Description:

Azure resources generate control-plane (management-plane) logs that capture administrative operations such as create, update, delete, policy enforcement, access changes, and configuration modifications. A Diagnostic Setting must be configured for each supported resource to capture these control-plane log categories and export them to a Log Analytics Workspace, Storage Account, or Event Hub. Enabling this ensures visibility into administrative activity across Azure resources.


Rationale:

If control-plane logging is not enabled, critical administrative operations may go unlogged. This prevents detection of unauthorized changes, hinders forensic investigations, weakens compliance, and creates gaps in audit trails. Capturing these logs is essential for monitoring configuration drift, identifying risky changes, and supporting governance and regulatory requirements.


Impact:

  • Ensures full visibility into administrative and configuration activities

  • Improves detection of unauthorized or suspicious management operations

  • Supports governance, monitoring, and compliance reporting

  • Enables SIEM ingestion (Sentinel, Splunk, QRadar) for audit and security analysis

  • Provides evidence for forensic investigations during security incidents


Default Value:

Most Azure services have no Diagnostic Settings enabled by default. Manual configuration is required.


Pre-Requisites:

  • Log Analytics Workspace, Storage Account, or Event Hub must exist

  • Permission to manage diagnostic settings (Microsoft.Insights/diagnosticSettings/*) and Read permission on the resource

  • Review of supported log categories per resource type


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Subscriptions

  3. Select the target subscription

  4. From the left menu, select Activity log

  5. Click Export Activity Logs

  6. Open Diagnostic settings

  7. Select the diagnostic setting and click Edit settings

  8. Verify Administrative, Security, ServiceHealth, Alert, and Policy logs are enabled

  9. Confirm that the diagnostic setting is enabled and exporting logs

  10. If the required categories are not enabled, follow the implementation steps



Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Subscriptions

  3. Select the target subscription

  4. From the left menu, select Activity log

  5. Click Export Activity Logs

  6. Click Add diagnostic setting

  7. Enter a name for the diagnostic setting

  8. Enable Administrative, Security, ServiceHealth, Alert, and Policy logs

  9. Select an export destination (Log Analytics workspace, Storage account, or Event Hub)

  10. Save the diagnostic setting
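The check that the Test Plan performs in the portal can also be run against the JSON returned by the Azure CLI (az monitor diagnostic-settings subscription list). The following is an added example, not part of this control text or of any Microsoft tool; it assumes the CLI output shape (a "value" list of settings, each with a "logs" array of {category, enabled} entries and destination fields named workspaceId, storageAccountId or eventHubAuthorizationRuleId), and the sample input is constructed.

```python
"""Audit subscription-level Activity Log diagnostic settings for the required categories.

Added example (constructed, not from the benchmark). Assumed input shape: the JSON that
`az monitor diagnostic-settings subscription list` prints, i.e. {"value": [setting, ...]}
where each setting has "logs": [{"category": ..., "enabled": ...}] and destination fields
"workspaceId", "storageAccountId" or "eventHubAuthorizationRuleId".
"""
import json

REQUIRED_CATEGORIES = {"Administrative", "Security", "ServiceHealth", "Alert", "Policy"}
DESTINATION_FIELDS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


def evaluate_setting(setting: dict) -> dict:
    """Report missing required categories and whether any export destination is configured."""
    enabled = {log["category"] for log in setting.get("logs", []) if log.get("enabled")}
    missing = sorted(REQUIRED_CATEGORIES - enabled)
    has_destination = any(setting.get(field) for field in DESTINATION_FIELDS)
    return {
        "name": setting.get("name", "<unnamed>"),
        "missing_categories": missing,
        "has_destination": has_destination,
        "compliant": not missing and has_destination,
    }


def audit(cli_output: str) -> list:
    """Evaluate every diagnostic setting in the CLI JSON output (wrapper object or bare list)."""
    data = json.loads(cli_output)
    settings = data["value"] if isinstance(data, dict) else data
    return [evaluate_setting(s) for s in settings]


def is_compliant(cli_output: str) -> bool:
    """The control passes when at least one setting exports all five categories somewhere."""
    return any(result["compliant"] for result in audit(cli_output))


# Constructed sample: the first setting exports only Administrative to a workspace,
# the second enables all five categories but has no destination, so the control fails.
SAMPLE = json.dumps({"value": [
    {"name": "export-admin", "workspaceId": "/subscriptions/<sub-id>/.../workspaces/la-prod",
     "logs": [{"category": "Administrative", "enabled": True},
              {"category": "Security", "enabled": False}]},
    {"name": "all-cats-no-dest", "workspaceId": None,
     "logs": [{"category": c, "enabled": True} for c in sorted(REQUIRED_CATEGORIES)]},
]})

if __name__ == "__main__":
    for result in audit(SAMPLE):
        print(result)
    print("control passes:", is_compliant(SAMPLE))  # prints False for the sample above
```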


Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Subscriptions

  3. Select the target subscription

  4. From the left menu, select Activity log

  5. Click Export Activity Logs

  6. Open Diagnostic settings

  7. Select the diagnostic setting

  8. Click Edit settings

  9. Disable the previously enabled log categories

  10. Save the diagnostic setting


Reference: