
fix(sdk): accept AuditEvent key vault diagnostics#11660

Open
davletd wants to merge 2 commits into
prowler-cloud:masterfrom
davletd:fix-azure-keyvault-auditevent-logging

Conversation


@davletd davletd commented Jun 22, 2026

Contributor

Context

Fixes #11656

Azure Key Vault diagnostic settings can represent audit logging as an explicit AuditEvent log category with categoryGroup: null. In that state, Key Vault audit logging is materially enabled, but keyvault_logging_enabled only evaluated category groups and reported the vault as failing.

From a compliance standpoint, this check should evaluate the control objective: Key Vault audit logging is enabled and routed to a supported destination. It should not fail solely because Azure returned the category-based diagnostic setting representation instead of category groups. A false failure makes the result difficult to trust for teams consuming Prowler OCSF output directly.

Description

This PR updates keyvault_logging_enabled to pass when a diagnostic setting has either:

  • category == "AuditEvent" and enabled == true, or
  • the existing accepted category-group condition: audit and allLogs enabled

The existing category-group behavior is preserved. The metadata and remediation text now describe both supported representations, and a regression test covers the observed Azure ARM shape with AuditEvent enabled and AzurePolicyEvaluationDetails disabled.

Steps to review

  1. Review the added unit test for AuditEvent category-based diagnostic settings.
  2. Confirm the existing category-group tests still pass and keep the previous behavior.
  3. Run:
uv run --python /opt/homebrew/bin/python3.12 pytest -q tests/providers/azure/services/keyvault/keyvault_logging_enabled/keyvault_logging_enabled_test.py

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? No
    • If so, do we need to update permissions for the provider? Please review this carefully.

UI

  • All issue/task requirements work as expected on the UI
  • If this PR adds or updates npm dependencies, include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and explain why existing/native alternatives are insufficient.
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, uv, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Summary by CodeRabbit

  • Bug Fixes

    • Azure Key Vault logging check now correctly recognizes AuditEvent category-based diagnostic logging, eliminating false failures.
  • Documentation

    • Updated check documentation and remediation guidance to reflect new supported logging configurations.

- Recognize explicit AuditEvent diagnostic log categories for Azure Key Vaults
- Preserve existing audit and allLogs category-group behavior
- Add regression coverage for category-based Key Vault diagnostic settings
@davletd davletd requested a review from a team as a code owner June 22, 2026 08:41
@github-actions github-actions Bot added provider/azure Issues/PRs related with the Azure provider metadata-review labels Jun 22, 2026
- Add unreleased SDK changelog entry for AuditEvent diagnostic support

coderabbitai Bot commented Jun 22, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between ccc1f16 and 00f7c29.

📒 Files selected for processing (4)
  • prowler/CHANGELOG.md
  • prowler/providers/azure/services/keyvault/keyvault_logging_enabled/keyvault_logging_enabled.metadata.json
  • prowler/providers/azure/services/keyvault/keyvault_logging_enabled/keyvault_logging_enabled.py
  • tests/providers/azure/services/keyvault/keyvault_logging_enabled/keyvault_logging_enabled_test.py

📝 Walkthrough

The keyvault_logging_enabled Azure check is updated to treat an enabled AuditEvent log category as compliant, in addition to the existing audit+allLogs category-group path. Metadata descriptions, CLI/Bicep/Terraform remediation examples, a new unit test, and a changelog entry are updated to match.

Changes

keyvault_logging_enabled AuditEvent Compliance Fix

Layer: Compliance check logic
File(s): prowler/providers/azure/services/keyvault/keyvault_logging_enabled/keyvault_logging_enabled.py
Summary: Introduces has_audit_category (from category == "AuditEvent") alongside the existing has_audit_group/has_all_logs flags. The pass condition changes from requiring both category-group flags to accepting has_audit_category OR (has_audit_group AND has_all_logs).

Layer: Metadata, remediation examples, and changelog
File(s): keyvault_logging_enabled/keyvault_logging_enabled.metadata.json, prowler/CHANGELOG.md
Summary: Updates the check description to document both compliance paths. Revises CLI, Bicep, and Terraform remediation snippets to use the AuditEvent category instead of the audit/allLogs category groups. Adds a Fixed changelog entry for 5.31.0.

Layer: Unit test: AuditEvent category PASS
File(s): tests/providers/azure/services/keyvault/keyvault_logging_enabled/keyvault_logging_enabled_test.py
Summary: Adds test_diagnostic_setting_with_audit_event_category_logging, which mocks a diagnostic setting with AuditEvent enabled and AzurePolicyEvaluationDetails disabled, asserting a PASS result with correct status_extended, resource_name, and resource_id.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • HugoPBrito
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name: Docstring Coverage
Status: ⚠️ Warning
Explanation: Docstring coverage is 0.00%, which is insufficient. The required threshold is 80.00%.
Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name: Title check
Status: ✅ Passed
Explanation: The title clearly and concisely summarizes the main change: accepting the AuditEvent category in Key Vault diagnostics instead of only category groups.

Check name: Description check
Status: ✅ Passed
Explanation: The PR description follows the template with Context (issue reference), Description, Steps to review, and Checklist sections completed appropriately for SDK changes.

Check name: Linked Issues check
Status: ✅ Passed
Explanation: The code changes directly address issue #11656 by adding support for AuditEvent category recognition, updating metadata documentation, and including a regression test for the reported scenario.

Check name: Out of Scope Changes check
Status: ✅ Passed
Explanation: All changes are directly scoped to fixing the keyvault_logging_enabled check to recognize AuditEvent categories, with updates to implementation, metadata, tests, and changelog.

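As an added illustration (not Prowler's own code) of the pass condition described in the PR description and in the walkthrough above: a hypothetical stand-in model of Key Vault diagnostic settings and the check logic run over constructed samples, including the AuditEvent-with-categoryGroup-null shape from the linked issue. The field names, the per-setting evaluation of the category groups, and the PASS/FAIL strings are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


# Hypothetical stand-ins for the Azure diagnostic-setting objects the real
# Prowler check reads; the field names are assumptions, not Prowler's model.
@dataclass
class LogEntry:
    enabled: bool
    category: Optional[str] = None        # e.g. "AuditEvent"
    category_group: Optional[str] = None  # e.g. "audit" or "allLogs"


@dataclass
class DiagnosticSetting:
    name: str
    logs: List[LogEntry] = field(default_factory=list)


def setting_has_audit_logging(setting: DiagnosticSetting) -> bool:
    """Pass condition described in the PR: an enabled explicit AuditEvent
    category, or both the audit and allLogs category groups enabled."""
    has_audit_category = has_audit_group = has_all_logs = False
    for log in setting.logs:
        if not log.enabled:
            continue  # disabled entries never count, whatever their category
        has_audit_category |= log.category == "AuditEvent"
        has_audit_group |= log.category_group == "audit"
        has_all_logs |= log.category_group == "allLogs"
    return has_audit_category or (has_audit_group and has_all_logs)


def keyvault_logging_enabled(settings: List[DiagnosticSetting]) -> str:
    """Vault-level verdict: PASS if any diagnostic setting satisfies the check."""
    return "PASS" if any(setting_has_audit_logging(s) for s in settings) else "FAIL"


# Constructed samples. The first mirrors the ARM shape from the linked issue:
# AuditEvent enabled with categoryGroup null, AzurePolicyEvaluationDetails off.
AUDIT_EVENT_SHAPE = DiagnosticSetting("kv-diag", [
    LogEntry(enabled=True, category="AuditEvent"),
    LogEntry(enabled=False, category="AzurePolicyEvaluationDetails"),
])
CATEGORY_GROUP_SHAPE = DiagnosticSetting("kv-diag", [
    LogEntry(enabled=True, category_group="audit"),
    LogEntry(enabled=True, category_group="allLogs"),
])
AUDIT_GROUP_ONLY = DiagnosticSetting("kv-diag", [LogEntry(enabled=True, category_group="audit")])
AUDIT_EVENT_DISABLED = DiagnosticSetting("kv-diag", [LogEntry(enabled=False, category="AuditEvent")])
```

Before this PR the first sample would have been reported as FAIL; the audit-group-only and disabled-AuditEvent samples still fail under both the old and the new condition.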

@github-actions

Contributor

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.


codecov Bot commented Jun 22, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.88%. Comparing base (99285d4) to head (00f7c29).
⚠️ Report is 14 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (99285d4) and HEAD (00f7c29).

HEAD has 1 upload less than BASE:

Flag api: 1 report on BASE (99285d4), 0 on HEAD (00f7c29)
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #11660      +/-   ##
==========================================
- Coverage   94.10%   87.88%   -6.22%     
==========================================
  Files         247      237      -10     
  Lines       36421     6200   -30221     
==========================================
- Hits        34274     5449   -28825     
+ Misses       2147      751    -1396     
Flag                    Coverage Δ
api                     ?
prowler-py3.10-azure    87.85% <100.00%> (?)
prowler-py3.11-azure    87.83% <100.00%> (?)
prowler-py3.12-azure    87.88% <100.00%> (?)
prowler-py3.13-azure    87.88% <100.00%> (?)

Flags with carried forward coverage won't be shown.

Components    Coverage Δ
prowler       87.88% <94.87%> (∅)
api           ∅ <ø> (∅)

@danibarranqueroo danibarranqueroo added the community Opened by the Community label Jun 22, 2026

Development

Successfully merging this pull request may close these issues.

Azure keyvault_logging_enabled false-fails with AuditEvent diagnostic category
