Understanding Azure Log Analytics query auditing

In this post I'll discuss the query auditing features of Azure Log Analytics. I might go into more detail about the use cases and the significance of this functionality in a later post. Legislation, regulatory compliance, and monitoring share many of the same use cases, but that's a discussion for another time.

Here's what this brief post will cover:

  • Audit logs: what are they?
  • Logging versus audit logs
  • How to configure auditing of queries in Log Analytics

Audit logs: What are they?
Audit trails, also called audit logs, are records that list events or procedures in chronological order.

For this first synopsis I'll leave you with the opening line from Wikipedia and a link to the entire article.

An audit trail, also known as an audit log, is a chronological record, set of records, destination, and/or source of records that are significant to security and that offer documentary proof of the series of actions that have impacted a particular operation, method, event, or equipment at any one time.

Granted, every circumstance is different, so the purpose and execution of audit logs will vary too. But the basic idea stays the same: you can review the chronological record of significant events at a later time.

Logging vs. audit logs
Depending on the circumstances, auditing and logging can mean quite different things.

Logging mainly focuses on application-level events: administrative activities, custom logic within the applications, exceptions, traces, detected anomalies, and any pertinent health information about the systems and apps.

Audit logging, by contrast, usually records user-level transactions, such as a person or an Azure identity modifying a system.

Put into the context of Azure Log Analytics queries: with auditing enabled, you can see which queries have been run and by whom.

How long you are required to keep the audit logs after the application is retired will also depend on your industry, regulatory compliance, legal requirements, and other data processing criteria. A lot also depends on the kind of data you are auditing.

Many of the systems I see in practice have several access layers and storage locations, as well as application logs and one or more audit logs, and with good reason.

Configure query audit logging

At the time of writing, Azure Log Analytics does not directly provide query auditing tools for tracking who ran which queries. Instead, Log Analytics is used to query and analyze data gathered from multiple sources, including audit logs.

However, if you want to audit Log Analytics-related actions such as querying and data access, you can use Azure Monitor together with Azure Policy: Azure Monitor gathers the logs and data pertaining to Log Analytics operations, and Azure Policy can enforce that the auditing configuration is in place.

Steps to Configure Log Analytics Activity Auditing:

  1. Enable Azure Monitor for Log Analytics:

    • Ensure that Azure Monitor is enabled for the Log Analytics workspace where you want to collect activity logs.
  2. Configure Diagnostic Settings:

    • In the Azure portal, navigate to your Log Analytics workspace.
    • Under the "Settings" section, select "Diagnostic settings."
    • Add a diagnostic setting, and configure it to send relevant logs to Azure Monitor.

    Example Settings:

    • Log Categories: Select categories like 'AuditEvent', 'QueryRuntime', and 'QueryExecution'.
    • Destination: Choose Azure Monitor Logs.
  3. Create a Log Analytics Query for Auditing:

    • Use Log Analytics queries to analyze the collected data. For example, you might query 'AuditEvent' logs to see who accessed Log Analytics and when.
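Once the audit data is flowing into a workspace, step 3 comes down to a query. The following is an added example and not code from the original post. It assumes the workspace's diagnostic setting routes the Audit log category to a Log Analytics workspace; Azure Monitor writes query audit records for that category to the LAQueryLogs table, and the column names below are that table's. The seven-day lookback and the list of watched table names are illustrative assumptions.

```kql
// Added example, not from the original post: summarize who queried this workspace and when.
// Assumes the workspace diagnostic setting sends the "Audit" log category to a workspace,
// which populates the LAQueryLogs table; lookback and watched_tables are illustrative values.
let lookback = 7d;
let watched_tables = dynamic(["SecurityEvent", "SigninLogs", "AuditLogs"]);  // constructed list
LAQueryLogs
| where TimeGenerated > ago(lookback)
// Service principals carry no email, so fall back to the object id to name the caller
| extend Caller = iff(isempty(AADEmail), tostring(AADObjectId), AADEmail)
// Mark queries whose text references one of the watched tables
| extend TouchesWatched = QueryText has_any (watched_tables)
| summarize
    QueryCount       = count(),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated),
    FailedQueries    = countif(ResponseCode != 200),   // non-200: rejected, throttled or errored
    WatchedTableHits = countif(TouchesWatched),
    ClientApps       = make_set(RequestClientApp, 10), // portal, API, workbooks, alert rules, ...
    SampleQuery      = take_any(QueryText)
    by Caller
| order by WatchedTableHits desc, QueryCount desc
```

The result is one row per identity with its query volume, first and last activity, the client applications it used and a sample query, which is the "who and when" view step 3 asks for; dropping the summarize gives the per-query detail instead. Because LAQueryLogs stores the full QueryText, which can itself contain sensitive values such as account names or addresses, read access to that table should be restricted (table-level RBAC) just like the data it describes, and records appear only after the usual ingestion delay.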