Audit Front Door Access

Security · Front Door · Rule · 2024_03 · Important

Audit and monitor access through Azure Front Door profiles.

Description

Azure Front Door (AFD) supports logging network access to resources through the service. This includes access logs and web application firewall logs. Capturing these logs can help detect and respond to security threats as part of a security monitoring strategy. Additionally, many compliance standards require logging and monitoring of network access.

Like all security monitoring, it is only effective if the logs are reviewed and correlated with other security events. Microsoft Sentinel can be used to analyze and correlate logs, or third-party solutions can be used.

To capture network access events through Front Door, diagnostic settings must be configured. When configuring diagnostic settings, enable collection of the following logs:

  • FrontdoorAccessLog - Can be used to monitor network activity and access through Front Door.
  • FrontdoorWebApplicationFirewallLog - Can be used to detect potential attacks, or false positive detections. This log will be empty if a WAF policy is not configured.

Management operations for Front Door are captured automatically within Azure Activity Logs.

Recommendation

Consider configuring diagnostic settings to log network activity and access through Azure Front Door (AFD). Also consider correlating these logs with other security events to detect and respond to security threats.

Examples

Configure with Azure template

To deploy Azure Front Door Premium/Standard profiles that pass this rule:

  • Deploy a diagnostic settings sub-resource.
    • Enable logging for the FrontdoorAccessLog category.
    • Enable logging for the FrontdoorWebApplicationFirewallLog category if a WAF policy is configured.

For example:

Azure Template snippet
{
  "type": "Microsoft.Insights/diagnosticSettings",
  "apiVersion": "2021-05-01-preview",
  "scope": "[format('Microsoft.Cdn/profiles/{0}', parameters('name'))]",
  "name": "audit",
  "properties": {
    "workspaceId": "[parameters('workspaceId')]",
    "logs": [
      {
        "category": "FrontdoorAccessLog",
        "enabled": true
      },
      {
        "category": "FrontdoorWebApplicationFirewallLog",
        "enabled": true
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Cdn/profiles', parameters('name'))]"
  ]
}

To deploy Azure Front Door Classic profiles that pass this rule:

  • Deploy a diagnostic settings sub-resource.
    • Enable logging for the FrontdoorAccessLog category.
    • Enable logging for the FrontdoorWebApplicationFirewallLog category if a WAF policy is configured.

For example:

Azure Template snippet
{
  "type": "Microsoft.Insights/diagnosticSettings",
  "apiVersion": "2021-05-01-preview",
  "scope": "[format('Microsoft.Network/frontDoors/{0}', parameters('name'))]",
  "name": "audit",
  "properties": {
    "workspaceId": "[parameters('workspaceId')]",
    "logs": [
      {
        "category": "FrontdoorAccessLog",
        "enabled": true
      },
      {
        "category": "FrontdoorWebApplicationFirewallLog",
        "enabled": true
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/frontDoors', parameters('name'))]"
  ]
}

Configure with Bicep

To deploy Azure Front Door Premium/Standard profiles that pass this rule:

  • Deploy a diagnostic settings sub-resource.
    • Enable logging for the FrontdoorAccessLog category.
    • Enable logging for the FrontdoorWebApplicationFirewallLog category if a WAF policy is configured.

For example:

Azure Bicep snippet
resource audit 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'audit'
  scope: afd_profile
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        category: 'FrontdoorAccessLog'
        enabled: true
      }
      {
        category: 'FrontdoorWebApplicationFirewallLog'
        enabled: true
      }
    ]
  }
}

To deploy Azure Front Door Classic profiles that pass this rule:

  • Deploy a diagnostic settings sub-resource.
    • Enable logging for the FrontdoorAccessLog category.
    • Enable logging for the FrontdoorWebApplicationFirewallLog category if a WAF policy is configured.

For example:

Azure Bicep snippet
resource audit_classic 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'audit'
  scope: afd_classic
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        category: 'FrontdoorAccessLog'
        enabled: true
      }
      {
        category: 'FrontdoorWebApplicationFirewallLog'
        enabled: true
      }
    ]
  }
}
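The snippets above show a passing configuration; the check below is an added example (not PSRule for Azure's own rule code) that evaluates a profile's diagnostic settings, as they appear in an exported template, against the same conditions: FrontdoorAccessLog must be enabled, and FrontdoorWebApplicationFirewallLog must be enabled when a WAF policy is configured. It goes one step beyond the page's snippets by also accepting a `categoryGroup` of `allLogs`, which the diagnostic settings API accepts in place of listing categories. The function names and sample settings are constructed for this example.

```python
ACCESS_LOG = "FrontdoorAccessLog"
WAF_LOG = "FrontdoorWebApplicationFirewallLog"


def enabled_categories(setting: dict) -> set:
    """Return the log categories one diagnostic setting turns on.

    An enabled entry with categoryGroup 'allLogs' covers every category
    of the resource, so it is treated as enabling both Front Door logs.
    """
    categories = set()
    for log in setting.get("properties", {}).get("logs", []):
        if not log.get("enabled", False):
            continue  # a listed but disabled category does not count
        if log.get("category"):
            categories.add(log["category"])
        elif log.get("categoryGroup") == "allLogs":
            categories.update({ACCESS_LOG, WAF_LOG})
    return categories


def check_profile(settings: list, waf_configured: bool) -> list:
    """Return findings for a profile; an empty list means the rule passes.

    settings: every Microsoft.Insights/diagnosticSettings resource scoped to
    the profile (the union of their enabled categories is what matters).
    """
    covered = set()
    for setting in settings:
        covered |= enabled_categories(setting)
    findings = []
    if ACCESS_LOG not in covered:
        findings.append(f"{ACCESS_LOG} is not enabled in any diagnostic setting")
    if waf_configured and WAF_LOG not in covered:
        findings.append(f"{WAF_LOG} is not enabled but a WAF policy is configured")
    return findings


# Constructed samples: the first enables only the access log (a common
# mistake when the WAF entry is left disabled), the second uses allLogs.
SAMPLE_ACCESS_ONLY = [{
    "name": "audit",
    "properties": {"workspaceId": "<workspace-id placeholder>", "logs": [
        {"category": ACCESS_LOG, "enabled": True},
        {"category": WAF_LOG, "enabled": False}]}}]
SAMPLE_ALL_LOGS = [{
    "name": "audit",
    "properties": {"workspaceId": "<workspace-id placeholder>", "logs": [
        {"categoryGroup": "allLogs", "enabled": True}]}}]
```

Running `check_profile(SAMPLE_ACCESS_ONLY, waf_configured=True)` reports the missing WAF log, while the same settings pass for a profile without a WAF policy.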

Notes

This rule applies to Azure Front Door Premium, Standard and Classic profiles.
