<  Back to rules search

Diagnostic Setting captures appropriate categories


Set up the azure.monitor integration.


Configure the diagnostic setting to log the appropriate activities from the control/management plane.


A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.


From the console

  1. Go to Azure Monitor
  2. Click Activity log
  3. Click on Diagnostic settings
  4. Click on Edit Settings for the diagnostic settings entry
  5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security

ARM Template with AZ PowerShell cmdlets:

Create a file to hold the following JSON:

{ "$schema""https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion""", "parameters"{ "settingName"{ "type""String" }, "workspaceId"{ "type""String" } }, "resources"[ { "type""Microsoft.Insights/diagnosticSettings", "apiVersion""2017-05-01-preview", "name""[parameters(''settingName'')]", "dependsOn"[], "properties"{ "workspaceId""[parameters(''workspaceId'')]", "logs"[ { "category""Administrative", "enabled"true }, { "category""Alert", "enabled"true }, { "category""Autoscale", "enabled"false }, { "category""Policy", "enabled"true }, { "category""Recommendation", "enabled"false }, { "category""ResourceHealth", "enabled"false }, { "category""Security", "enabled"true }, { "category""ServiceHealth", "enabled"false } ] } } ] }

Reference the JSON. In the New-AzSubscriptionDeployment, call $OMSWorkspace:

Get-AzResource -ResourceType "Microsoft.OperationalInsights/workspaces" -Name <Workspace Name> New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName "Send Activity log to workspace" -workspaceId $OMSWorkspace.ResourceId'


  1. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings
  2. https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings
  3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources

CIS Controls

Version 7 6.3 - Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.