
@Copilot Copilot AI commented Oct 5, 2025

Description

This PR implements a new rule Azure.ACR.Logs (AZR-000498) that ensures audit diagnostic logs are enabled for Azure Container Registry resources. This addresses the security best practice of monitoring authentication and repository access events for compliance and security investigation purposes.

Changes

  • New Rule: Azure.ACR.Logs checks that Container Registry instances have diagnostic settings configured to capture audit events
  • Log Categories: The rule validates that at least one of the following is enabled:
    • ContainerRegistryLoginEvents - captures authentication events to the registry
    • ContainerRegistryRepositoryEvents - captures push and pull operations for container images
    • Alternative: audit or allLogs category groups
  • Documentation: Added comprehensive documentation with ARM and Bicep examples
  • Tests: Added 6 new test cases covering various diagnostic settings configurations
  • Metadata:
    • Rule reference: AZR-000498
    • Rule set: 2025_12
    • Pillar: Security
    • MCSB control: LT-4
    • WAF maturity: L1
    • Severity: Important

Example

A Container Registry that passes this rule:

resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
  name: name
  location: location
  sku: {
    name: 'Premium'
  }
  properties: {
    adminUserEnabled: false
  }
}

resource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'logs'
  scope: registry
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        category: 'ContainerRegistryLoginEvents'
        enabled: true
      }
      {
        category: 'ContainerRegistryRepositoryEvents'
        enabled: true
      }
    ]
  }
}

Related Issues

Fixes #3536

References


Original prompt

This section details the original issue you should resolve

<issue_title>[RULE] Collect audit logs for Azure Container Registry</issue_title>
<issue_description>### Existing rule

No response

Suggested rule

Enable Azure resource logs for Container Registry for ContainerRegistryLoginEvents and ContainerRegistryRepositoryEvents.

Pillar

Security

Additional context

Similar to Azure.KeyVault.Logs

Comments on the Issue (you are @copilot in this section)

Fixes #3445


Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com>
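The pass/fail logic this PR describes, as an added worked example that is not the PSRule for Azure rule or any code from the project: a registry passes when at least one diagnostic setting scoped to it has an enabled log whose category is ContainerRegistryLoginEvents or ContainerRegistryRepositoryEvents, or whose category group is audit or allLogs. The flat ARM-style resource list, the `scope` field linking a setting to its registry, and the registry ids are constructed assumptions; PSRule's own rule syntax is not shown.

```python
AUDIT_CATEGORIES = {"ContainerRegistryLoginEvents", "ContainerRegistryRepositoryEvents"}
AUDIT_GROUPS = {"audit", "allLogs"}
ACR = "microsoft.containerregistry/registries"
DIAG = "microsoft.insights/diagnosticsettings"

def setting_captures_audit(setting: dict) -> bool:
    """True when at least one enabled log entry covers an audit category or group."""
    for log in setting.get("properties", {}).get("logs", []):
        if not log.get("enabled", False):
            continue  # a listed but disabled category does not count
        if log.get("category") in AUDIT_CATEGORIES or log.get("categoryGroup") in AUDIT_GROUPS:
            return True
    return False

def registry_has_audit_logs(registry_id: str, resources: list) -> bool:
    """Pass if any diagnosticSettings resource scoped to this registry captures audit logs."""
    return any(
        r.get("type", "").lower() == DIAG
        and r.get("scope") == registry_id
        and setting_captures_audit(r)
        for r in resources
    )

def evaluate(resources: list) -> dict:
    """Map every Container Registry id in the resource list to its pass/fail result."""
    return {
        r["id"]: registry_has_audit_logs(r["id"], resources)
        for r in resources
        if r.get("type", "").lower() == ACR
    }

# Constructed sample (assumed flat ARM-style shape; 'scope' links a setting to its registry):
# acr-pass enables both audit categories, acr-group relies on the 'audit' category group,
# acr-fail has only a disabled login log plus metrics, acr-none has no diagnostic setting.
SAMPLE = [
    {"id": "/registries/acr-pass", "type": "Microsoft.ContainerRegistry/registries"},
    {"id": "/registries/acr-group", "type": "Microsoft.ContainerRegistry/registries"},
    {"id": "/registries/acr-fail", "type": "Microsoft.ContainerRegistry/registries"},
    {"id": "/registries/acr-none", "type": "Microsoft.ContainerRegistry/registries"},
    {"type": "Microsoft.Insights/diagnosticSettings", "scope": "/registries/acr-pass",
     "properties": {"logs": [{"category": "ContainerRegistryLoginEvents", "enabled": True},
                             {"category": "ContainerRegistryRepositoryEvents", "enabled": True}]}},
    {"type": "Microsoft.Insights/diagnosticSettings", "scope": "/registries/acr-group",
     "properties": {"logs": [{"categoryGroup": "audit", "enabled": True}]}},
    {"type": "Microsoft.Insights/diagnosticSettings", "scope": "/registries/acr-fail",
     "properties": {"logs": [{"category": "ContainerRegistryLoginEvents", "enabled": False}],
                    "metrics": [{"category": "AllMetrics", "enabled": True}]}},
]
```

Calling `evaluate(SAMPLE)` yields Pass for acr-pass and acr-group and Fail for acr-fail and acr-none; metrics alone, or a disabled audit category, do not satisfy the check.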
@Copilot Copilot AI changed the title from "[WIP] [RULE] Collect audit logs for Azure Container Registry" to "Add Azure.ACR.Logs rule to collect audit logs for Container Registry" Oct 5, 2025
@Copilot Copilot AI requested a review from BernieWhite October 5, 2025 08:40
Copilot finished work on behalf of BernieWhite October 5, 2025 08:40
Development

Successfully merging this pull request may close these issues.

[RULE] Collect audit logs for Azure Container Registry