Remediation
From Azure Portal
- Go to `Azure Monitor`.
- Click `Activity log`.
- Click on `Export Activity Logs`.
- Select the `Subscription` from the drop down menu.
- Click `Edit setting` next to a diagnostic setting.
- Check the following categories: `Administrative`, `Alert`, `Policy`, and `Security`.
- Choose the destination details according to your organization's needs.
- Click `Save`.
From Azure CLI
```bash
# Create a subscription-level diagnostic setting that exports the
# Administrative, Alert, Policy and Security Activity Log categories.
# Pass only the destination options your organization uses.
az monitor diagnostic-settings subscription create \
  --subscription {{subscription-id}} \
  --name {{diagnostic-setting-name}} \
  --location {{location}} \
  --event-hub-name {{event-hub-name}} \
  --event-hub-auth-rule {{event-hub-auth-rule-id}} \
  --storage-account {{storage-account-id}} \
  --workspace {{log-analytics-workspace-id}} \
  --logs "[{category:Security,enabled:true},{category:Administrative,enabled:true},{category:Alert,enabled:true},{category:Policy,enabled:true}]"
```
From PowerShell
```powershell
# Build one log-settings object per required Activity Log category.
$logCategories = @()
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Administrative -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Security -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Alert -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Policy -Enabled $true

# Create the subscription diagnostic setting; pass only the destination
# parameters your organization uses.
New-AzSubscriptionDiagnosticSetting `
  -SubscriptionId {{subscription-id}} `
  -Name {{diagnostic-setting-name}} `
  -EventHubAuthorizationRuleId {{event-hub-auth-rule-id}} `
  -EventHubName {{event-hub-name}} `
  -StorageAccountId {{storage-account-id}} `
  -WorkSpaceId {{log-analytics-workspace-id}} `
  -MarketplacePartnerId {{marketplace-partner-id}} `
  -Log $logCategories
```
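To confirm the remediation took effect, the following added example (not part of the original page or of any Azure tooling) audits the JSON printed by `az monitor diagnostic-settings subscription list` for the four required categories and a destination. The property names it reads (`logs`, `category`, `enabled`, `workspaceId`, `storageAccountId`, `eventHubAuthorizationRuleId`, `marketplacePartnerId`) are assumptions about that output, and the sample data is constructed.

```python
import json

REQUIRED = {"Administrative", "Alert", "Policy", "Security"}
# Assumed property names for the destinations in the CLI's JSON output.
DESTINATIONS = ("workspaceId", "storageAccountId",
                "eventHubAuthorizationRuleId", "marketplacePartnerId")

def audit_settings(raw_json):
    """Return {setting name: [findings]}; an empty list means the setting passes."""
    doc = json.loads(raw_json)
    # Accept both a bare list and a {"value": [...]} wrapper.
    settings = doc.get("value", []) if isinstance(doc, dict) else doc
    report = {}
    for s in settings:
        enabled = {log.get("category") for log in (s.get("logs") or [])
                   if log.get("enabled") is True}
        findings = [f"category not enabled: {c}"
                    for c in sorted(REQUIRED - enabled)]
        if not any(s.get(k) for k in DESTINATIONS):
            findings.append("no destination configured")
        report[s.get("name", "<unnamed>")] = findings
    return report

def _logs(**cats):
    # Helper that builds the constructed sample's "logs" array.
    return [{"category": c, "enabled": e} for c, e in cats.items()]

# Constructed sample, not captured from a real subscription.
SAMPLE = json.dumps({"value": [
    {"name": "full", "workspaceId": "constructed-workspace-id",
     "logs": _logs(Administrative=True, Alert=True, Policy=True, Security=True)},
    {"name": "partial", "storageAccountId": "constructed-storage-id",
     "logs": _logs(Administrative=True, Policy=True, Security=False)},
    {"name": "nodest",
     "logs": _logs(Administrative=True, Alert=True, Policy=True, Security=True)},
]})

if __name__ == "__main__":
    for name, findings in audit_settings(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

In practice, pipe the CLI's JSON output into `audit_settings` instead of `SAMPLE`.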