Ensure Diagnostic Setting captures appropriate categories
Ensure that Azure Monitor Logs collects all types of activities in your account (Administrative, Alert, Policy and Security operations).
Risk Level: Low
Cloud Entity: Azure Monitor Logs
CloudGuard Rule ID: D9.AZU.MON.46
Covered by Spectral: Yes
Category: Management Tools
GSL LOGIC
ActivityLogMonitor should not have (diagnosticSettings contain [ logs contain-any [ category regexMatch /Alert|Security|Policy|Administrative/ and enabled = false ] ])
REMEDIATION
From Portal
- Sign in to the Azure portal.
- Go to 'Azure Monitor'.
- Click 'Activity log'.
- Click on 'Diagnostic settings'.
- Click on 'Add diagnostic setting'.
- Enter a name for your new Diagnostic Setting.
- Ensure that the following categories are checked: Administrative, Alert, Policy, and Security.
- Choose the destination details (Log Analytics workspace, storage account, or event hub) according to your organization's needs.
Note: By default, no diagnostic setting exists for the Activity log, so none of these categories is exported until one is created.
From TF
NOTE : Repeat the 'log' block for each of Administrative, Alert, Policy, and Security. For the Activity log, 'target_resource_id' is the subscription itself ("/subscriptions/<subscription-id>"). In azurerm provider 3.x the 'log' block is deprecated in favour of 'enabled_log' (which has no 'enabled' attribute; listing a category enables it), and provider 4.x removes 'log' entirely, so new configurations should use 'enabled_log':
resource "azurerm_monitor_diagnostic_setting" "example" {
...
log {
...
category = "CATEGORY"
enabled = true
...
}
...
}
From Command Line
Run
az monitor diagnostic-settings create --resource ID --name NAME --storage-account STORAGEACCOUNTNAME --logs '@{file}'
NOTE : For the Activity log, ID is the subscription resource ID (/subscriptions/<subscription-id>). Use '@{file}' to load the --logs value from a file containing a JSON-encoded list of log settings (each with 'category' and 'enabled', optionally 'retentionPolicy'), with one entry for each of Administrative, Alert, Policy, and Security. A Log Analytics workspace (--workspace) or event hub can be used as the destination instead of a storage account.
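As an added example (not CloudGuard's or Microsoft's code), the following Python evaluates diagnostic-setting objects against the four required categories in two ways and builds the list the CLI command above expects in its --logs file. The first check mirrors the GSL expression literally: it fires only when a setting lists one of the categories with enabled = false, so a setting that simply omits a category, or a subscription with no setting at all, is not matched by it. The second check tests the control's intent, that every required category is enabled by some setting. The sample settings are constructed, and accepting both the REST shape (properties.logs) and a flattened shape with logs at the top level is an assumption about how the az CLI prints its output.

```python
"""Evaluate Activity Log diagnostic settings against the four required
categories and build the --logs payload for the CLI remediation."""
import json
import re

REQUIRED_CATEGORIES = ("Administrative", "Alert", "Policy", "Security")
# The same pattern the GSL expression uses; regexMatch is a search, so re.search here.
CATEGORY_RE = re.compile(r"Alert|Security|Policy|Administrative")


def _logs(setting):
    # Accept the raw REST shape (properties.logs) as well as a flattened shape
    # with logs at the top level (assumed to be what `az ... list` prints).
    return setting.get("properties", setting).get("logs", [])


def violates_gsl_logic(diagnostic_settings):
    """Literal reading of the rule: True if any setting lists one of the
    four categories with enabled = false. Omitted categories do not count."""
    return any(
        CATEGORY_RE.search(log.get("category", "")) and log.get("enabled") is False
        for setting in diagnostic_settings
        for log in _logs(setting)
    )


def missing_categories(diagnostic_settings):
    """Stricter check of the control's intent: the required categories that
    no setting enables. Covers omitted categories and the no-setting case."""
    enabled = {
        log["category"]
        for setting in diagnostic_settings
        for log in _logs(setting)
        if log.get("enabled") is True
    }
    return [c for c in REQUIRED_CATEGORIES if c not in enabled]


def build_logs_payload(categories=REQUIRED_CATEGORIES):
    """List of log settings enabling each category. Dump it to a file and
    pass that file as --logs @file. retentionPolicy is optional and omitted."""
    return [{"category": c, "enabled": True} for c in categories]


# Constructed sample settings (not real subscription data).
COMPLIANT = {"name": "all-four", "properties": {"logs": [
    {"category": c, "enabled": True} for c in REQUIRED_CATEGORIES]}}
ALERT_DISABLED = {"name": "alert-off", "logs": [
    {"category": "Administrative", "enabled": True},
    {"category": "Alert", "enabled": False},
    {"category": "Policy", "enabled": True},
    {"category": "Security", "enabled": True}]}
SECURITY_OMITTED = {"name": "no-security", "logs": [
    {"category": "Administrative", "enabled": True},
    {"category": "Alert", "enabled": True},
    {"category": "Policy", "enabled": True}]}

if __name__ == "__main__":
    for s in (COMPLIANT, ALERT_DISABLED, SECURITY_OMITTED):
        print(s["name"], "gsl_violation =", violates_gsl_logic([s]),
              "missing =", missing_categories([s]))
    # Write the --logs file used by the az command in the remediation.
    with open("logs.json", "w") as fh:
        json.dump(build_logs_payload(), fh, indent=2)
```

Running the script shows the gap between the two checks: the setting that omits Security is clean under the literal GSL reading but still reports Security as missing. Feed real data by piping `az monitor diagnostic-settings list --resource /subscriptions/<subscription-id>` into `missing_categories`, and pass the generated logs.json as `--logs @logs.json`.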
References
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting
- https://learn.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az-monitor-diagnostic-settings-create
- https://learn.microsoft.com/en-us/rest/api/monitor/diagnostic-settings/create-or-update?tabs=HTTP#logsettings
Azure Monitor Logs
Azure Monitor Logs is a feature of Azure Monitor that collects and organizes log and performance data from monitored resources. Data from multiple sources can be consolidated into a single workspace.
Compliance Frameworks
- AZU PCI-DSS 4.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CloudGuard Best Practices
- Azure HITRUST v9.5.0
- Azure ITSG-33
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated about 1 year ago