Description:

The diagnostic setting should be configured to log the appropriate activities from the control/management plane.


Rationale:

A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.

Impact:

Enabling diagnostic settings allows metrics for certain Azure services to be sent to Azure Monitor Logs, where they can be analysed alongside other monitoring data using log queries, subject to certain limitations.


Default Value:

When the diagnostic setting is created using Azure Portal, by default no categories are selected.


Audit:

From Azure Console

  1. Go to Azure Monitor

  2. Click Activity log

  3. Click on Diagnostic settings

  4. Click on Edit Settings for the diagnostic settings entry

  5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security

Using Azure Command-Line Interface 2.0

Ensure the categories are set to Administrative, Alert, Policy, and Security:

az monitor diagnostic-settings subscription list

AZ PowerShell cmdlets

Ensure the categories Administrative, Alert, Policy, and Security are set to Enabled: True

Get-AzDiagnosticSetting -ResourceId subscriptions/<subscriptionID>
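The CLI audit step above returns JSON that still has to be read by eye. The following added example (not part of the benchmark text) evaluates saved output of `az monitor diagnostic-settings subscription list` against the four required categories; the JSON shape (`value` -> `logs` -> `category`/`enabled`) is assumed from that command's output, and the sample data is constructed.

```python
import json

# Categories the benchmark expects to be enabled on the Activity log diagnostic setting.
REQUIRED_CATEGORIES = ("Administrative", "Alert", "Policy", "Security")

# Constructed sample in the (assumed) shape returned by
# `az monitor diagnostic-settings subscription list`; not captured from a real tenant.
# "export-all" is compliant; "partial-export" lacks Policy and has Security disabled.
SAMPLE_OUTPUT = json.dumps({
    "value": [
        {
            "name": "export-all",
            "logs": [{"category": c, "enabled": True} for c in REQUIRED_CATEGORIES]
            + [{"category": "Recommendation", "enabled": False}],
        },
        {
            "name": "partial-export",
            "logs": [
                {"category": "Administrative", "enabled": True},
                {"category": "Alert", "enabled": True},
                {"category": "Security", "enabled": False},
            ],
        },
    ]
})


def missing_categories(cli_output: str, required=REQUIRED_CATEGORIES) -> dict:
    """Return {setting name: [required categories that are absent or disabled]}."""
    settings = json.loads(cli_output).get("value", [])
    report = {}
    for setting in settings:
        # A category counts only when it is present AND enabled.
        enabled = {e["category"] for e in setting.get("logs", []) if e.get("enabled")}
        report[setting["name"]] = [c for c in required if c not in enabled]
    return report


def is_compliant(cli_output: str) -> bool:
    """Pass only if at least one diagnostic setting exports every required category."""
    return any(not missing for missing in missing_categories(cli_output).values())


if __name__ == "__main__":
    for name, missing in missing_categories(SAMPLE_OUTPUT).items():
        print(f"{name}: {'OK' if not missing else 'MISSING ' + ', '.join(missing)}")
    print("compliant" if is_compliant(SAMPLE_OUTPUT) else "non-compliant")
```

Pipe real output in with `az monitor diagnostic-settings subscription list > settings.json` and pass the file contents to `missing_categories`; an empty `value` list (no diagnostic setting at all) is reported as non-compliant.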

Remediation:

From Azure Console

  1. Go to Azure Monitor

  2. Click Activity log

  3. Click on Diagnostic settings

  4. Click on Edit Settings for the diagnostic settings entry

  5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security


Backout Plan:

  1. Go to Azure Monitor

  2. Click Activity log

  3. Click on Diagnostic settings

  4. Click on Edit Settings for the diagnostic settings entry

  5. Ensure that only the Administrative category is selected

