Skip to main content

πŸ›‘οΈ Azure Diagnostic Setting exists for Subscription Activity Logs🟒βšͺ

  • Contextual name: πŸ›‘οΈ Diagnostic Setting exists for Subscription Activity Logs🟒βšͺ
  • ID: /ce/ca/azure/monitor/diagnostic-setting-for-subscription-activity-logs
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description​

Open File

Description​

Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Configure settings for all appropriate resources in your environment.

Rationale​

A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration to analyze security activities within an Azure subscription.

Audit​

From Azure Portal​

To identify Diagnostic Settings on a subscription:

  1. Go to Monitor.
  2. Click Activity Log.
  3. Click Export Activity Logs.
  4. Select a Subscription.
  5. Ensure a Diagnostic settings exists for the selected Subscription.

To identify Diagnostic Settings on specific resources:

  1. Go to Monitor.
  2. Click Diagnostic settings.
  3. Ensure that Diagnostics status is enabled on all appropriate resources.
From Azure CLI​

To identify Diagnostic Settings on a subscription:

az monitor diagnostic-settings subscription list --subscription {{subscription-id}}

... [see more](description.md)

Remediation​

Open File

Remediation​

From Azure Portal​

To enable Diagnostic Settings on a Subscription:

  1. Go to Monitor.
  2. Click on Activity Log.
  3. Click on Export Activity Logs.
  4. Click + Add diagnostic setting.
  5. Enter a Diagnostic setting name.
  6. Select Categories for the diagnostic settings.
  7. Select the appropriate Destination details (this may be Log Analytics, Storage Account, Event Hub, or Partner solution).
  8. Click Save.

To enable Diagnostic Settings on a specific resource:

  1. Go to Monitor.
  2. Click Diagnostic settings.
  3. Click on the resource that has a diagnostics status of disabled.
  4. Select Add Diagnostic Setting.
  5. Enter a Diagnostic setting name.
  6. Select the appropriate log, metric, and destination. (this may be Log Analytics, Storage Account, Event Hub, or Partner solution).
  7. Click Save.

Repeat these steps for all resources as needed.

From Azure CLI​

To configure Diagnostic Settings on a Subscription:

az monitor diagnostic-settings subscription create \
    --subscription {{subscription-id}} \

... [see more](remediation.md)

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS Azure v5.0.0 β†’ πŸ’Ό 6.1.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration75no data