Description
Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Configure settings for all appropriate resources in your environment.
Rationale
A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration to analyze security activities within an Azure subscription.
Audit
From Azure Portal
To identify Diagnostic Settings on a subscription:
- Go to Monitor.
- Click Activity Log.
- Click Export Activity Logs.
- Select a Subscription.
- Ensure a Diagnostic setting exists for the selected Subscription.
To identify Diagnostic Settings on specific resources:
- Go to Monitor.
- Click Diagnostic settings.
- Ensure that Diagnostics status is enabled on all appropriate resources.
From Azure CLI
To identify Diagnostic Settings on a subscription:
az monitor diagnostic-settings subscription list --subscription {{subscription-id}}
To identify Diagnostic Settings on a resource:
az monitor diagnostic-settings list --resource {{resource-id}}
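The following is an added example, not part of the original benchmark text: a Python check that evaluates saved JSON output from the two commands above and, going one step beyond the existence check, also flags settings that have no export destination or no enabled log category. It assumes the output is either a bare list or an object with a "value" array and that settings carry the fields named in DESTINATIONS plus "logs"; the scope names and sample data are constructed.

```python
import json

# Destination fields assumed to appear in `az monitor diagnostic-settings` JSON
# output; verify against the output of your CLI version.
DESTINATIONS = ("storageAccountId", "workspaceId", "eventHubAuthorizationRuleId")

# Constructed sample outputs keyed by scope (placeholders, not real tenant data).
SAMPLE = {
    "subscription <subscription-id>": '{"value": [{"name": "export-activity",'
        ' "workspaceId": "/subscriptions/<subscription-id>/placeholder-workspace",'
        ' "logs": [{"category": "Administrative", "enabled": true}]}]}',
    "resource kv-example": "[]",
    "resource vm-example": '[{"name": "stub", "storageAccountId": null,'
        ' "logs": [{"category": "AuditEvent", "enabled": false}]}]',
}

def load_settings(cli_json):
    """Accept a bare JSON list or an object wrapping the list in "value"."""
    data = json.loads(cli_json) if cli_json.strip() else []
    if isinstance(data, dict):
        data = data.get("value", [])
    return data or []

def audit_scope(scope, cli_json):
    """Return findings for one subscription or resource; an empty list is a pass."""
    settings = load_settings(cli_json)
    if not settings:
        return [f"{scope}: no diagnostic setting configured"]
    findings, exporting = [], False
    for s in settings:
        name = s.get("name", "<unnamed>")
        has_dest = any(s.get(k) for k in DESTINATIONS)
        enabled = [l.get("category") or l.get("categoryGroup")
                   for l in (s.get("logs") or []) if l.get("enabled")]
        if not has_dest:
            findings.append(f"{scope}: setting '{name}' has no export destination")
        if not enabled:
            findings.append(f"{scope}: setting '{name}' has no enabled log category")
        exporting = exporting or (has_dest and bool(enabled))
    # One setting that really exports logs is enough for the scope to pass.
    return [] if exporting else findings

def audit_all(outputs):
    return [f for scope, out in outputs.items() for f in audit_scope(scope, out)]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE):
        print(finding)
```

To use it on real data, save each command's output with `-o json` and pass the text to audit_scope together with a label for the scope.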
From PowerShell
To identify Diagnostic Settings on a Subscription:
Get-AzDiagnosticSetting -SubscriptionId {{subscription-id}}
To identify Diagnostic Settings on a specific resource:
Get-AzDiagnosticSetting -ResourceId {{resource-id}}
Default Value
By default, diagnostic settings are not configured.
References
- https://learn.microsoft.com/en-us/azure/azure-monitor/fundamentals/data-sources
- https://learn.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation