turbot/steampipe-mod-azure-compliance

Control: 5.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled

Description

Enable the AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all HTTP requests are captured and centrally logged.

Capturing web requests can be important supporting information for security analysts performing monitoring and incident response activities. Once logging is enabled, these logs can be ingested into a SIEM or another central aggregation point for the organization.

Remediation

From Azure Portal

  1. Go to App Services

For each App Service:

  1. Go to Diagnostic Settings.
  2. Click Add Diagnostic Setting.
  3. Check the checkbox next to 'HTTP logs'.
  4. Configure a destination based on your specific logging consumption capability (for example, stream to an event hub and then consume it with a SIEM integration for Event Hub logging).

Default Value:

Not configured.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v210_5_1_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v210_5_1_6 --share

SQL

This control uses a named query:

with diagnostic_settings_http_logs as (
  select
    distinct id
  from
    azure_app_service_web_app,
    jsonb_array_elements(diagnostic_settings) as ds,
    jsonb_array_elements(ds -> 'properties' -> 'logs') as log
  where
    log ->> 'category' = 'AppServiceHTTPLogs'
    and (log -> 'enabled')::bool
)
select
  a.id as resource,
  case
    when ds.id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when ds.id is not null then a.name || ' HTTP logs for diagnostic log category enabled.'
    else a.name || ' HTTP logs for diagnostic log category disabled.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_app_service_web_app as a
  left join diagnostic_settings_http_logs as ds on ds.id = a.id
  left join azure_subscription as sub on sub.subscription_id = a.subscription_id;
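The same evaluation logic run against constructed rows, as an added example that is not part of the mod's own query: a `sample_web_app` CTE stands in for the `azure_app_service_web_app` table (same column names, constructed ids and names), and the `azure_subscription` join is left out because it only decorates the output. It shows how the two `jsonb_array_elements` calls flatten every diagnostic setting and every log category, so the control passes an app as soon as any one setting has `AppServiceHTTPLogs` switched on, and fails it when the category is merely present but disabled or when no diagnostic setting exists at all.

```sql
-- Added example, not the mod's code. Four constructed App Service rows
-- (ids, names and resource group are placeholders) in place of the real
-- azure_app_service_web_app table, followed by the control's own logic.
with sample_web_app as (
  select * from (values
    -- HTTP logs enabled in the only diagnostic setting
    ('/subscriptions/sub-0/resourceGroups/rg-web/providers/Microsoft.Web/sites/app-a',
     'app-a', 'rg-web',
     '[{"properties":{"logs":[{"category":"AppServiceHTTPLogs","enabled":true}]}}]'::jsonb),
    -- category present but switched off; another category is on
    ('/subscriptions/sub-0/resourceGroups/rg-web/providers/Microsoft.Web/sites/app-b',
     'app-b', 'rg-web',
     '[{"properties":{"logs":[{"category":"AppServiceHTTPLogs","enabled":false},
                               {"category":"AppServiceConsoleLogs","enabled":true}]}}]'::jsonb),
    -- no diagnostic setting at all (jsonb_array_elements yields no rows for NULL)
    ('/subscriptions/sub-0/resourceGroups/rg-web/providers/Microsoft.Web/sites/app-c',
     'app-c', 'rg-web', null::jsonb),
    -- HTTP logs enabled only in the second of two diagnostic settings
    ('/subscriptions/sub-0/resourceGroups/rg-web/providers/Microsoft.Web/sites/app-d',
     'app-d', 'rg-web',
     '[{"properties":{"logs":[{"category":"AppServiceConsoleLogs","enabled":true}]}},
       {"properties":{"logs":[{"category":"AppServiceHTTPLogs","enabled":true}]}}]'::jsonb)
  ) as t(id, name, resource_group, diagnostic_settings)
),
-- identical to the control's CTE, pointed at the sample rows
diagnostic_settings_http_logs as (
  select
    distinct id
  from
    sample_web_app,
    jsonb_array_elements(diagnostic_settings) as ds,
    jsonb_array_elements(ds -> 'properties' -> 'logs') as log
  where
    log ->> 'category' = 'AppServiceHTTPLogs'
    and (log -> 'enabled')::bool
)
select
  a.name,
  a.resource_group,
  case
    when ds.id is not null then 'ok'
    else 'alarm'
  end as status
from
  sample_web_app as a
  left join diagnostic_settings_http_logs as ds on ds.id = a.id
order by a.name;
```

Run it with `steampipe query` or any PostgreSQL 11+ client (the `jsonb` to `bool` cast needs PostgreSQL 11 or later). app-a and app-d come back `ok`; app-b is `alarm` because `(log -> 'enabled')::bool` is false for its HTTP log entry, and app-c is `alarm` because a NULL `diagnostic_settings` produces no rows in the CTE, so the left join finds nothing. A log entry with no `enabled` key behaves like app-c: the cast of a missing key yields NULL, the `where` clause drops the row, and the app is reported as disabled.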

Tags