workspace retention can be configured up to 730 days.

How do I enable/configure logs for this service?

As previously stated, Platform Metrics and the Activity Logs are collected and stored by default. However, Resource Logs must be enabled by creating a diagnostic setting. Microsoft provides a guide on creating diagnostic settings here.

 

Microsoft Entra ID (Previously Azure Active Directory)

What does it log?

Entra ID logs comprise Sign-in Logs, Provisioning Logs, and Audit Logs.

  • Sign-in Logs: record sign-ins to the tenant, including sign-ins to your internal apps and resources.
  • Provisioning Logs: record the activities performed by the provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.
  • Audit Logs: provide a comprehensive record of every logged event in Microsoft Entra ID, including changes to applications, groups, users, and licenses.

How long are these logs retained?

Entra ID retains logs for different amounts of time depending on your Entra ID license. See the table below:

Report                                             Entra ID Free    Entra ID P1        Entra ID P2
Audit logs                                         7 days           30 days            30 days
Sign-ins                                           7 days           30 days            30 days
Microsoft Entra multifactor authentication usage   30 days          30 days            30 days
Microsoft Graph activity logs                      Not available    Must be exported   Must be exported

Microsoft Graph activity logs are not held in the portal at any tier; they are only available once routed to a storage account or an analytics tool. The same routing (a diagnostic setting on the tenant sending sign-in and audit logs to a Log Analytics workspace or storage account) is the only way to keep the other logs beyond the 7 or 30 days above.

 

Azure Content Delivery Network 

What is logged by default? 

By default, Azure content delivery records the usual Activity Logs. 

What can be configured?

Azure Content Delivery Network also has a log type of its own: raw logs. Raw logs record every request the CDN receives, including details such as the client IP, the requested URI and the response status.

How long are these logs retained?

The Activity Log is retained for 90 days by default; raw logs are kept by the destination they are sent to, where retention can be configured up to a limit of 730 days.

How do I enable/configure logs for this service?

To enable the Raw Logs, take a look at Microsoft’s guide here.

 

Azure API Management 

What is logged by default? 

Platform metrics and the Activity Logs are collected and stored by default.

What can be configured?

Resource Logs aren’t collected and stored until you create a diagnostic setting. 

How long are these logs retained?

The default retention for the Activity Log is 90 days, with the option to increase it up to 730 days in a Log Analytics workspace.

How do I enable/configure logs for this service?

As previously stated, platform metrics and the Activity Logs are collected and stored by default. However, resource logs must be enabled by creating a diagnostic setting. Microsoft Provides a guide on creating diagnostic settings here.
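The diagnostic-setting procedure is the same for Blob Storage, AKS, Cosmos DB and API Management above, so one added example covers all four. It is not code from the original post or from Cado; it builds the request body that a diagnostic setting is created from, and audits a constructed set of existing settings (in the shape `az monitor diagnostic-settings list` returns) for the gaps a responder would regret: a missing setting, a disabled category, or a setting with no destination. The category names are Azure's; which categories count as required, and all resource names and IDs, are the example author's assumptions.

```python
import json

# ARM resource IDs used throughout. Subscription and names are made up for the
# example; LAW is the Log Analytics workspace the logs are sent to.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers"
LAW = SUB + "/Microsoft.OperationalInsights/workspaces/ir-law"
STORAGE_ACCOUNT = SUB + "/Microsoft.Storage/storageAccounts/prodlogs"
BLOB = STORAGE_ACCOUNT + "/blobServices/default"
AKS = SUB + "/Microsoft.ContainerService/managedClusters/prod-aks"
COSMOS = SUB + "/Microsoft.DocumentDB/databaseAccounts/prod-cosmos"
APIM = SUB + "/Microsoft.ApiManagement/service/prod-apim"

# Log categories this check demands per resource type. The category names are
# Azure's; treating exactly these as mandatory is the example author's choice.
REQUIRED_CATEGORIES = {
    "Microsoft.Storage/storageAccounts/blobServices": {"StorageRead", "StorageWrite", "StorageDelete"},
    "Microsoft.ContainerService/managedClusters": {"kube-audit-admin", "guard"},
    "Microsoft.DocumentDB/databaseAccounts": {"DataPlaneRequests", "ControlPlaneRequests"},
    "Microsoft.ApiManagement/service": {"GatewayLogs"},
}
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")

# Constructed sample in the shape `az monitor diagnostic-settings list` returns,
# one entry per resource: blob logging with reads switched off, AKS using the
# 'allLogs' category group, Cosmos DB with nothing, APIM with no destination.
SAMPLE_SETTINGS = {
    BLOB: [{"name": "blob-audit", "workspaceId": LAW, "storageAccountId": None,
            "eventHubAuthorizationRuleId": None,
            "logs": [{"category": "StorageRead", "categoryGroup": None, "enabled": False},
                     {"category": "StorageWrite", "categoryGroup": None, "enabled": True},
                     {"category": "StorageDelete", "categoryGroup": None, "enabled": True}]}],
    AKS: [{"name": "aks-control-plane", "workspaceId": LAW, "storageAccountId": None,
           "eventHubAuthorizationRuleId": None,
           "logs": [{"category": None, "categoryGroup": "allLogs", "enabled": True}]}],
    COSMOS: [],
    APIM: [{"name": "apim-gateway", "workspaceId": None, "storageAccountId": None,
            "eventHubAuthorizationRuleId": None,
            "logs": [{"category": "GatewayLogs", "categoryGroup": None, "enabled": True}]}],
}


def resource_type(resource_id):
    """'Namespace/type[/subtype]' from an ARM resource ID, e.g.
    .../Microsoft.Storage/storageAccounts/x/blobServices/default ->
    Microsoft.Storage/storageAccounts/blobServices."""
    parts = resource_id.split("/providers/", 1)[1].split("/")
    return "/".join(parts[:2] + parts[3::2])


def build_diagnostic_setting(resource_id, categories, workspace_id):
    """Request body for PUT {resource_id}/providers/Microsoft.Insights/
    diagnosticSettings/{name}?api-version=2021-05-01-preview, which is what
    `az monitor diagnostic-settings create` sends. Storage log categories only
    exist on the service sub-resource, so refuse a bare storage-account scope."""
    if resource_type(resource_id) == "Microsoft.Storage/storageAccounts":
        raise ValueError(f"scope storage logging at {resource_id}/blobServices/default")
    if not categories:
        raise ValueError("a setting with no enabled category collects nothing")
    return {"properties": {
        "workspaceId": workspace_id,
        "logs": [{"category": c, "enabled": True} for c in sorted(categories)],
    }}


def audit_diagnostic_settings(resource_id, settings):
    """Findings for one resource; an empty list means its required log
    categories are enabled and routed somewhere."""
    required = REQUIRED_CATEGORIES.get(resource_type(resource_id))
    if required is None:
        return [f"no requirement defined for {resource_type(resource_id)}"]
    if not settings:
        return [f"no diagnostic setting on {resource_id}"]
    findings, enabled = [], set()
    for s in settings:
        if not any(s.get(k) for k in DESTINATION_KEYS):
            findings.append(f"setting {s['name']} has no destination, nothing is stored")
            continue
        for log in s.get("logs", []):
            if not log.get("enabled"):
                continue
            # The 'allLogs' category group enables every category of the type.
            enabled |= required if log.get("categoryGroup") == "allLogs" else {log["category"]}
    missing = required - enabled
    if missing:
        findings.append(f"{resource_id}: categories not enabled: {sorted(missing)}")
    return findings


def readiness_report(settings_by_resource):
    """Map each resource ID to its findings, for every resource in the input."""
    return {rid: audit_diagnostic_settings(rid, s) for rid, s in settings_by_resource.items()}


if __name__ == "__main__":
    for rid, findings in readiness_report(SAMPLE_SETTINGS).items():
        print("OK " if not findings else "GAP", rid.rsplit("/", 1)[-1], findings)
    print(json.dumps(build_diagnostic_setting(BLOB, REQUIRED_CATEGORIES[resource_type(BLOB)], LAW), indent=2))
```

Run against real output, `az monitor diagnostic-settings list --resource <id>` for each resource (or a single `az resource list` walk), the same function turns the "have we enabled the right logs?" question from the introduction into a repeatable check; the APIM case in the sample is the one that is easiest to miss in the portal, because a setting exists and its category is enabled, yet nothing is retained anywhere.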

 

Being IR Prepared in Azure with Cado

Cado’s Incident Readiness Dashboard empowers organizations to proactively assess their level of preparedness when it comes to investigating and responding to cloud-based incidents. 

The Cado Platform’s Incident Readiness Dashboard provides security teams with the ability to proactively run readiness checks, see readiness trends over time, and identify issues that could prevent the organization from rapidly responding to active threats.

Cado’s Incident Readiness Dashboard

Cado’s Incident Readiness Dashboard delivers the following features:

  • The ability to ensure that your organization has the correct logging, management agents, and other cloud-native tools appropriately configured and operational.
  • The ability to ensure that data gathered during an investigation can be decrypted.
  • The ability to verify that your permissions are aligned with best practices and are capable of supporting your incident response efforts.

To see how Cado can help your organization audit its level of preparedness to investigate and respond to future incidents, contact our team to schedule a demo.