Description:

Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment.


Rationale:

A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.


Impact:

Once Diagnostic settings are enabled, they can send logs and metrics for supported Azure services to Azure Monitor Logs, where they can be analyzed together with other monitoring data using log queries, subject to certain limitations.


Default Value:

By default, the diagnostic setting is not set.


Audit:

From Azure Console

  1. Search for Monitor
  2. Click on Activity Log
  3. Go to Diagnostics settings
  4. Ensure that a Diagnostic status is enabled on all appropriate resources.


Remediation:

From Azure Console

  1. Search for Monitor
  2. Click on Activity Log
  3. Go to Diagnostics Settings
  4. Select Add Diagnostic Settings
  5. Enter a Diagnostic setting name
  6. Select the appropriate log, metric, and destination. (This may be Log Analytics/Storage account or Event Hub)
  7. Click save

     Repeat these steps for all resources as needed.
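The console audit and remediation steps above check each setting by hand. The following script, added here as an illustration and not part of the benchmark, performs the same check over the JSON that `az monitor diagnostic-settings subscription list` returns: a setting only satisfies the control if it has an export destination (Log Analytics, Storage account or Event Hub) and at least one enabled log category. The field names and the sample data are assumptions constructed for the example.

```python
import json

# Constructed sample shaped like `az monitor diagnostic-settings subscription list`
# output (field names assumed from the Azure REST API; not from the benchmark).
SAMPLE_SETTINGS_JSON = """[
  {"name": "export-activity-log",
   "workspaceId": "/subscriptions/<sub-id>/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-sec",
   "storageAccountId": null, "eventHubAuthorizationRuleId": null,
   "logs": [{"category": "Administrative", "enabled": true},
            {"category": "Security", "enabled": true},
            {"category": "Alert", "enabled": false}]},
  {"name": "stale-setting",
   "workspaceId": null, "storageAccountId": null, "eventHubAuthorizationRuleId": null,
   "logs": [{"category": "Administrative", "enabled": false}]}
]"""

# The three destination kinds the remediation step lists.
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


def audit_setting(setting: dict) -> list:
    """Return findings for one diagnostic setting; an empty list means it exports logs."""
    findings = []
    if not any(setting.get(k) for k in DESTINATION_KEYS):
        findings.append("no export destination configured")
    # A setting whose categories are all disabled exists but exports nothing,
    # so it does not satisfy the control.
    if not any(log.get("enabled") for log in setting.get("logs", [])):
        findings.append("no log categories enabled")
    return findings


def audit_settings(settings_json: str) -> dict:
    """Map each setting name to its findings. No settings at all is the default
    state the benchmark warns about and is reported under '<none>'."""
    settings = json.loads(settings_json)
    if not settings:
        return {"<none>": ["no diagnostic setting exists"]}
    return {s["name"]: audit_setting(s) for s in settings}


def is_compliant(settings_json: str) -> bool:
    """True when at least one setting has a destination and an enabled category."""
    return any(not findings for findings in audit_settings(settings_json).values())


if __name__ == "__main__":
    for name, findings in audit_settings(SAMPLE_SETTINGS_JSON).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against real output with `az monitor diagnostic-settings subscription list -o json` saved to a file and passed to `audit_settings`; a subscription with only settings like `stale-setting` fails the control even though a setting "exists".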


Backout Plan:

  1. Search for Monitor
  2. Click on Activity Log
  3. Select Diagnostic Settings
  4. Click on Edit setting of defined Diagnostic setting
  5. Click delete



References:

  1. https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile
  2. https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create
  3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis