Diagnostic Setting captures appropriate categories
Set up the azure.monitor integration.
Description
Configure the diagnostic setting to log the appropriate activities from the control/management plane.
Rationale
A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.
From the console
- Go to Azure Monitor
- Click Activity log
- Click on Diagnostic settings
- Click on Edit Settings for the diagnostic settings entry
- Ensure that the following categories are checked: Administrative, Alert, Policy, and Security
ARM Template with AZ PowerShell cmdlets:
Create a file to hold the following JSON:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "settingName": { "type": "String" },
    "workspaceId": { "type": "String" }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/diagnosticSettings",
      "apiVersion": "2017-05-01-preview",
      "name": "[parameters('settingName')]",
      "dependsOn": [],
      "properties": {
        "workspaceId": "[parameters('workspaceId')]",
        "logs": [
          { "category": "Administrative", "enabled": true },
          { "category": "Alert", "enabled": true },
          { "category": "Autoscale", "enabled": false },
          { "category": "Policy", "enabled": true },
          { "category": "Recommendation", "enabled": false },
          { "category": "ResourceHealth", "enabled": false },
          { "category": "Security", "enabled": true },
          { "category": "ServiceHealth", "enabled": false }
        ]
      }
    }
  ]
}
Save the JSON as CreateDiagnosticSetting.jsonc. Then look up the Log Analytics workspace into $OMSWorkspace and pass its resource ID to New-AzSubscriptionDeployment, which deploys the template at subscription scope:
$OMSWorkspace = Get-AzResource -ResourceType "Microsoft.OperationalInsights/workspaces" -Name <Workspace Name>
New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName "Send Activity log to workspace" -workspaceId $OMSWorkspace.ResourceId
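As an added example that is not part of this rule page or Datadog's own check, the following Python script audits exported diagnostic settings against the four categories the rule requires (Administrative, Alert, Policy, Security). It assumes the settings are available as a JSON array in the same shape as the template's properties.logs entries; the sample input, the setting name "send-to-storage", the placeholder workspace ID and the function names are constructed here. A setting with no logs at all is reported as missing every category, and a subscription with no settings fails rather than passing vacuously.

```python
import json

# The four Activity log categories this rule requires to be enabled.
REQUIRED_CATEGORIES = frozenset({"Administrative", "Alert", "Policy", "Security"})

# Constructed sample input: two subscription-level diagnostic settings in the
# shape of the ARM template's "properties.logs" array. Not real tenant data.
SAMPLE_SETTINGS_JSON = """
[
  {
    "name": "send-to-storage",
    "properties": {
      "logs": [
        {"category": "Administrative", "enabled": true},
        {"category": "Alert", "enabled": true},
        {"category": "Policy", "enabled": true},
        {"category": "Security", "enabled": false}
      ]
    }
  },
  {
    "name": "Send Activity log to workspace",
    "properties": {
      "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/placeholder-workspace",
      "logs": [
        {"category": "Administrative", "enabled": true},
        {"category": "Alert", "enabled": true},
        {"category": "Autoscale", "enabled": false},
        {"category": "Policy", "enabled": true},
        {"category": "Security", "enabled": true}
      ]
    }
  }
]
"""


def load_settings(text: str) -> list:
    """Parse a JSON array of diagnostic settings (shape assumed, see lead-in)."""
    return json.loads(text)


def enabled_categories(setting: dict) -> set:
    """Categories a single diagnostic setting actually exports (enabled == true)."""
    logs = setting.get("properties", {}).get("logs") or []
    return {entry.get("category") for entry in logs if entry.get("enabled") is True}


def missing_categories(setting: dict) -> set:
    """Required categories this setting does not enable; an empty set satisfies the rule."""
    return set(REQUIRED_CATEGORIES - enabled_categories(setting))


def evaluate(settings: list) -> dict:
    """Per-setting findings: setting name -> sorted list of missing required categories."""
    return {s.get("name", "<unnamed>"): sorted(missing_categories(s)) for s in settings}


def subscription_compliant(settings: list) -> bool:
    """True when at least one setting enables all four required categories.

    No settings at all is a failure: nothing is exported, so nothing can alert.
    """
    return any(not missing_categories(s) for s in settings)


if __name__ == "__main__":
    settings = load_settings(SAMPLE_SETTINGS_JSON)
    for name, missing in evaluate(settings).items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{name}: {status}")
    print("subscription compliant:", subscription_compliant(settings))
```

Run it as-is against the constructed sample to see one failing and one passing setting; to audit a real subscription, replace SAMPLE_SETTINGS_JSON with the settings exported from your tenant in the same shape.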
References
- https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings
- https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings
- https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources
CIS Controls
Version 7 6.3 - Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.