Merge pull request #195451 from mssindhurid/main

Maggiemouse1 · web-flow · commit c12281704b74 · 2022-04-19T08:41:55.000+01:00
maa shoebox
diff --git a/articles/attestation/audit-logs.md b/articles/attestation/audit-logs.md
@@ -11,123 +11,75 @@ ms.author: mbaldwin
 
 ---
 
-# Audit logs for Azure Attestation
+# Azure Attestation logging
 
-Audit logs are secure, immutable, timestamped records of discrete events that happened over time. These logs capture important events that may affect the functionality of your attestation instance.
+If you create one or more Azure Attestation resources, you’ll want to monitor how and when your attestation instance is accessed, and by whom. You can do this by enabling logging for Microsoft Azure Attestation, which saves information in an Azure storage account you provide.  
 
-Azure Attestation manages attestation instances and the policies associated with them. Actions associated with instance management and policy changes are audited and logged.
+Logging information will be available up to 10 minutes after the operation occurred (in most cases, it will be quicker than this). Since you provide the storage account, you can secure your logs via standard Azure access controls and delete logs you no longer want to keep in your storage account. 
 
-This article contains information on the events that are logged, the information collected, and the location of these logs.
+## Interpret your Azure Attestation logs
 
-## About Audit logs
+When logging is enabled, up to three containers may be automatically created for you in your specified storage account:  **insights-logs-auditevent, insights-logs-operational, insights-logs-notprocessed**. It is recommended to only use **insights-logs-operational** and **insights-logs-notprocessed**. **insights-logs-auditevent** was created to provide early access to logs for customers using VBS. Future enhancements to logging will occur in the **insights-logs-operational** and **insights-logs-notprocessed**.  
 
-Azure Attestation uses code to produce audit logs for events that affect the way attestation is performed. This typically boils down to how or when policy changes are made to your attestation instance as well as some admin actions.
+**Insights-logs-operational** contains generic information across all TEE types. 
 
-### Auditable Events
-Here are some of the audit logs we collect:
+**Insights-logs-notprocessed** contains requests which the service was unable to process, typically due to malformed HTTP headers, incomplete message bodies, or similar issues.  
 
-|     Event/API                              |     Event Description                                                                         |
-|--------------------------------------------|-----------------------------------------------------------------------------------------------|
-|     Create Instance                        |     Creates a new instance of an attestation service. |
-|     Destroy Instance                       |     Destroys an instance of an attestation service. |
-|     Add Policy Certificate                 |     Addition of a certificate to the current set of policy management certificates. |
-|     Remove Policy Certificate              |     Remove a certificate from the current set of policy management certificates. |
-|     Set Current Policy                     |     Sets the attestation policy for a given TEE type. |
-|     Reset Attestation Policy               |     Resets the attestation policy for a given TEE type. |
-|     Prepare to Update Policy               |     Prepare to update attestation policy for a given TEE type. |
-|     Rehydrate Tenants After Disaster       |     Re-seals all of the attestation tenants on this instance of the attestation service. This can only be performed by Attestation Service admins. |
+Individual blobs are stored as text, formatted as a JSON blob. Let’s look at an example log entry: 
 
-### Collected  information
-For each of these events, Azure Attestation collects the following information:
 
-- Operation Name
-- Operation Success
-- Operation Caller, which could be any of the following:
-    - Azure AD UPN
-    - Object ID
-    - Certificate
-    - Azure AD Tenant ID
-- Operation Target, which could be any of the following:
-    - Environment
-    - Service Region
-    - Service Role
-    - Service Role Instance
-    - Resource ID
-    - Resource Region
+```json
+{  
+ "Time": "2021-11-03T19:33:54.3318081Z", 
+ "resourceId": "/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.Attestation/attestationProviders/<instance name>",
+ "region": "EastUS", 
+ "operationName": "AttestSgxEnclave", 
+ "category": "Operational", 
+ "resultType": "Succeeded", 
+ "resultSignature": "400", 
+ "durationMs": 636, 
+ "callerIpAddress": "::ffff:24.17.183.201", 
+ "traceContext": "{\"traceId\":\"e4c24ac88f33c53f875e5141a0f4ce13\",\"parentId\":\"0000000000000000\",}", 
+ "identity": "{\"callerAadUPN\":\"deschuma@microsoft.com\",\"callerAadObjectId\":\"6ab02abe-6ca2-44ac-834d-42947dbde2b2\",\"callerId\":\"deschuma@microsoft.com\"}",
+ "uri": "https://deschumatestrp.eus.test.attest.azure.net:443/attest/SgxEnclave?api-version=2018-09-01-preview", 
+ "level": "Informational", 
+ "location": "EastUS", 
+ "properties": 
+  { 
+    "failureResourceId": "", 
+    "failureCategory": "None", 
+    "failureDetails": "", 
+    "infoDataReceived": 
+    { 
+      "Headers": 
+      { 
+      "User-Agent": "PostmanRuntime/7.28.4" 
+      }, 
+      "HeaderCount": 10,
+      "ContentType": "application/json",
+      "ContentLength": 6912, 
+      "CookieCount": 0, 
+      "TraceParent": "" 
+    } 
+   } 
+ } 
+```
 
-### Sample Audit log
+Most of these fields are documented in the [Top-level common schema](/azure-monitor/essentials/resource-logs-schema#top-level-common-schema). The following table lists the field names and descriptions for the entries not included in the top-level common schema: 
 
-Audit logs are provided in JSON format. Here is an example of what an audit log may look like.
+|     Field Name                           |     Description                                                                         |
+|------------------------------------------|-----------------------------------------------------------------------------------------------|
+|     traceContext                        |     JSON blob representing the W3C trace-context |
+|    uri                       |     Request URI  |
 
-```json
-{
-    "operationName": "SetCurrentPolicy",
-    "resultType": "Success",
-    "resultDescription": null,
-    "auditEventCategory": [
-        "ApplicationManagement"
-    ],
-    "nCloud": null,
-    "requestId": null,
-    "callerIpAddress": null,
-    "callerDisplayName": null,
-    "callerIdentities": [
-        {
-            "callerIdentityType": "ObjectID",
-            "callerIdentity": "<some object ID>"
-        },
-        {
-            "callerIdentityType": "TenantId",
-            "callerIdentity": "<some tenant ID>"
-        }
-    ],
-    "targetResources": [
-        {
-            "targetResourceType": "Environment",
-            "targetResourceName": "PublicCloud"
-        },
-        {
-            "targetResourceType": "ServiceRegion",
-            "targetResourceName": "EastUS2"
-        },
-        {
-            "targetResourceType": "ServiceRole",
-            "targetResourceName": "AttestationRpType"
-        },
-        {
-            "targetResourceType": "ServiceRoleInstance",
-            "targetResourceName": "<some service role instance>"
-        },
-        {
-            "targetResourceType": "ResourceId",
-            "targetResourceName": "/subscriptions/<some subscription ID>/resourceGroups/<some resource group name>/providers/Microsoft.Attestation/attestationProviders/<some instance name>"
-        },
-        {
-            "targetResourceType": "ResourceRegion",
-            "targetResourceName": "EastUS2"
-        }
-    ],
-    "ifxAuditFormat": "Json",
-    "env_ver": "2.1",
-    "env_name": "#Ifx.AuditSchema",
-    "env_time": "2020-11-23T18:23:29.9427158Z",
-    "env_epoch": "MKZ6G",
-    "env_seqNum": 1277,
-    "env_popSample": 0.0,
-    "env_iKey": null,
-    "env_flags": 257,
-    "env_cv": "##00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000",
-    "env_os": null,
-    "env_osVer": null,
-    "env_appId": null,
-    "env_appVer": null,
-    "env_cloud_ver": "1.0",
-    "env_cloud_name": null,
-    "env_cloud_role": null,
-    "env_cloud_roleVer": null,
-    "env_cloud_roleInstance": null,
-    "env_cloud_environment": null,
-    "env_cloud_location": null,
-    "env_cloud_deploymentUnit": null
-}
-```
+The properties contain additional Azure attestation specific context: 
+
+|     Field Name                           |     Description                                                                         |
+|------------------------------------------|-----------------------------------------------------------------------------------------------|
+|     failureResourceId                        |     Resource ID of component which resulted in request failure  |
+|    failureCategory                       |     Broad category indicating category of a request failure. Includes categories such as AzureNetworkingPhysical, AzureAuthorization etc.   |
+|    failureDetails                       |     Detailed information about a request failure, if available   |
+|    infoDataReceived                       |     Information about the request received from the client. Includes some HTTP headers, the number of headers received, the content type and content length    |
+
+## Next steps
+- [How to enable Microsoft Azure Attestation logging ](azure-diagnostic-monitoring.md)
diff --git a/articles/attestation/overview.md b/articles/attestation/overview.md
@@ -46,7 +46,7 @@ OE standardizes specific requirements for verification of an enclave evidence. T
 
 Client applications can be designed to take advantage of TPM attestation by delegating security-sensitive tasks to only take place after a platform has been validated to be secure. Such applications can then make use of Azure Attestation to routinely establish trust in the platform and its ability to access sensitive data.
 
-### Azure Confidential VM attestation 
+### AMD SEV-SNP attestation 
 
 Azure [Confidential VM](../confidential-computing/confidential-vm-overview.md) (CVM) is based on [AMD processors with SEV-SNP technology](../confidential-computing/virtual-machine-solutions-amd.md) and aims to improve VM security posture by removing trust in host, hypervisor and Cloud Service Provider (CSP). To achieve this, CVM offers VM OS disk encryption option with platform-managed keys and binds the disk encryption keys to the virtual machine's TPM. When a CVM boots up, SNP report containing the guest VM firmware measurements will be sent to Azure Attestation. The service validates the measurements and issues an attestation token that is used to release keys from [Managed-HSM](../key-vault/managed-hsm/overview.md) or [Azure Key Vault](../key-vault/general/basic-concepts.md). These keys are used to decrypt the vTPM state of the guest VM, unlock the OS disk and start the CVM. The attestation and key release process is performed automatically on each CVM boot, and the process ensures the CVM boots up only upon successful attestation of the hardware.
 
diff --git a/articles/attestation/toc.yml b/articles/attestation/toc.yml
@@ -47,6 +47,8 @@
         href: claim-sets.md
   - name: Workflow
     href: workflow.md
+  - name: Azure Attestation logging
+    href: audit-logs.md
 - name: References
   items:
   - name: Regional availability
