🛡️ Azure Diagnostic Setting captures Administrative, Alert, Policy, and Security categories🟢

Contextual name: 🛡️ Diagnostic Setting captures Administrative, Alert, Policy, and Security categories🟢
ID: /ce/ca/azure/monitor/diagnostic-setting-categories
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY, RELIABILITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Azure Diagnostic Setting
- 🔌 Azure Diagnostic Setting - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Internal: dec-x-a193b20f

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-a193b20f	1

Description

Open File

Description

Prerequisite: A Diagnostic Setting must exist. If one does not exist, the navigation and options within this recommendation are not available. Review the recommendation at the beginning of this subsection titled: "Ensure that a 'Diagnostic Setting' exists."

The diagnostic setting should be configured to log the appropriate activities from the control/management plane.

Rationale

A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.

Audit

This policy flags an Azure Subscription Diagnostic Setting as INCOMPLIANT if the Logs JSON does not capture one of the following categories: Administrative, Alert, Policy, Security.

Default Value

When the diagnostic setting is created using Azure Portal, by default no categories are selected.

References

https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings

https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/resource-manager-diagnostic-settings

... see more

Remediation

Open File

Remediation

From Azure Portal

Go to Azure Monitor.

Click Activity log.

Click on Export Activity Logs.

Select the Subscription from the drop down menu.

Click Edit setting next to a diagnostic setting.

Check the following categories: Administrative, Alert, Policy, and Security.

Choose the destination details according to your organization's needs.

Click Save.

From Azure CLI
az monitor diagnostic-settings subscription create \
    --subscription {{subscription-id}} \
    --name {{diagnostic-setting-name}} \
    --location {{location}} \
    --event-hub {{event-hub-id}} \
    --event-hub-auth-rule {{event-hub-auth-rule-id}} \
    --storage-account {{storage-account-id}} \
    --workspace {{log-analytics-workspace-id}} \
    --logs "[{category:Security,enabled:true},{category:Administrative,enabled:true},{category:Alert,enabled:true},{category:Policy,enabled:true}]"
From PowerShell
$logCategories = @()
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Administrative -Enabled $true

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 APRA CPG 234 → 💼 8 For accountability purposes, a regulated entity would typically ensure that users and information assets are uniquely identified and their actions are logged at a sufficient level of granularity to support information security monitoring processes.		2	2	no data
💼 APRA CPG 234 → 💼 16b situational awareness and intelligence;		6	7	no data
💼 APRA CPG 234 → 💼 16f information security reporting and analytics;		9	11	no data
💼 APRA CPG 234 → 💼 36j monitoring controls — for timely detection of compromises to information security;		9	11	no data
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;		19	22	no data
💼 APRA CPG 234 → 💼 e. use of, and access to, information assets is attributable to an individual, hardware or software, and activity logged and monitored;		2	2	no data
💼 CIS Azure v1.3.0 → 💼 5.1.2 Ensure Diagnostic Setting captures appropriate categories - Level 1 (Automated)		1	1	no data
💼 CIS Azure v1.4.0 → 💼 5.1.2 Ensure Diagnostic Setting captures appropriate categories - Level 1 (Automated)		1	1	no data
💼 CIS Azure v1.5.0 → 💼 5.1.2 Ensure Diagnostic Setting captures appropriate categories - Level 1 (Automated)		1	1	no data
💼 CIS Azure v2.0.0 → 💼 5.1.2 Ensure Diagnostic Setting captures appropriate categories - Level 1 (Automated)		1	1	no data
💼 CIS Azure v2.1.0 → 💼 5.1.2 Ensure Diagnostic Setting captures appropriate categories - Level 1 (Automated)		1	1	no data
💼 CIS Azure v3.0.0 → 💼 6.1.2 Ensure Diagnostic Setting captures appropriate categories (Automated)			1	no data
💼 CIS Azure v4.0.0 → 💼 7.1.1.2 Ensure Diagnostic Setting captures appropriate categories (Automated)			1	no data
💼 CIS Azure v5.0.0 → 💼 6.1.1.2 Ensure Diagnostic Setting captures appropriate categories (Automated)			1	no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			77	no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			21	no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	31	no data
💼 FedRAMP High Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H)			14	no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		73	no data
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	4		41	no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	56	no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			73	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			21	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			31	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3(1) Additional Audit Information (M)(H)			14	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			73	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	2		24	no data
💼 ISO/IEC 27001:2022 → 💼 5.28 Collection of evidence		14	21	no data
💼 ISO/IEC 27001:2022 → 💼 8.15 Logging		18	34	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180	no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			100	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181	no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			49	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		14	21	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	24	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3(1) Content of Audit Records _ Additional Audit Information		13	14	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	73	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control	8	17	41	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Audit​

Default Value​

References​

Remediation​

Remediation​

From Azure Portal​

From Azure CLI​

From PowerShell​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Audit

Default Value

References

Remediation

Remediation

From Azure Portal

From Azure CLI

From PowerShell

policy.yaml

Linked Framework Sections