Description:

Azure resources generate control-plane logs that record create, update, delete, policy changes, RBAC actions, and configuration updates. Diagnostic Settings must be configured to capture all supported control/management-plane categories and export them to Log Analytics, Storage Account, or Event Hub.


Rationale:

Missing diagnostic logs reduce visibility into administrative actions and configuration changes, impacting incident response, forensic investigations, and compliance. Exporting Activity Logs ensures long-term visibility and supports monitoring, auditing, and compliance requirements.


Impact:

  • Enables long-term retention of Activity Logs

  • Improves detection and investigation of administrative and control-plane actions

  • Supports SIEMs like Microsoft Sentinel, Splunk, and QRadar

  • Required for CIS, NIST, SOC2, PCI, and ISO compliance


Default Value:

Control-plane logging is disabled by default unless manually configured.


Pre-requisites:

  • Log Analytics Workspace, Event Hub, or Storage Account must exist

  • Appropriate permissions: Microsoft.Insights/diagnosticSettings/* and a subscription-level role (e.g., Owner, Contributor, Monitoring Contributor)


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Subscriptions

  3. Select the target subscription

  4. From the left menu, select Activity log

  5. Click Export Activity Logs

  6. Open Diagnostic settings

  7. Verify that at least one diagnostic setting exists

  8. Confirm Activity Logs are being exported to an approved destination

  9. Record the diagnostic setting name and destination as evidence
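
The check in steps 7 and 8 can also be run against CLI output instead of the portal. The following is an added example, not part of the benchmark text: it assumes the JSON returned by `az monitor diagnostic-settings subscription list` uses the flattened field names shown in the sample (logs[].category, logs[].enabled, workspaceId, storageAccountId, eventHubAuthorizationRuleId) and reports, per setting, which required categories are missing and whether a destination is set.

```python
import json

# The five categories this control requires (from the Implementation Steps).
REQUIRED_CATEGORIES = {"Administrative", "Security", "ServiceHealth", "Alert", "Policy"}

# Fields that identify an approved export destination. Assumed flattened
# field names of `az monitor diagnostic-settings subscription list` output.
DESTINATION_FIELDS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")

# Constructed sample output: one setting missing categories, one complete.
SAMPLE_CLI_OUTPUT = json.dumps({"value": [
    {"name": "partial-export", "workspaceId": "/subscriptions/<sub>/.../workspaces/law-1",
     "logs": [{"category": "Administrative", "enabled": True},
              {"category": "Security", "enabled": False},
              {"category": "ServiceHealth", "enabled": True}]},
    {"name": "full-export", "storageAccountId": "/subscriptions/<sub>/.../storageAccounts/st1",
     "logs": [{"category": c, "enabled": True} for c in sorted(REQUIRED_CATEGORIES)]},
]})


def evaluate_diagnostic_settings(cli_json: str) -> dict:
    """Evaluate a subscription's activity-log diagnostic settings.

    The subscription is compliant if at least one setting enables every
    required category and exports to at least one destination.
    """
    data = json.loads(cli_json)
    # The CLI may return a bare list or an object with a "value" list (assumption).
    settings = data.get("value", []) if isinstance(data, dict) else data
    findings, compliant = [], False
    for s in settings:
        enabled = {log["category"] for log in s.get("logs", []) if log.get("enabled")}
        missing = sorted(REQUIRED_CATEGORIES - enabled)
        destinations = [f for f in DESTINATION_FIELDS if s.get(f)]
        ok = not missing and bool(destinations)
        compliant = compliant or ok
        findings.append({"name": s.get("name"), "missing": missing,
                         "destinations": destinations, "compliant": ok})
    return {"compliant": compliant, "settings": findings}


if __name__ == "__main__":
    # Evidence for step 9: setting names, destinations and gaps.
    for f in evaluate_diagnostic_settings(SAMPLE_CLI_OUTPUT)["settings"]:
        print(f"{f['name']}: compliant={f['compliant']} missing={f['missing']} "
              f"destinations={f['destinations']}")
```

Replace SAMPLE_CLI_OUTPUT with the real command output (for example, piped in from the CLI) to produce the evidence record for step 9.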

Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Subscriptions

  3. Select the target subscription

  4. From the left menu, select Activity log

  5. Click Export Activity Logs

  6. Click Add diagnostic setting

  7. Enter a name for the diagnostic setting

  8. Select Administrative, Security, ServiceHealth, Alert, and Policy logs

  9. Choose an export destination (Log Analytics workspace, Storage account, or Event Hub)

  10. Save the diagnostic setting


Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Subscriptions

  3. Select the target subscription

  4. Open Activity log

  5. Click Export Activity Logs

  6. Open Diagnostic settings

  7. Select the most recent diagnostic setting

  8. Click Delete

  9. Confirm the deletion


Reference: