
Insufficient Logging on Azure

How Insufficient Logging Manifests in Azure

Insufficient logging in Azure environments creates blind spots that attackers actively exploit. In Azure API Management, missing audit trails for key operations like API creation, subscription key generation, and policy modifications leave no forensic evidence when APIs are compromised. Without logging these administrative actions, security teams cannot determine when unauthorized changes occurred or who made them.

Azure Functions presents another critical logging gap. By default, function executions are logged, but security-relevant events like failed authentication attempts, function-level authorization failures, and suspicious invocation patterns often go unlogged. An attacker can repeatedly probe Azure Functions endpoints to discover exposed functions without triggering any security alerts. The lack of structured logging for HTTP triggers means failed access attempts blend into normal application logs, making detection nearly impossible.

Azure App Service environments frequently suffer from insufficient logging of authentication failures and authorization bypasses. When Azure AD authentication is configured but not properly monitored, successful token theft attacks leave no trace. Attackers can reuse stolen tokens to access protected APIs without generating any security-relevant logs. Additionally, missing logs for file upload operations in App Service create opportunities for attackers to upload malicious payloads without detection.

Storage account security is severely compromised when insufficient logging exists. Azure Blob Storage and Azure Table Storage operations lack comprehensive audit trails by default. Without logging read, write, and delete operations at the storage account level, attackers can exfiltrate sensitive data through direct storage API calls without triggering any alerts. The absence of logging for shared access signature (SAS) token generation and usage creates additional attack vectors that remain undetected.

Azure Key Vault represents a critical failure point when logging is insufficient. Key operations like secret retrieval, key creation, and access policy modifications must be logged, but many Azure deployments lack proper Key Vault logging configuration. Without these audit trails, attackers who compromise credentials can silently access sensitive keys and secrets without leaving any forensic evidence. The lack of integration between Key Vault logs and centralized logging solutions further compounds this problem.

Network security groups (NSGs) in Azure often lack sufficient logging for denied traffic. While NSG flow logs can be enabled, many organizations fail to configure them properly or analyze the data. This creates blind spots where port scanning, brute force attacks, and other network reconnaissance activities go completely unnoticed. Attackers can systematically probe Azure virtual network boundaries without generating any security alerts.

Azure-Specific Detection

Detecting insufficient logging in Azure requires examining both configuration and runtime behavior. Azure Monitor provides the foundation for comprehensive logging, but many Azure services have logging disabled by default or configured at minimal levels. Using Azure CLI, you can audit logging configurations across your Azure environment:

# Check diagnostic settings for Azure Functions. Passing the full resource ID avoids having
# to spell out the resource namespace and type separately.
FUNC_ID=$(az functionapp show --name myFunctionApp --resource-group myResourceGroup --query id -o tsv)
az monitor diagnostic-settings list --resource "$FUNC_ID"

# Verify Key Vault logging is enabled: the AuditEvent category must appear, enabled, in one
# of the vault's diagnostic settings. (Soft delete is a recovery feature, not logging.)
KV_ID=$(az keyvault show --name myKeyVault --query id -o tsv)
az monitor diagnostic-settings list --resource "$KV_ID" --query "[].logs[?category=='AuditEvent']"

# Check NSG flow log configuration
az network watcher flow-log show --location eastus --resource-group myResourceGroup --nsg myNSG
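The commands above only dump configuration; someone still has to decide whether what comes back is adequate. The following is an added example, not code from the page or from middleBrick: a small Python checker that reads the JSON emitted by `az monitor diagnostic-settings list -o json` and reports the three classes of gap this page is about (no diagnostic setting at all, a required log category missing or disabled, and a short retention period). The required-category table, the 90-day retention floor, the sample settings and the workspace and storage-account resource IDs are all constructed for the example.

```python
import json

# Log categories a defender would expect to be enabled, per resource type.
# These are assumed minimums chosen for this example, not a list from Azure.
REQUIRED_CATEGORIES = {
    "Microsoft.KeyVault/vaults": {"AuditEvent"},
    "Microsoft.Web/sites": {"FunctionAppLogs"},
    "Microsoft.Storage/storageAccounts/blobServices": {"StorageRead", "StorageWrite", "StorageDelete"},
}
MIN_RETENTION_DAYS = 90  # assumed policy floor for the storage-account archive copy
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


def parse_settings(payload):
    """Accept `az monitor diagnostic-settings list -o json` output as text or parsed JSON.
    Current CLI versions emit a bare list; older ones wrapped it in {"value": [...]}."""
    data = json.loads(payload) if isinstance(payload, str) else payload
    if isinstance(data, dict):
        data = data.get("value", [])
    return data or []


def audit_diagnostic_settings(resource_type, payload, min_retention_days=MIN_RETENTION_DAYS):
    """Return a list of findings; an empty list means the resource's logging looks adequate."""
    settings = parse_settings(payload)
    if not settings:
        return ["no diagnostic settings configured"]

    findings = []
    covered = set()  # categories that at least one setting enables AND ships to a destination
    for setting in settings:
        name = setting.get("name", "<unnamed>")
        destinations = [k for k in DESTINATION_KEYS if setting.get(k)]
        if not destinations:
            findings.append(f"{name}: no log destination configured")
        for entry in setting.get("logs") or []:
            if not entry.get("enabled"):
                continue
            label = entry.get("category") or entry.get("categoryGroup")
            policy = entry.get("retentionPolicy") or {}
            # The retention policy on a diagnostic setting only governs the storage-account
            # copy; days=0 with enabled=false means "keep" for that destination.
            if setting.get("storageAccountId") and policy.get("enabled") \
                    and policy.get("days", 0) < min_retention_days:
                findings.append(f"{name}: retention for {label} is {policy['days']} days "
                                f"(minimum {min_retention_days})")
            if not destinations:
                continue  # enabled but going nowhere does not count as coverage
            if entry.get("categoryGroup") == "allLogs":
                covered |= REQUIRED_CATEGORIES.get(resource_type, set())
            elif entry.get("category"):
                covered.add(entry["category"])

    for category in sorted(REQUIRED_CATEGORIES.get(resource_type, set()) - covered):
        findings.append(f"required log category {category} not enabled in any setting")
    return findings


# Constructed sample resource IDs (all-zero subscription, names from this page).
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"
                "/providers/Microsoft.OperationalInsights/workspaces/myLogAnalyticsWorkspace")
ARCHIVE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"
              "/providers/Microsoft.Storage/storageAccounts/mylogarchive")

# Constructed sample: the vault's only setting lists AuditEvent but has it switched off.
SAMPLE_KEYVAULT_WEAK = json.dumps([{
    "name": "KeyVaultLogs", "workspaceId": WORKSPACE_ID, "storageAccountId": None,
    "eventHubAuthorizationRuleId": None,
    "logs": [{"category": "AuditEvent", "categoryGroup": None, "enabled": False,
              "retentionPolicy": {"days": 0, "enabled": False}}],
    "metrics": [{"category": "AllMetrics", "enabled": True,
                 "retentionPolicy": {"days": 0, "enabled": False}}],
}])

# Constructed sample: everything enabled through the allLogs category group.
SAMPLE_KEYVAULT_OK = json.dumps([{
    "name": "KeyVaultLogs", "workspaceId": WORKSPACE_ID, "storageAccountId": None,
    "eventHubAuthorizationRuleId": None,
    "logs": [{"category": None, "categoryGroup": "allLogs", "enabled": True,
              "retentionPolicy": {"days": 0, "enabled": False}}],
    "metrics": [],
}])

# Constructed sample (older "value" wrapper): blob service archived to a storage account with
# only 30 days of retention, and the StorageDelete category missing entirely.
SAMPLE_BLOB_WEAK = json.dumps({"value": [{
    "name": "BlobLogs", "workspaceId": None, "storageAccountId": ARCHIVE_ID,
    "eventHubAuthorizationRuleId": None,
    "logs": [
        {"category": "StorageRead", "categoryGroup": None, "enabled": True,
         "retentionPolicy": {"days": 30, "enabled": True}},
        {"category": "StorageWrite", "categoryGroup": None, "enabled": True,
         "retentionPolicy": {"days": 30, "enabled": True}},
    ],
    "metrics": [],
}]})

if __name__ == "__main__":
    for label, rtype, payload in [
        ("keyvault-weak", "Microsoft.KeyVault/vaults", SAMPLE_KEYVAULT_WEAK),
        ("keyvault-ok", "Microsoft.KeyVault/vaults", SAMPLE_KEYVAULT_OK),
        ("blob-weak", "Microsoft.Storage/storageAccounts/blobServices", SAMPLE_BLOB_WEAK),
    ]:
        print(label, audit_diagnostic_settings(rtype, payload) or ["OK"])
```

In practice you would pipe the CLI output into `audit_diagnostic_settings` for every resource returned by `az resource list`; the checker deliberately treats an enabled category with no destination as not covered, since a setting that ships nowhere gives the same blind spot as no setting at all.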

Azure Policy can enforce logging requirements across your Azure tenant. Create policies that require diagnostic logs for all supported resource types:

{
  "if": {
    "anyOf": [
      {
        "field": "type",
        "equals": "Microsoft.Web/sites"
      },
      {
        "field": "type",
        "equals": "Microsoft.KeyVault/vaults"
      },
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      }
    ]
  },
  "then": {
    "effect": "auditIfNotExists",
    "details": {
      "type": "Microsoft.Insights/diagnosticSettings",
      "existenceCondition": {
        "allOf": [
          {
            "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
            "equals": "true"
          }
        ]
      }
    }
  }
}

middleBrick provides specialized Azure API scanning that identifies insufficient logging vulnerabilities. The scanner examines Azure-specific endpoints for missing audit trails, analyzes Azure AD authentication configurations, and tests for proper logging of security-relevant events. middleBrick's Azure scanning includes:

  • Authentication logging verification for Azure AD-protected APIs
  • Audit trail analysis for Azure Functions and Logic Apps
  • Storage account access logging assessment
  • Key Vault audit log configuration validation
  • Network security group flow log analysis

The scanner tests for common Azure logging misconfigurations like disabled diagnostic settings, insufficient retention periods, and missing log categories. middleBrick's findings include specific remediation steps for Azure services, such as enabling diagnostic logs for Azure Functions, configuring Key Vault audit logging, and setting up proper log retention policies.

Azure-Specific Remediation

Remediating insufficient logging in Azure requires systematic configuration of diagnostic settings and centralized log collection. For Azure Functions, enable comprehensive logging through the Azure portal or ARM templates:

{
  "type": "Microsoft.Web/sites",
  "apiVersion": "2021-02-01",
  "name": "myFunctionApp",
  "location": "[resourceGroup().location]",
  "kind": "functionapp",
  "properties": {
    "siteConfig": {
      "appSettings": [
        {
          "name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
          "value": "your-application-insights-connection-string"
        }
      ]
    }
  },
  "resources": [
    {
      "type": "providers/diagnosticSettings",
      "apiVersion": "2017-05-01-preview",
      "name": "Microsoft.Insights/service",
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites', 'myFunctionApp')]"
      ],
      "properties": {
        "workspaceId": "your-log-analytics-workspace-resource-id",
        "logs": [
          {
            "category": "FunctionAppLogs",
            "enabled": true
          }
        ],
        "metrics": [
          {
            "category": "AllMetrics",
            "enabled": true
          }
        ]
      }
    }
  ]
}

Azure Key Vault requires specific audit logging configuration to capture all security-relevant operations:

# Key Vault audit logging is delivered through a diagnostic setting. The AuditEvent
# category records every REST request to the vault's data plane (secret, key and
# certificate operations); access-policy changes made through the management plane
# appear in the Activity Log. Soft delete is a recovery control, not a logging control.
KV_ID=$(az keyvault show --name myKeyVault --query id -o tsv)
WS_ID=$(az monitor log-analytics workspace show --resource-group myResourceGroup \
  --workspace-name myLogAnalyticsWorkspace --query id -o tsv)

# Configure diagnostic settings for Key Vault
az monitor diagnostic-settings create \
  --resource "$KV_ID" \
  --name KeyVaultLogs \
  --workspace "$WS_ID" \
  --logs '[{"category": "AuditEvent", "enabled": true}]' \
  --metrics '[{"category": "AllMetrics", "enabled": true}]'

For Azure Storage accounts, implement comprehensive logging and monitoring:

# Enable classic Storage Analytics logging for the blob service. --services and --log
# take single-letter flags (b = blob, q = queue, t = table; r/w/d = read/write/delete).
# These logs are written to the account's $logs container, not to Log Analytics; to query
# blob operations in Log Analytics, the blob service also needs a diagnostic setting with
# the StorageRead, StorageWrite and StorageDelete categories.
az storage logging update \
  --services b \
  --log rwd \
  --retention 365 \
  --account-name myStorageAccount

# Enable hourly storage metrics for the blob service
az storage metrics update \
  --services b \
  --retention 365 \
  --hour true \
  --minute false \
  --account-name myStorageAccount

Azure Application Insights provides application-level logging with built-in security monitoring capabilities. Configure structured logging in your Azure applications:

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// ASP.NET Core middleware that records authorization failures, unhandled exceptions and
// request timing as structured properties, so Application Insights can index and query
// them. Register it in Program.cs with app.UseMiddleware<SecurityLoggingMiddleware>().
public class SecurityLoggingMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ILogger _logger;

    public SecurityLoggingMiddleware(RequestDelegate next, ILogger<SecurityLoggingMiddleware> logger)
    {
        _next = next;
        _logger = logger;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var startTime = DateTime.UtcNow;

        try
        {
            await _next(context);

            // Log security-relevant events. A 401/403 seen here was produced inside the
            // application pipeline; requests rejected by App Service's built-in
            // authentication never reach application code and must be captured through
            // the platform's diagnostic logs instead. Behind the App Service front end the
            // client address arrives in X-Forwarded-For, so enable forwarded-headers
            // handling or RemoteIpAddress will show the proxy rather than the client.
            if (context.Response.StatusCode == 401 || context.Response.StatusCode == 403)
            {
                _logger.LogWarning("Unauthorized access attempt: {Method} {Path} from {IP}",
                    context.Request.Method, context.Request.Path, context.Connection.RemoteIpAddress);
            }
        }
        catch (Exception ex)
        {
            // Record the exception with its stack trace, then let the host's error handling run
            _logger.LogError(ex, "Unhandled exception: {Message}", ex.Message);
            throw;
        }
        finally
        {
            var duration = DateTime.UtcNow - startTime;
            _logger.LogInformation("Request completed: {Method} {Path} {Status} {Duration}ms",
                context.Request.Method, context.Request.Path, context.Response.StatusCode, duration.TotalMilliseconds);
        }
    }
}

Implement centralized log collection using Azure Log Analytics and create security-focused queries:

// Failed authentication/authorization attempts per client per hour.
// AppServiceHTTPLogs (App Service HTTP logging) carries the client address (CIp) and the
// response status (ScStatus). FunctionAppLogs has no client-address column, so it cannot
// attribute failures to a source; for function apps use the platform HTTP logs where available.
AppServiceHTTPLogs
| where ScStatus in (401, 403)
| summarize Failures = count() by bin(TimeGenerated, 1h), CIp
| where Failures > 10 // Alert if more than 10 failures in an hour

// Unusual blob download volume per caller. Requires a diagnostic setting on the account's
// blob service with the StorageRead category; those records land in the StorageBlobLogs
// table, not in AzureDiagnostics, and classic Storage Analytics logs stay in $logs.
StorageBlobLogs
| where OperationName == "GetBlob"
| summarize Downloads = count() by bin(TimeGenerated, 1h), CallerIpAddress
| where Downloads > 100 // Alert on high-volume downloads
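To see what the first query's hourly threshold actually catches and misses, here is an added Python example (not code from the page or from middleBrick) that runs the same logic offline over constructed rows shaped like the App Service HTTP log columns it uses. It implements the fixed hourly bucket that `bin(TimeGenerated, 1h)` produces and, alongside it, a rolling-window variant, because a burst that straddles a bucket boundary is split in two by the fixed bin and can fall under the threshold in both halves. The client addresses are TEST-NET ranges, the timestamps are invented, and the threshold of 10 is the page's own.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def bucket(ts, minutes):
    """Floor a timestamp to its window start, as KQL bin(TimeGenerated, 1h) does for 60."""
    epoch = int(ts.timestamp())
    size = minutes * 60
    return datetime.fromtimestamp(epoch - epoch % size, tz=UTC)


def auth_failure_bursts(rows, threshold=10, window_minutes=60):
    """Count 401/403 responses per (fixed window, client IP) and return the pairs above
    threshold as (window_start, ip, count), sorted. Mirrors the Log Analytics query."""
    counts = Counter()
    for row in rows:
        if row["ScStatus"] in (401, 403):
            counts[(bucket(row["TimeGenerated"], window_minutes), row["CIp"])] += 1
    return sorted((win, ip, n) for (win, ip), n in counts.items() if n > threshold)


def sliding_window_bursts(rows, threshold=10, window_minutes=60):
    """Rolling-window variant: the largest number of failures from one client inside any
    window of the given length, so a burst crossing a fixed bin boundary is still reported.
    Returns sorted (ip, max_count) pairs above threshold."""
    by_ip = {}
    for row in rows:
        if row["ScStatus"] in (401, 403):
            by_ip.setdefault(row["CIp"], []).append(row["TimeGenerated"])
    span = timedelta(minutes=window_minutes)
    hits = []
    for ip, times in by_ip.items():
        times.sort()
        best, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] >= span:  # drop failures older than the window
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            hits.append((ip, best))
    return sorted(hits)


def _row(minute_offset, ip, status, path):
    # Constructed row using the AppServiceHTTPLogs column names the query relies on
    base = datetime(2024, 1, 15, 10, 0, tzinfo=UTC)
    return {"TimeGenerated": base + timedelta(minutes=minute_offset), "CIp": ip,
            "CsMethod": "GET", "CsUriStem": path, "ScStatus": status}


# Constructed sample: twelve 401s from one address inside the 10:00 hour; twelve more from a
# second address spread from 10:50 to 11:12 (5 land in the 10:00 bin, 7 in the 11:00 bin);
# three 403s from a third address; and ordinary 200s.
SAMPLE_HTTP_LOGS = (
    [_row(2 * i, "198.51.100.7", 401, "/api/orders") for i in range(12)]
    + [_row(50 + 2 * i, "198.51.100.23", 401, "/api/orders") for i in range(12)]
    + [_row(5 * i, "203.0.113.9", 403, "/api/admin") for i in range(3)]
    + [_row(i, "192.0.2.44", 200, "/api/health") for i in range(40)]
)

if __name__ == "__main__":
    print("fixed hourly bins:", auth_failure_bursts(SAMPLE_HTTP_LOGS))
    print("rolling window:   ", sliding_window_bursts(SAMPLE_HTTP_LOGS))
```

The fixed-bin function reports only 198.51.100.7; the second address is invisible to it even though it produced the same twelve failures, which is the argument for pairing the cheap scheduled KQL rule with a rolling window (or shorter bins) for the alert that matters.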

Frequently Asked Questions

How does insufficient logging in Azure differ from on-premises environments?

Azure environments present unique logging challenges due to their distributed nature and the variety of Azure services. Unlike on-premises systems where you control all infrastructure, Azure services have different logging capabilities, retention policies, and integration requirements. Azure's shared responsibility model means that while Microsoft secures the infrastructure, you're responsible for configuring and monitoring logging for your applications and data. This creates complexity in ensuring consistent logging across Azure Functions, App Service, Storage, and other PaaS offerings.

Can middleBrick scan Azure-specific logging configurations?

Yes, middleBrick includes Azure-specific scanning capabilities that examine logging configurations across Azure services. The scanner checks for enabled diagnostic logs in Azure Functions, Key Vault audit logging configuration, storage account access logging, and NSG flow log settings. middleBrick also tests whether Azure AD authentication failures are properly logged and whether security events from Azure Application Insights are being collected and analyzed. The tool provides specific remediation guidance for Azure services, helping you implement comprehensive logging across your Azure environment.