Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Diagnostic Logs

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

To collect detailed information on resource operations, ensure that Diagnostic Logs are enabled for your Microsoft Azure AI Foundry instances. Diagnostic Logs provide detailed insights into operations, helps identify and resolve issues quickly, ensures compliance with governance policies, and supports auditing and analysis of resource usage and performance.

Security
Reliability
Operational
excellence
Cost
optimisation
Performance
efficiency

By default, Diagnostic Logs are not enabled for your Azure AI Foundry instances. Without Diagnostic Logs, the visibility into your Azure data plane is greatly reduced. This diminishes your organization's ability to detect potential attacks, unauthorized requests, or other malicious activity. For example, without Diagnostic Logs, it would be difficult to tell which entities had accessed a breached data store. In addition, alerts for failed attempts to access APIs for Azure database services are only possible when diagnostic logging is enabled. Once collected, Diagnostic Logs should be sent to a storage account and a Log Analytics Workspace or an equivalent third-party system. The log files should be kept in readily accessible storage for at least one year, and then moved to inexpensive cold storage for a longer duration (for security and compliance auditing).

Audit

To determine if Diagnostic Logs are enabled for your Azure AI Services (AI Foundry) instances, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure AI Foundry for Value, then choose Apply to list the Azure AI Services (AI Foundry) instances available in the selected subscription.

05 Click on the name (link) of the AI Foundry instance that you want to examine.

06 In the resource navigation panel, under Monitoring, select Diagnostic settings.

07 On the Diagnostic settings page, check for any diagnostic settings created for your AI Foundry instance. If there are no diagnostic settings available, the Diagnostic Logs monitoring feature is not enabled for the selected Azure AI Foundry instance. If one or more diagnostic settings were created for your security policy, choose the diagnostic setting that you want to examine, and select Edit setting. Check the Categories list under Logs to determine the logging configuration available for your instance. Repeat this step for each diagnostic setting created for the selected Azure resource. If one or more log categories are not selected under Categories, Diagnostic Logs are not enabled for the selected Azure AI Foundry instance.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cognitiveservices account list command (Windows/macOS/Linux) with custom output filters to list the resource identifier (ID) of each Azure AI Services (AI Foundry) instance available within the current subscription: 

az cognitiveservices account list
	--query '[?(kind==`AIServices`)].id'

05 The command output should return the requested AI Foundry instance identifiers: 

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.CognitiveServices/accounts/cc-project5-ai-service-instance",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.CognitiveServices/accounts/cc-project5-ai-foundry-instance"
]

06 Run monitor diagnostic-settings list command (Windows/macOS/Linux) with the ID of the Azure AI Foundry instance that you want to examine as the identifier parameter and custom output filters to describe the name of each diagnostics setting configured for the selected instance: 

az monitor diagnostic-settings list
	--resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.CognitiveServices/accounts/cc-project5-ai-service-instance"
	--query '[].name'

07 The command output should return the requested diagnostics setting identifiers (names). If the command output returns an empty array, i.e. [], there are no diagnostic settings configured for the selected Azure AI Foundry instance, therefore, the Audit process ends here: 

[
	"tm-ai-instance-diagnostic-logs",
	"tm-ai-custom-diagnostic-logs"
]

08 Run monitor diagnostic-settings show command (Windows/macOS/Linux) with the name of the diagnostic setting that you want to examine as the identifier parameter, to describe the log categories supported by Azure AI Foundry, configured for the selected diagnostic setting: 

az monitor diagnostic-settings show
	--name "tm-ai-instance-diagnostic-logs"
	--resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.CognitiveServices/accounts/cc-project5-ai-service-instance"
	--query 'logs'

09 The command output should return the supported log categories and their status: 

[
	{
		"category": "Audit",
		"enabled": true,
		"retentionPolicy": {
		"days": 0,
		"enabled": false
		}
	},
	{
		"category": "RequestResponse",
		"enabled": false,
		"retentionPolicy": {
		"days": 0,
		"enabled": false
		}
	},
	{
		"category": "AzureOpenAIRequestUsage",
		"enabled": false,
		"retentionPolicy": {
		"days": 0,
		"enabled": false
		}
	},
	{
		"category": "Trace",
		"enabled": false,
		"retentionPolicy": {
		"days": 0,
		"enabled": false
		}
	}
]

Check the "enabled" attribute value for each log category supported by Azure AI Foundry to determine the logging configuration for the selected diagnostic setting. If one or more log categories are disabled (i.e., "enabled": false), the selected diagnostic setting is not properly configured to collect diagnostic logs.

10 Repeat steps no. 8 and 9 for each diagnostic setting created for the selected instance. If none of the diagnostic settings are properly configured, the Diagnostic Logs monitoring feature is not enabled for the selected Azure AI Foundry instance.

Remediation / Resolution

To enable and configure Diagnostic Logs for your Azure AI Services (AI Foundry) instances, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure AI Foundry for Value, then choose Apply to list the Azure AI Services (AI Foundry) instances available in the selected subscription.

05 Click on the name (link) of the AI Foundry instance that you want to configure.

06 In the resource navigation panel, under Monitoring, select Diagnostic settings.

07 In the Diagnostic settings section, choose Add diagnostic setting to create a new diagnostic setting resource. A diagnostic setting specifies a list of categories of platform logs and/or metrics that you want to collect from an Azure cloud resource, and one or more destinations that you would stream them to.

08 On the Diagnostic setting setup page, perform the following actions:

  1. Provide a unique name for your new diagnostic setting in the Diagnostic setting name box.
  2. In the Logs section, check the allLogs setting checkbox to select all the log categories supported by Azure AI Foundry.
  3. (Optional) In the Metrics section, check the AllMetrics setting checkbox if you want to route the resource's platform metrics to the selected log destinations. By default, platform metrics are sent automatically to Azure Monitor Metrics without any additional configuration required.
  4. In the Destination details section, configure one or more log destinations based on your application requirements:
    1. Select Send to Log Analytics workspace and choose a workspace from the Log Analytics workspace dropdown list to send the diagnostic logs.
    2. Select Archive to a storage account and choose a storage account from the Storage account dropdown list to archive the collected logs for at least one year (recommended). The storage account needs to be in the same region as the resource being monitored if the resource is regional.
    3. Select Stream to an event hub to stream the collected logs to an Event Hub. Select the name, namespace, and policy of the event hub that you want to use.
    4. Select Send to partner solution to deliver the log files to a supported third-party system. For supported partner integrations, please refer to this page.
  5. Choose Save to apply the configuration changes.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run monitor diagnostic-settings create command (Windows/macOS/Linux) to create a new diagnostic setting for the specified Azure AI Foundry instance in order to enable the Diagnostic Logs monitoring feature. As an example, the following command request creates a diagnostic setting named "tm-project5-ai-diagnostic-logs" for an Azure AI Foundry instance, that sends the supported logs and metrics to a Log Analytics workspace identified by the ID "abcd1234abcd1234abcd1234" and archive the files to an Azure Storage account identified by "abcd1234abcd1234abcd1234". Platform metrics are sent automatically to Azure Monitor Metrics by default and without any configuration. If you need to route the resource's platform metrics to the selected log destinations, include the --metrics parameter in the command request, as shown in the example below: 

az monitor diagnostic-settings create
	--name "tm-project5-ai-diagnostic-logs"
	--resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.CognitiveServices/accounts/cc-project5-ai-service-instance"
	--workspace "abcd1234abcd1234abcd1234"
	--storage-account "1234abcd1234abcd1234"
	--logs '[
		{
			"categoryGroup": "allLogs",
			"enabled": true,
			"retentionPolicy": {
			"days": 0,
			"enabled": false
			}
		},
		{
			"categoryGroup": "Audit",
			"enabled": false,
			"retentionPolicy": {
			"days": 0,
			"enabled": false
			}
		}
	]'
	--metrics '[
		{
			"category": "AllMetrics",
			"enabled": true,
			"retentionPolicy": {
				"enabled": false,
				"days": 0
			}
		}
	]'

05 The command output should return the configuration information available for the new diagnostic setting: 

{
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.cognitiveservices/accounts/cc-project5-ai-service-instance/providers/microsoft.insights/diagnosticSettings/tm-project5-ai-diagnostic-logs",
	"logs": [
		{
			"categoryGroup": "allLogs",
			"enabled": true,
			"retentionPolicy": {
				"days": 0,
				"enabled": false
			}
		},
		{
			"categoryGroup": "Audit",
			"enabled": false,
			"retentionPolicy": {
				"days": 0,
				"enabled": false
			}
		}
	],
	"metrics": [
		{
			"category": "AllMetrics",
			"enabled": true,
			"retentionPolicy": {
				"days": 0,
				"enabled": true
			},
			"timeGrain": "PT1M"
		}
	],
	"name": "tm-project5-ai-diagnostic-logs",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"storageAccountId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.Storage/storageAccounts/1234abcd1234abcd1234",
	"type": "Microsoft.Insights/diagnosticSettings",
	"workspaceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.OperationalInsights/workspaces/abcd1234abcd1234abcd1234"
}

References

Publication date Sep 10, 2025

Related AIFoundry rules