Ensure Diagnostic Setting captures appropriate categories

Ensure that Azure Monitor Logs collects all types of activities in your account (Administrative, Alert, Policy and Security operations).

Risk Level: Low
Cloud Entity: Azure Monitor Logs
CloudGuard Rule ID: D9.AZU.MON.46
Covered by Spectral: Yes
Category: Management Tools

GSL LOGIC

ActivityLogMonitor should not have (diagnosticSettings contain [ logs contain-any [ category regexMatch /Alert|Security|Policy|Administrative/ and enabled = false ] ])

REMEDIATION

From Portal

  1. Sign in to Azure Management Console.
  2. Go to 'Azure Monitor'.
  3. Click 'Activity log'.
  4. Click on 'Diagnostic settings'.
  5. Click on 'Add diagnostic setting'.
  6. Enter a name for your new Diagnostic Setting.
  7. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security.
  8. Choose the destination details according to your organization's needs.
    Note: By default, no diagnostic setting is configured for the Activity log.

From TF
NOTE: Repeat the 'log' block once for each of Administrative, Alert, Policy, and Security:

resource "azurerm_monitor_diagnostic_setting" "example" {
	...
	log {
		...
		category = "CATEGORY"
		enabled  = true
		...
	}
	...
}

From Command Line
Run

az monitor diagnostic-settings create --resource ID --name NAME --storage-account STORAGEACCOUNTNAME --logs '@{file}'

NOTE: Use '@{file}' to load the log settings from a file. The file contains a JSON-encoded list of log settings, one entry per category with its 'enabled' flag.
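As an added example (not from the CloudGuard page or the Azure CLI), the following Python builds the '@{file}' log-settings JSON for the four required categories and applies the rule's GSL logic to a constructed diagnostic settings list shaped like the CLI's list output. The unconfigured-category check goes beyond the GSL above, which only flags a required category that is present and explicitly disabled.

```python
import json
import re

# The four categories the rule requires; the regex is the one from the GSL logic above.
REQUIRED_CATEGORIES = ("Administrative", "Alert", "Policy", "Security")
CATEGORY_RE = re.compile(r"Alert|Security|Policy|Administrative")


def build_logs_settings(categories=REQUIRED_CATEGORIES):
    """JSON text for the CLI's --logs '@{file}' argument, with every required category enabled."""
    return json.dumps([{"category": c, "enabled": True} for c in categories], indent=2)


def disabled_required_categories(diagnostic_settings):
    """The GSL check: (setting name, category) pairs where a required category is present but not enabled."""
    findings = []
    for setting in diagnostic_settings:
        for log in setting.get("logs", []):
            if CATEGORY_RE.search(log.get("category", "")) and not log.get("enabled", False):
                findings.append((setting["name"], log["category"]))
    return findings


def unconfigured_required_categories(diagnostic_settings):
    """Stricter than the GSL: required categories that no diagnostic setting mentions at all."""
    seen = {log["category"] for s in diagnostic_settings for log in s.get("logs", [])}
    return [c for c in REQUIRED_CATEGORIES if c not in seen]


# Constructed sample shaped like `az monitor diagnostic-settings list` output for an
# Activity log: Security is configured but disabled, Alert is not configured at all.
SAMPLE_SETTINGS = [
    {
        "name": "activity-to-storage",
        "logs": [
            {"category": "Administrative", "enabled": True},
            {"category": "Security", "enabled": False},
            {"category": "Policy", "enabled": True},
            {"category": "ServiceHealth", "enabled": False},  # not required by the rule; ignored
        ],
    }
]

if __name__ == "__main__":
    print("disabled:", disabled_required_categories(SAMPLE_SETTINGS))
    print("not configured:", unconfigured_required_categories(SAMPLE_SETTINGS))
    # Write the file that the remediation command loads with --logs '@activity-logs.json'.
    with open("activity-logs.json", "w") as fh:
        fh.write(build_logs_settings())
```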

References

  1. https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting
  3. https://learn.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az-monitor-diagnostic-settings-create
  4. https://learn.microsoft.com/en-us/rest/api/monitor/diagnostic-settings/create-or-update?tabs=HTTP#logsettings

Azure Monitor Logs

Azure Monitor Logs is a feature of Azure Monitor that collects and organizes log and performance data from monitored resources. Data from multiple sources can be consolidated into a single workspace.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset