Description

Prerequisite: A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: "Ensure that a 'Diagnostic Setting' exists."

The diagnostic setting should be configured to log the appropriate activities from the control/management plane.

Rationale

A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.

Audit

From Azure Portal

Go to Azure Monitor.
Click Activity log.
Click on Export Activity Logs.
Select the appropriate Subscription.
Click Edit setting next to a diagnostic setting.
Ensure that the following categories are checked: Administrative, Alert, Policy, and Security.

From Azure CLI

Ensure the categories Administrative, Alert, Policy, and Security set to: enabled: true:

az monitor diagnostic-settings subscription list --subscription <subscription ID>

From Powershell

Ensure the categories Administrative, Alert, Policy, and Security are set to Enabled:True:

Get-AzSubscriptionDiagnosticSetting -Subscription <subscriptionID>

From Azure Policy

If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.

Policy ID: 3b980d31-7904-4bb7-8575-5665739a8052 - Name: An activity log alert should exist for specific Security operations
Policy ID: b954148f-4c11-4c38-8221-be76711e194a - Name: An activity log alert should exist for specific Administrative operations
Policy ID: c5447c04-a4d7-4ba8-a263-c9ee321a6858 - Name: An activity log alert should exist for specific Policy operations

Default Value

When the diagnostic setting is created using Azure Portal, by default no categories are selected.

Rationale​

Audit​

From Azure Portal​

From Azure CLI​

From Powershell​

From Azure Policy​

Default Value​

References​