Audit Front Door Access#
Security · Front Door · Rule · 2024_03 · Important
Audit and monitor access through Azure Front Door profiles.
Description#
Azure Front Door (AFD) supports logging network access to resources through the service. This includes access logs and web application firewall logs. Capturing these logs can help detect and respond to security threats as part of a security monitoring strategy. Additionally, many compliance standards require logging and monitoring of network access.
Like all security monitoring, it is only effective if the logs are reviewed and correlated with other security events. Microsoft Sentinel can be used to analyze and correlate logs, or third-party solutions can be used.
To capture network access events through Front Door, diagnostic settings must be configured. When configuring diagnostics settings enable collection of the following logs:
FrontdoorAccessLog
- Can be used to monitor network activity and access through Front Door.FrontdoorWebApplicationFirewallLog
- Can be used to detect potential attacks, or false positive detections. This log will be empty if a WAF policy is not configured.
Management operations for Front Door is captured automatically within Azure Activity Logs.
Recommendation#
Consider configuring diagnostics setting to log network activity and access through Azure Front Door (AFD). Also consider correlating logs with other security events to detect and respond to security threats.
Examples#
Configure with Azure template#
To deploy Azure Front Door Premium/ Standard profiles that passes this rule:
- Deploy a diagnostic settings sub-resource.
- Enable logging for the
FrontdoorAccessLog
category. - Enable logging for the
FrontdoorWebApplicationFirewallLog
category if a WAF policy is configured.
- Enable logging for the
For example:
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2021-05-01-preview",
"scope": "[format('Microsoft.Cdn/profiles/{0}', parameters('name'))]",
"name": "audit",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"logs": [
{
"category": "FrontdoorAccessLog",
"enabled": true
},
{
"category": "FrontdoorWebApplicationFirewallLog",
"enabled": true
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Cdn/profiles', parameters('name'))]"
]
}
To deploy Azure Front Door Classic profiles that passes this rule:
- Deploy a diagnostic settings sub-resource.
- Enable logging for the
FrontdoorAccessLog
category. - Enable logging for the
FrontdoorWebApplicationFirewallLog
category if a WAF policy is configured.
- Enable logging for the
For example:
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2021-05-01-preview",
"scope": "[format('Microsoft.Network/frontDoors/{0}', parameters('name'))]",
"name": "audit",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"logs": [
{
"category": "FrontdoorAccessLog",
"enabled": true
},
{
"category": "FrontdoorWebApplicationFirewallLog",
"enabled": true
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/frontDoors', parameters('name'))]"
]
}
Configure with Bicep#
To deploy Azure Front Door Premium/ Standard profiles that passes this rule:
- Deploy a diagnostic settings sub-resource.
- Enable logging for the
FrontdoorAccessLog
category. - Enable logging for the
FrontdoorWebApplicationFirewallLog
category.
- Enable logging for the
For example:
resource audit 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
name: 'audit'
scope: afd_profile
properties: {
workspaceId: workspaceId
logs: [
{
category: 'FrontdoorAccessLog'
enabled: true
}
{
category: 'FrontdoorWebApplicationFirewallLog'
enabled: true
}
]
}
}
To deploy Azure Front Door Classic profiles that passes this rule:
- Deploy a diagnostic settings sub-resource.
- Enable logging for the
FrontdoorAccessLog
category. - Enable logging for the
FrontdoorWebApplicationFirewallLog
category.
- Enable logging for the
For example:
resource audit_classic 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
name: 'audit'
scope: afd_classic
properties: {
workspaceId: workspaceId
logs: [
{
category: 'FrontdoorAccessLog'
enabled: true
}
{
category: 'FrontdoorWebApplicationFirewallLog'
enabled: true
}
]
}
}
Notes#
This rule applies to Azure Front Door Premium/ Standard/ Classic profiles.
Links#
- SE:10 Monitoring and threat detection
- LT-4: Enable logging for security investigation
- Monitor metrics and logs in Azure Front Door
- Monitor metrics and logs in Azure Front Door Classic
- What is Microsoft Sentinel?
- Azure deployment reference