Configure Diagnostic Setting Categories

Risk Level: Medium (should be achieved)

Rule ID: Monitor-007

Ensure that diagnostic settings are configured to log the appropriate activities from the Azure Monitor control/management plane.

Reliability

Cost
optimisation

Operational
excellence

Performance
efficiency

An Azure Monitor diagnostic setting controls how the diagnostic logs are exported. When a diagnostic setting is created using the Azure Portal, by default no log categories are selected. Capturing the appropriate log categories (i.e. Administrative, Security, Alert, and Policy) for the activities performed within your Azure subscriptions provides proper alerting.

Audit

To determine if the diagnostic settings capture the appropriate log categories, perform the following operations:

Using Azure Console

Sign in to the Azure Management Console.
Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.
In the blade navigation panel, choose Activity log.
From the Subscription filter box, select the Azure subscription that you want to examine.
In the top menu bar of the Activity Logs section, click on Export Activity Logs to navigate to the Subscription Diagnostic settings. Diagnostic settings are used to configure streaming export of Azure cloud platform logs and metrics for a subscription to the destination of your choice.
Choose the diagnostic setting that you want to examine, then select Edit settings.
In the Category details section, under log, check the log categories enabled for the selected diagnostic setting. If the following log categories are not selected: Administrative, Security, Alert, and Policy, the configuration of the selected diagnostic setting is not compliant.
Repeat steps no. 6 and 7 for each Azure Diagnostic setting created for the selected subscription.
Repeat steps no. 4 – 8 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

Run monitor diagnostic-settings subscription list command (Windows/macOS/Linux) with custom query filters to list the name and the log categories for each diagnostic setting created within the selected Azure subscription:
```
az monitor diagnostic-settings subscription list
  --query 'value[*].{"name": name, "logs": logs}'
```

The command output should return the requested configuration information:

[
  {
    "name": "cc-web-diagnostic-setting",
    "logs": [
      {
        "category": "Administrative",
        "categoryGroup": null,
        "enabled": true
      },
      {
        "category": "Security",
        "categoryGroup": null,
        "enabled": false
      },
      {
        "category": "ServiceHealth",
        "categoryGroup": null,
        "enabled": false
      },
      {
        "category": "Alert",
        "categoryGroup": null,
        "enabled": false
      },
      {
        "category": "Recommendation",
        "categoryGroup": null,
        "enabled": false
      },
      {
        "category": "Policy",
        "categoryGroup": null,
        "enabled": false
      },
      {
        "category": "Autoscale",
        "categoryGroup": null,
        "enabled": false
      },
      {
        "category": "ResourceHealth",
        "categoryGroup": null,
        "enabled": false
      }
    ]
  }
]

Check the "category" and "enabled" attributes values for each supported log category to determine which log categories are enabled for each diagnostic setting. If the following log categories are not enabled: "Administrative", "Security", "Alert", and "Policy", the configuration of the verified diagnostic setting is not compliant.

Repeat steps no. 1 and 2 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To configure Microsoft Azure diagnostic settings to capture appropriate log categories, perform the following operations:

Using Azure Console

Sign in to the Azure Management Console.
Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.
In the blade navigation panel, choose Activity log.
From the Subscription filter box, select the Azure subscription that you want to access.
To view the Subscription’s Diagnostic settings, in the top menu bar click on Export Activity Logs.
Either choose the Diagnostic setting that you want to reconfigure, then select Edit settings, or create a new Diagnostic setting.
In the Category details section, under log, ensure that the following log categories are selected: Administrative, Security, Alert, and Policy. Choose Save to apply the changes.
Repeat steps no. 6 and 7 for each Azure Diagnostic setting created for the selected subscription.
Repeat steps no. 4 – 7 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

Run az monitor diagnostic-settings subscription update command (Windows/macOS/Linux) using the name of the Microsoft Azure diagnostic setting that you want to reconfigure as the identifier parameter, to enable the appropriate log categories (i.e. "Administrative", "Security", "Alert", and "Policy") for the selected diagnostic setting:

az monitor diagnostic-settings subscription update
  --name "cc-web-diagnostic-setting"
  --logs '[
    {
      "category": "Administrative",
      "enabled": true
    },
    {
      "category": "Security",
      "enabled": true
    },
    {
      "category": "Alert",
      "enabled": true
    },
    {
      "category": "Policy",
      "enabled": true
    },
    {
      "category": "ServiceHealth",
      "enabled": false
    },
    {
      "category": "ResourceHealth",
      "enabled": false
    },
    {
      "category": "Recommendation",
      "enabled": false
    },
    {
      "category": "Autoscale",
      "enabled": false
    }
  ]'

The command output should return the metadata available for the updated diagnostic setting:

{
  "eventHubAuthorizationRuleId": null,
  "eventHubName": null,
  "id":
  "subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/providers/microsoft.insights/diagnosticSettings/cc-web-diagnostic-setting",
  "location": "global",
  "logs": [
    {
      "category": "Administrative",
      "categoryGroup": null,
      "enabled": true
    },
    {
      "category": "Security",
      "categoryGroup": null,
      "enabled": true
    },
    {
      "category": "Alert",
      "categoryGroup": null,
      "enabled": true
    },
    {
      "category": "Policy",
      "categoryGroup": null,
      "enabled": true
    },
    {
      "category": "ServiceHealth",
      "categoryGroup": null,
      "enabled": false
    },
    {
      "category": "ResourceHealth",
      "categoryGroup": null,
      "enabled": false
    },
    {
      "category": "Recommendation",
      "categoryGroup": null,
      "enabled": false
    },
    {
      "category": "Autoscale",
      "categoryGroup": null,
      "enabled": false
    }
  ],
  "name": "cc-web-diagnostic-setting",
  "serviceBusRuleId": null,
  "storageAccountId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcd1234abcd1234abcd1234",
  "type": "Microsoft.Insights/diagnosticSettings",
  "workspaceId": null
}

Repeat steps no. 1 and 2 for each Azure diagnostic setting created for the selected subscription.
Repeat steps no. 1 – 3 for each subscription available in your Microsoft Azure cloud account.

References

Azure Command Line Interface (CLI) Documentation
az monitor diagnostic-settings subscription list
az monitor diagnostic-settings subscription update

Publication date Aug 16, 2019

Audit

Using Azure Console

Using Azure CLI

Remediation / Resolution

Using Azure Console

Using Azure CLI

References

Related Monitor rules