Fixes: 'Ensure all operations in Azure Key Vault are logged'

Signed-off-by: Manuel Weber <[email protected]>
mondoohq · Dec 31, 2024 · 6903c47 · 6903c47
1 parent ef5c16a
commit 6903c47
Showing 1 changed file with 13 additions and 38 deletions.
diff --git a/core/mondoo-azure-security.mql.yaml b/core/mondoo-azure-security.mql.yaml
@@ -1241,7 +1241,7 @@ queries:
         1. Navigate to the Azure Portal at https://portal.azure.com.
         2. Go to **Key Vaults** and select a Key Vault.
         3. Under **Monitoring**, select **Diagnostic settings**.
-        4. Verify that logging for both **AuditEvent** and **AllLogs** categories are enabled and that they are configured to send logs to an Azure Storage Account, Log Analytics workspace, or Event Hub.
+        4. Verify that logging for both **audit** and **allLogs** categories are enabled and that they are configured to send logs to an Azure Storage Account, Log Analytics workspace, or Event Hub.
 
         **From Azure CLI:**
 
@@ -1251,7 +1251,7 @@ queries:
         az monitor diagnostic-settings list --resource <Key Vault Resource ID> --output table
         ```
 
-        Ensure that the output shows that logs for AuditEvent and AllLogs categories are enabled and properly configured to a storage account or other supported destinations.
+        Ensure that the output shows that logs for audit and allLogs categories are enabled and properly configured to a storage account or other supported destinations.
 
         **From PowerShell:**
 
@@ -1260,14 +1260,14 @@ queries:
             Get-AzDiagnosticSetting -ResourceId $_.ResourceId
         }
         ```
-        Verify that each Key Vault has AuditEvent and AllLogs enabled and is logging to the designated destinations.
+        Verify that each Key Vault has audit and allLogs enabled and is logging to the designated destinations.
       remediation: |
         ### Microsoft Azure Portal
 
         1. Log into Microsoft Azure Portal at https://portal.azure.com.
         2. Visit `Key vaults` and select a vault.
         3. Go to `Diagnostic settings`.
-        4. Edit an existing setting or add a new one, ensuring `AuditEvent` and `All logs` are selected.
+        4. Edit an existing setting or add a new one, ensuring `audit` and `All logs` are selected.
         5. Set the appropriate destination for logs, such as an Azure storage account or Log Analytics workspace.
         6. Save the configuration.
 
@@ -1276,15 +1276,15 @@ queries:
         To create or update diagnostic settings for a Key Vault:
 
         ```bash
-        az monitor diagnostic-settings create --name "defaultLogs" --resource <Key Vault Resource ID> --logs '[{"category": "AuditEvent", "enabled": true}, {"category": "AllLogs", "enabled": true}]' --storage-account <Storage Account ID> | --workspace <Log Analytics Workspace ID> | --event-hub <Event Hub Name>
+        az monitor diagnostic-settings create --name "defaultLogs" --resource <Key Vault Resource ID> --logs '[{"category": "audit", "enabled": true}, {"category": "allLogs", "enabled": true}]' --storage-account <Storage Account ID> | --workspace <Log Analytics Workspace ID> | --event-hub <Event Hub Name>
         ```
 
         **From PowerShell:**
 
         ```powershell
         $logs = @(
-            New-AzDiagnosticSettingLogConfig -Category "AuditEvent" -Enabled $true
-            New-AzDiagnosticSettingLogConfig -Category "AllLogs" -Enabled $true
+            New-AzDiagnosticSettingLogConfig -Category "audit" -Enabled $true
+            New-AzDiagnosticSettingLogConfig -Category "allLogs" -Enabled $true
         )
         Set-AzDiagnosticSetting -ResourceId <Key Vault Resource ID> -Log $logs -StorageAccountId <Storage Account ID> | -WorkspaceId <Log Analytics Workspace ID> | -EventHubAuthorizationRuleId <Event Hub Authorization Rule ID> | -EventHubName <Event Hub Name>
         ```
@@ -1298,7 +1298,7 @@ queries:
           log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
 
           log {
-            category = "AuditEvent"
+            category = "audit"
             enabled  = true
 
             retention_policy {
@@ -1308,7 +1308,7 @@ queries:
           }
 
           log {
-            category = "AllLogs"
+            category = "allLogs"
             enabled  = true
 
             retention_policy {
@@ -1332,42 +1332,17 @@ queries:
     filters: |
       asset.platform == "azure-keyvault-vault"
     mql: |
-      // Step 1: Verify that diagnostic settings are configured for the Key Vault vaults.
-      azure.subscription.keyVault.vault.diagnosticSettings != empty
-      // Step 2: Confirm the presence and enablement of specific log categories within the diagnostic settings.
-      // The checks ensure that both 'audit' and 'allLogs' category groups are actively enabled for comprehensive logging.
-      azure.subscription.keyVault.vault.diagnosticSettings.all(properties.logs.any(categoryGroup == "AuditEvent"))
-      azure.subscription.keyVault.vault.diagnosticSettings.all(properties.logs.any(categoryGroup == "allLogs"))
-      azure.subscription.keyVault.vault.diagnosticSettings.any(properties.logs.where(categoryGroup == "AuditEvent").all(enabled == true))
-      azure.subscription.keyVault.vault.diagnosticSettings.any(properties.logs.where(categoryGroup == "allLogs").all(enabled == true))
-      // Step 3: Ensure that there is an appropriate destination for the logs.
-      // Diagnostic settings should forward logs to one or more of the following destinations:
-      // an Azure Storage account, an Azure Monitor Log Analytics workspace, an event hub, or a partner solution.
-      // The existence of any of these destination settings confirms that the logs are not only enabled but also appropriately stored.
-      azure.subscription.keyVault.vault.diagnosticSettings.all(properties.eventHubAuthorizationRuleId != empty) ||
-        azure.subscription.keyVault.vault.diagnosticSettings.all(properties.workspaceId != empty) ||
-          azure.subscription.keyVault.vault.diagnosticSettings.all(properties.storageAccountId != empty) ||
-            azure.subscription.keyVault.vault.diagnosticSettings.all(properties.marketplacePartnerId != empty)
+      azure.subscription.keyVault.vault.diagnosticSettings.any(properties.logs.where(categoryGroup == "audit").any(enabled == true))
+      azure.subscription.keyVault.vault.diagnosticSettings.any(properties.logs.where(categoryGroup == "allLogs").any(enabled == true))
   - uid: mondoo-azure-security-ensure-logging-enabled-kv-api
     filters: |
       asset.platform == "azure"
     mql: |
       // Step 1: Verify that diagnostic settings are configured for the Key Vault vaults.
       azure.subscription.keyVault.vaults.all(diagnosticSettings != empty)
       // Step 2: Confirm the presence and enablement of specific log categories within the diagnostic settings.
-      // The checks ensure that both 'audit' and 'allLogs' category groups are actively enabled for comprehensive logging.
-      azure.subscription.keyVault.vaults.all(diagnosticSettings.all(properties.logs.any(categoryGroup == "AuditEvent")))
-      azure.subscription.keyVault.vaults.all(diagnosticSettings.all(properties.logs.any(categoryGroup == "allLogs")))
-      azure.subscription.keyVault.vaults.all(diagnosticSettings.any(properties.logs.where(categoryGroup == "AuditEvent").all(enabled == true)))
-      azure.subscription.keyVault.vaults.all(diagnosticSettings.any(properties.logs.where(categoryGroup == "allLogs").all(enabled == true)))
-      // Step 3: Ensure that there is an appropriate destination for the logs.
-      // Diagnostic settings should forward logs to one or more of the following destinations:
-      // an Azure Storage account, an Azure Monitor Log Analytics workspace, an event hub, or a partner solution.
-      // The existence of any of these destination settings confirms that the logs are not only enabled but also appropriately stored.
-      azure.subscription.keyVault.vaults.all(diagnosticSettings.all(properties.eventHubAuthorizationRuleId != empty)) ||
-        azure.subscription.keyVault.vaults.all(diagnosticSettings.all(properties.workspaceId != empty)) ||
-          azure.subscription.keyVault.vaults.all(diagnosticSettings.all(properties.storageAccountId != empty)) ||
-            azure.subscription.keyVault.vaults.all(diagnosticSettings.all(properties.marketplacePartnerId != empty))
+      azure.subscription.keyVault.vaults.all(diagnosticSettings.any(properties.logs.where(categoryGroup == "audit").any(enabled == true)))
+      azure.subscription.keyVault.vaults.all(diagnosticSettings.any(properties.logs.where(categoryGroup == "allLogs").any(enabled == true)))
   - uid: mondoo-azure-security-ensure-activity-log-alert-exists-for-create-update-delete-network-security-group
     title: Ensure that activity log alerts exist for the commands Create, Update, and Delete Network Security Group
     impact: 80