Description:
The diagnostic setting should be configured to log the appropriate activities from the control/management plane.
Rationale:
A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.
Impact:
Enabling a diagnostic setting sends metrics for certain Azure services into Azure Monitor Logs, where they can be analysed together with other monitoring data using log queries, subject to certain limitations.
Default Value:
When the diagnostic setting is created using Azure Portal, by default no categories are selected.
Audit:
From Azure Console
Go to Azure Monitor
Click Activity log
Click on Diagnostic settings
Click on Edit Settings for the diagnostic settings entry
Ensure that the following categories are checked: Administrative, Alert, Policy, and Security
Using Azure Command-Line Interface 2.0
Ensure the categories are set to Administrative, Alert, Policy, and Security
az monitor diagnostic-settings subscription list
AZ PowerShell cmdlets
Ensure the categories Administrative, Alert, Policy, and Security are set to Enabled: True
Get-AzDiagnosticSetting -ResourceId /subscriptions/<subscriptionID>
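As an added illustration of the audit step (not part of the benchmark text itself), the following script checks the JSON returned by the Azure CLI command above for the four required categories. The JSON shape (a "value" list of settings, each with a "logs" list of category/enabled pairs) and the sample data are assumptions; verify them against your own CLI output.

```python
import json

# Activity log categories the control requires to be exported
REQUIRED_CATEGORIES = {"Administrative", "Alert", "Policy", "Security"}

# Constructed sample resembling the output of
# `az monitor diagnostic-settings subscription list` (shape is an assumption).
# The first setting is compliant; the second exports only Administrative.
SAMPLE_OUTPUT = """
{
  "value": [
    {
      "name": "activity-to-law",
      "logs": [
        {"category": "Administrative", "enabled": true},
        {"category": "Security", "enabled": true},
        {"category": "Alert", "enabled": true},
        {"category": "Policy", "enabled": true},
        {"category": "Recommendation", "enabled": false}
      ]
    },
    {
      "name": "admin-only",
      "logs": [
        {"category": "Administrative", "enabled": true},
        {"category": "Security", "enabled": false}
      ]
    }
  ]
}
"""


def enabled_categories(setting):
    """Return the set of log categories a single diagnostic setting exports."""
    return {log["category"] for log in setting.get("logs", []) if log.get("enabled")}


def audit_settings(cli_json):
    """Map each diagnostic setting name to the required categories it is missing.

    An empty set means that setting satisfies the control."""
    data = json.loads(cli_json)
    return {s["name"]: REQUIRED_CATEGORIES - enabled_categories(s) for s in data.get("value", [])}


def subscription_compliant(cli_json):
    """True if at least one diagnostic setting exports every required category."""
    return any(not missing for missing in audit_settings(cli_json).values())


if __name__ == "__main__":
    for name, missing in audit_settings(SAMPLE_OUTPUT).items():
        print(f"{name}: {'OK' if not missing else 'MISSING ' + ', '.join(sorted(missing))}")
```

To audit a real subscription, pass the CLI's JSON output to audit_settings instead of SAMPLE_OUTPUT; a subscription with no diagnostic setting at all is reported as non-compliant because the "value" list is empty.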
Remediation:
From Azure Console
Go to Azure Monitor
Click Activity log
Click on Diagnostic settings
Click on Edit Settings for the diagnostic settings entry
Ensure that the following categories are checked: Administrative, Alert, Policy, and Security
Backout Plan:
Go to Azure Monitor
Click Activity log
Click on Diagnostic settings
Click on Edit Settings for the diagnostic settings entry
Ensure that only the Administrative category is selected