π Azure Diagnostic Setting captures Administrative, Alert, Policy, and Security categories π’
- Contextual name: π Diagnostic Setting captures Administrative, Alert, Policy, and Security categories π’
- ID:
/ce/ca/azure/monitor/diagnostic-setting-categories - Located in: π Azure Monitor
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITYRELIABILITY
Similar Policiesβ
- Internal
dec-x-a193b20f
Similar Internal Rulesβ
| Rule | Policies | Flags |
|---|---|---|
| βοΈ dec-x-a193b20f | 1 |
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
Prerequisite: A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: "Ensure that a 'Diagnostic Setting' exists."
The diagnostic setting should be configured to log the appropriate activities from the control/management plane.
Rationaleβ
A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.
Auditβ
This policy flags an Azure Subscription Diagnostic Setting as
INCOMPLIANTif theLogs JSONdoes not capture one of the following categories: Administrative, Alert, Policy, Security.Default Valueβ
When the diagnostic setting is created using Azure Portal, by default no categories are selected.
Referencesβ
... see more
Remediationβ
Remediationβ
From Azure Portalβ
- Go to
Azure Monitor.- Click
Activity log.- Click on
Export Activity Logs.- Select the
Subscriptionfrom the drop down menu.- Click
Edit settingnext to a diagnostic setting.- Check the following categories:
Administrative,Alert,Policy, andSecurity.- Choose the destination details according to your organization's needs.
- Click
Save.From Azure CLIβ
az monitor diagnostic-settings subscription create --subscription <subscription id> --name <diagnostic settings name> --location <location> --event-hub <event hub ID> --event-hub-auth-rule <event hub auth rule ID> --storage-account <storage account ID> --workspace <log analytics workspace ID> --logs "[{category:Security,enabled:true},{category:Administrative,enabled:true},{category:Alert,enabled:true},{category:Policy,enabled:true}]"From PowerShellβ
$logCategories = @(); $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Administrative -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Security -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Alert -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Policy -Enabled $true New-AzSubscriptionDiagnosticSetting -SubscriptionId <subscription ID> -Name <Diagnostic settings name> <[-EventHubAuthorizationRule <event hub auth rule ID> -EventHubName <event hub name>] [-StorageAccountId <storage account ID>] [-WorkSpaceId <log analytics workspace ID>] [-MarketplacePartner ID <full ARM Marketplace resource ID>]> -Log $logCategories
... [see more](remediation.md)