Ensure that a 'Diagnostic Setting' exists

Ensure that Azure Monitor Logs is configured to export Activity Logs by setting the 'enabled' field to true for each log category in the JSON list passed in the 'logs' parameter.

Risk Level: Low
Cloud Entity: Azure Monitor Logs
CloudGuard Rule ID: D9.AZU.MON.47
Covered by Spectral: No
Category: Management Tools

GSL LOGIC

ActivityLogMonitor should have diagnosticSettings contain [ logs contain [ enabled=true ] ]

REMEDIATION

From Portal

  1. Sign in to Azure Management Console.
  2. Go to 'Azure Monitor'.
  3. Click on 'Diagnostic settings'.
  4. Click on the resource that has a diagnostics status of disabled.
  5. Click on 'Add diagnostic setting'.
  6. Enter a name for your new Diagnostic Setting.
  7. Select the appropriate log, metric, and destination. (This may be Log Analytics/Storage account or Event Hub).
  8. Repeat these steps for all resources as needed.
    Note: By default, diagnostic setting is not set.

From TF
Set the 'enabled' argument to 'true' as below. Note that newer azurerm provider versions replace the 'log' block with 'enabled_log', which has no 'enabled' argument; a category listed in an 'enabled_log' block is always exported.

resource "azurerm_monitor_diagnostic_setting" "example" {
	...
	# One log block per exported category; the rule checks that
	# at least one category has enabled = true.
	log {
		...
		category = "CATEGORY"
		enabled  = true
		...
	}
	...
}

From Command Line
Run

az monitor diagnostic-settings create --resource ID --name NAME --storage-account STORAGEACCOUNTNAME --logs '@{file}'

NOTE: Use '@{file}' to load the settings from a file. The file contains a JSON-encoded list of log settings (category, enabled, retentionPolicy).
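The following Python script is an added example, not part of the original rule page or the CloudGuard product. It does two things the GSL logic and the command-line remediation above describe: it builds the JSON list of log settings that the '--logs' parameter expects (the LogSettings shape from the REST API reference), and it evaluates the rule "diagnosticSettings contain [ logs contain [ enabled=true ] ]" over the JSON returned by a diagnostic settings listing. The activity log category names, the sample documents and the resource IDs are constructed for the example; the evaluator accepts both a bare list and a '{"value": [...]}' wrapper, because the list shape is an assumption here.

```python
import json

# Activity log categories as named in Azure Monitor (assumed set for this example).
ACTIVITY_LOG_CATEGORIES = [
    "Administrative", "Security", "ServiceHealth", "Alert",
    "Recommendation", "Policy", "Autoscale", "ResourceHealth",
]


def build_logs_payload(categories=ACTIVITY_LOG_CATEGORIES, enabled=True):
    """Return the JSON text to save to the file passed as --logs '@file'.

    Each entry follows the REST API LogSettings shape: category, enabled and a
    retentionPolicy. Retention is left off so the destination keeps its own policy.
    """
    settings = [
        {
            "category": category,
            "enabled": enabled,
            "retentionPolicy": {"enabled": False, "days": 0},
        }
        for category in categories
    ]
    return json.dumps(settings, indent=2)


def _settings_list(doc):
    """Accept either a bare JSON list of settings or a {"value": [...]} wrapper."""
    if isinstance(doc, dict):
        return doc.get("value", [])
    return doc


def enabled_log_categories(diagnostic_settings):
    """Categories that at least one diagnostic setting actually exports."""
    categories = set()
    for setting in _settings_list(diagnostic_settings):
        for log in setting.get("logs", []):
            # The rule is satisfied only by an explicit enabled=true.
            if log.get("enabled") is True and log.get("category"):
                categories.add(log["category"])
    return categories


def is_compliant(diagnostic_settings):
    """GSL: ActivityLogMonitor should have diagnosticSettings contain [ logs contain [ enabled=true ] ]."""
    return bool(enabled_log_categories(diagnostic_settings))


def evaluate_listing(json_text):
    """Evaluate the rule over the JSON text of a diagnostic settings listing."""
    doc = json.loads(json_text)
    return {
        "compliant": is_compliant(doc),
        "enabled_categories": sorted(enabled_log_categories(doc)),
    }


# Constructed sample: a setting exists but every category is disabled -> non-compliant.
NON_COMPLIANT_SAMPLE = json.dumps([{
    "name": "ds-disabled",
    "storageAccountId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
                        "Microsoft.Storage/storageAccounts/<storage-account>",
    "logs": [
        {"category": "Administrative", "enabled": False},
        {"category": "Security", "enabled": False},
    ],
}])

# Constructed sample: the {"value": [...]} wrapper, two categories enabled -> compliant.
COMPLIANT_SAMPLE = json.dumps({"value": [{
    "name": "ds-activity",
    "workspaceId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
                   "Microsoft.OperationalInsights/workspaces/<workspace>",
    "logs": [
        {"category": "Administrative", "enabled": True},
        {"category": "Security", "enabled": True},
        {"category": "Policy", "enabled": False},
    ],
}]})


if __name__ == "__main__":
    print("logs file for --logs '@file':")
    print(build_logs_payload())
    for label, sample in (("no setting", "[]"),
                          ("disabled", NON_COMPLIANT_SAMPLE),
                          ("enabled", COMPLIANT_SAMPLE)):
        print(label, evaluate_listing(sample))
```

Save the output of build_logs_payload() to a file and pass it with --logs '@file' to the create command above; run evaluate_listing() over the JSON that a diagnostic settings listing returns to confirm the remediation took effect. An empty listing (no diagnostic setting at all) is reported as non-compliant, which matches the portal note that no setting exists by default.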

References

  1. https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting
  3. https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_create
  4. https://learn.microsoft.com/en-us/rest/api/monitor/diagnostic-settings/create-or-update?tabs=HTTP#logsettings

Azure Monitor Logs

Azure Monitor Logs is a feature of Azure Monitor that collects and organizes log and performance data from monitored resources. Data from multiple sources can be consolidated into a single workspace.

Compliance Frameworks

  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset