How to monitor and audit App Service Configuration and File changes

Overview

The ability to track and audit changes to websites is a common requirement among enterprises. This audit trail helps to identify who made changes and when, whether those changes were accidental or malicious. When running an application on a local server there are many options to achieve this; however, when running in Azure App Service we must rely on the features that the platform offers, because there is no access to the machine itself.

How to

We will split this discussion into two parts, first to discuss configuration/setting changes and second for file system changes.

Configuration and Setting Changes

  • Azure supports a new feature called Application Change Analysis: https://docs.microsoft.com/en-us/azure/azure-monitor/app/change-analysis
  • To enable the feature, open the Web App in question in the Azure portal, open the Diagnose and Solve Problems blade, search for “Changes”, and select the Application Changes detector. It will show a banner asking you to enable change detection; simply toggle on the feature for the sites you want to monitor.
  • Moving forward, any configuration changes that impact the raw ARM settings or environment variables of the app will be captured here.
  • For example, my recent changes to SSL settings are captured and both the before/after values are displayed.
  • Leveraging this feature, there will never be any confusion about who made a change or exactly what changes have been made.

File or Code Changes

  • The App Service team recently announced a new feature to send a variety of logs to Log Analytics, Event Hub, or Storage. This can be accessed under the Diagnostic Settings blade in the Azure portal.
  • One of the new logging types offered is AppServiceFileAuditLogs, which detects changes made to the file system of the application. This will help track changes in the event that a recent deployment causes the site to fail, or if someone has maliciously changed the files.
  • Unfortunately, as of December 2019 the feature is still in development. Expect it to be available in the next few months.
  • Read more about it and follow the changes: https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs#send-logs-to-azure-monitor-preview
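The portal steps above can also be scripted. The following is an added example, not code from the original post: it uses the Azure CLI to enable the AppServiceFileAuditLogs category (together with application logs) on a Web App's diagnostic setting, routes it to Log Analytics, and reads the setting back to confirm the category is on. The resource IDs and the setting name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: enable the
# AppServiceFileAuditLogs category (plus application logs) on a Web App's
# diagnostic setting with the Azure CLI and route it to Log Analytics.
# All resource IDs and the setting name below are placeholders.

# Build the JSON array that 'az monitor diagnostic-settings create --logs'
# expects: one object per log category, each enabled.
build_logs_json() {
  out="["
  sep=""
  for category in "$@"; do
    out="${out}${sep}{\"category\": \"${category}\", \"enabled\": true}"
    sep=", "
  done
  printf '%s]' "$out"
}

# Create (or overwrite) the diagnostic setting on the Web App.
enable_file_audit() {
  webapp_id="$1"; workspace_id="$2"; setting_name="$3"
  az monitor diagnostic-settings create \
    --name "$setting_name" \
    --resource "$webapp_id" \
    --workspace "$workspace_id" \
    --logs "$(build_logs_json AppServiceFileAuditLogs AppServiceAppLogs)"
}

# Read the setting back and print whether the file-audit category is enabled,
# using a JMESPath query so no local JSON parsing is needed.
file_audit_enabled() {
  webapp_id="$1"; setting_name="$2"
  az monitor diagnostic-settings show \
    --name "$setting_name" \
    --resource "$webapp_id" \
    --query "logs[?category=='AppServiceFileAuditLogs'].enabled | [0]" \
    -o tsv
}

# Building the JSON needs no network; the Azure calls run only when asked.
if [ "${RUN_AZ:-0}" = "1" ]; then
  WEBAPP_ID="/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<app>"
  LAW_ID="/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<law>"
  enable_file_audit "$WEBAPP_ID" "$LAW_ID" "file-audit-to-law"
  echo "AppServiceFileAuditLogs enabled: $(file_audit_enabled "$WEBAPP_ID" file-audit-to-law)"
fi
```

Run with `RUN_AZ=1` after `az login` to apply the setting; without it the script only defines the helpers.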
