
πŸ“ Azure Diagnostic Setting exists for Subscription Activity Logs 🟒

  • Contextual name: Diagnostic Setting exists for Subscription Activity Logs
  • ID: /ce/ca/azure/monitor/diagnostic-setting-for-subscription-activity-logs
  • Located in: Azure Monitor

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Description

Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment.

Rationale

A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.

Audit

From Azure Portal

To identify Diagnostic Settings on a subscription:

  1. Go to Monitor.
  2. Click Activity Log.
  3. Click Export Activity Logs.
  4. Select a Subscription.
  5. Ensure a Diagnostic setting exists for the selected Subscription.

To identify Diagnostic Settings on specific resources:

  1. Go to Monitor.
  2. Click Diagnostic settings.
  3. Ensure that Diagnostics status is enabled on all appropriate resources.

From Azure CLI

To identify Diagnostic Settings on a subscription:


Remediation

From Azure Portal

To enable Diagnostic Settings on a Subscription:

  1. Go to Monitor.
  2. Click on Activity Log.
  3. Click on Export Activity Logs.
  4. Click + Add diagnostic setting.
  5. Enter a Diagnostic setting name.
  6. Select Categories for the diagnostic settings.
  7. Select the appropriate Destination details (this may be Log Analytics, Storage Account, Event Hub, or Partner solution).
  8. Click Save.

To enable Diagnostic Settings on a specific resource:

  1. Go to Monitor.
  2. Click Diagnostic settings.
  3. Click on the resource that has a diagnostics status of disabled.
  4. Select Add Diagnostic Setting.
  5. Enter a Diagnostic setting name.
  6. Select the appropriate log, metric, and destination (this may be Log Analytics, Storage Account, Event Hub, or Partner solution).
  7. Click Save.

Repeat these steps for all resources as needed.

From Azure CLI

To configure Diagnostic Settings on a Subscription:

```
az monitor diagnostic-settings subscription create --subscription <subscription id> --name <diagnostic settings name> --location <location> --event-hub <event hub ID> --event-hub-auth-rule <event hub auth rule ID> --storage-account <storage account ID> --workspace <log analytics workspace ID> --logs "<JSON encoded categories>"
```

For example, `--logs` may be given as `[{category:Security,enabled:true},{category:Administrative,enabled:true},{category:Alert,enabled:true},{category:Policy,enabled:true}]`.
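As an added example (not part of the benchmark text or Cloudaware's own tooling), the following Python check evaluates the JSON returned by `az monitor diagnostic-settings subscription list -o json` against this control: at least one setting must have a real destination and, between the usable settings, the Administrative, Security, Alert and Policy categories from the command above must all be exported. The sample document is constructed, and the field names (`value`, `logs`, `workspaceId`, `storageAccountId`, `eventHubAuthorizationRuleId`) are assumed to match the subscription diagnostic-setting shape the CLI prints.

```python
import json

# Categories the remediation command enables; the control is only satisfied
# when every one of them is exported by a setting that has a destination.
REQUIRED_CATEGORIES = {"Administrative", "Security", "Alert", "Policy"}

# Destination fields of a subscription diagnostic setting (assumed CLI/REST shape).
DESTINATION_FIELDS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


def enabled_categories(setting):
    """Return the set of activity-log categories a single setting exports."""
    return {log["category"] for log in setting.get("logs", []) if log.get("enabled")}


def has_destination(setting):
    """A setting without any destination exports nothing, whatever its categories."""
    return any(setting.get(field) for field in DESTINATION_FIELDS)


def evaluate(cli_output):
    """Evaluate CLI output (JSON text, a {"value": [...]} dict, or a bare list).

    Returns (compliant, sorted missing categories, names of usable settings).
    """
    doc = json.loads(cli_output) if isinstance(cli_output, str) else cli_output
    settings = doc.get("value", doc) if isinstance(doc, dict) else doc
    usable = [s for s in settings if has_destination(s)]
    covered = set().union(*(enabled_categories(s) for s in usable))
    missing = REQUIRED_CATEGORIES - covered
    return (not missing, sorted(missing), [s["name"] for s in usable])


# Constructed sample: "to-law" exports to a workspace but leaves Policy disabled;
# "orphan" enables every category yet has no destination, so it must not count.
ALL = ("Administrative", "Security", "Alert", "Policy")
SAMPLE = json.dumps({"value": [
    {"name": "to-law",
     "workspaceId": "/subscriptions/CONSTRUCTED/resourceGroups/rg/providers/"
                    "Microsoft.OperationalInsights/workspaces/law",
     "logs": [{"category": c, "enabled": c != "Policy"} for c in ALL]},
    {"name": "orphan", "logs": [{"category": c, "enabled": True} for c in ALL]},
]})

if __name__ == "__main__":
    ok, missing, names = evaluate(SAMPLE)
    print("compliant" if ok else f"non-compliant: missing {missing}; usable settings {names}")
```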

... [see more](remediation.md)

policy.yaml

Linked Framework Sections

| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| CIS Azure v2.1.0 → 5.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs - Level 1 (Manual) | | | 1 | |
| CIS Azure v3.0.0 → 6.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs (Manual) | | | 1 | |
| Cloudaware Framework → Logging and Monitoring Configuration | | | 49 | |