Description
Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment.
Rationale
A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.
Audit
From Azure Portal
To identify Diagnostic Settings on a subscription:
- Go to Monitor.
- Click Activity Log.
- Click Export Activity Logs.
- Select a Subscription.
- Ensure a Diagnostic setting exists for the selected Subscription.
To identify Diagnostic Settings on specific resources:
- Go to Monitor.
- Click Diagnostic settings.
- Ensure that Diagnostics status is enabled on all appropriate resources.
From Azure CLI
To identify Diagnostic Settings on a subscription:
az monitor diagnostic-settings subscription list --subscription <subscription ID>
To identify Diagnostic Settings on a resource:
az monitor diagnostic-settings list --resource <resource Id>
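The CLI audit above returns JSON that still has to be read per subscription. The following added example (not part of the benchmark text) evaluates that output, for instance when saved with `-o json`. It is stricter than the existence check: a setting counts only if it has a destination and at least one enabled log category. The field names and the list-or-`value` wrapper are assumptions about the output shape, and the sample inputs are constructed.

```python
import json

# Destination fields assumed from the diagnostic-settings JSON shape.
DESTINATION_KEYS = ("storageAccountId", "workspaceId", "eventHubAuthorizationRuleId")


def load_settings(raw):
    """Accept a bare JSON list or an object wrapping the list in "value"."""
    data = json.loads(raw)
    if isinstance(data, dict):
        data = data.get("value", [])
    return data or []


def audit(raw):
    """Return (compliant, findings) for one subscription's CLI output."""
    settings = load_settings(raw)
    if not settings:
        return False, ["no diagnostic setting defined"]
    compliant, findings = False, []
    for s in settings:
        name = s.get("name", "<unnamed>")
        dests = [k for k in DESTINATION_KEYS if s.get(k)]
        cats = sorted(entry["category"] for entry in (s.get("logs") or [])
                      if entry.get("enabled") and entry.get("category"))
        if dests and cats:
            compliant = True
            findings.append(f"{name}: exports {', '.join(cats)} to {', '.join(dests)}")
        else:
            findings.append(f"{name}: no destination or no enabled log category")
    return compliant, findings


# Constructed sample outputs (placeholders instead of real resource IDs).
SAMPLE_OK = json.dumps([{
    "name": "export-activity",
    "workspaceId": "<workspace resource ID>",
    "logs": [{"category": "Administrative", "enabled": True},
             {"category": "Security", "enabled": True},
             {"category": "Alert", "enabled": False}],
}])
SAMPLE_WRAPPED_OFF = json.dumps({"value": [{
    "name": "unused",
    "storageAccountId": "<storage account resource ID>",
    "logs": [{"category": "Administrative", "enabled": False}],
}]})

if __name__ == "__main__":
    for label, raw in (("ok", SAMPLE_OK), ("empty", "[]"), ("off", SAMPLE_WRAPPED_OFF)):
        print(label, audit(raw))
```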
From PowerShell
To identify Diagnostic Settings on a Subscription:
Get-AzDiagnosticSetting -SubscriptionId <subscription ID>
To identify Diagnostic Settings on a specific resource:
Get-AzDiagnosticSetting -ResourceId <resource ID>
Default Value
By default, no diagnostic setting is configured.
References
- https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile
- https://learn.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation