nuclei-templates/cloud/azure/storageaccounts/azure-blob-service-logging-disabled.yaml

id: azure-blob-service-logging-disabled
info:
  name: Azure Storage Blob Service Logging Not Enabled
  author: princechaddha
  severity: medium
  description: |
    Ensure that Azure Storage Blob service logging is enabled for read, write, and delete requests. The Storage Blob service provides scalable, cost-efficient objective storage in the Azure cloud. Storage logging is performed server-side and allows details for both successful and failed requests to be recorded in the associated storage account. These logs contain the following information about the individual requests: timing information such as start time, end-to-end latency, server latency, authentication details, concurrency information, and the size of the request/response.    
  impact: |
    Not enabling logging for read, write, and delete operations on Azure Storage Blob can prevent tracking of data access and manipulation, thus reducing the ability to diagnose issues or detect breaches.    
  remediation: |
    Enable logging for the Azure Storage Blob service by setting the 'read', 'write', and 'delete' attributes to true in the storage account settings.    
  reference:
    - https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging
  tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config

flow: |
  code(1);
  for (let AccountData of iterate(template.accountList)) {
    AccountData = JSON.parse(AccountData);
    set("name", AccountData.name);
    code(2);
  }  

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az storage account list --query '[*].{"name":name}'      

    extractors:
      - type: json
        name: accountList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az storage logging show --services b --account-name "$name" --output json      

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"delete": false'
          - '"read": false'
          - '"write": false'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - 'name + " has logging disabled for read, write, and delete operations."'
# digest: 4a0a00473045022100c549efcef1d99e2271ff679f2584bd77701ed663a4065b9cef3eda7bea67173002200e063ca2ad10b9e221571330b2a1af37df93429368ad7a9f76ed4a47b0cde080:922c64590222798bb761d5b6d8e72950