lacework-global-554
Ensure that a 'Diagnostic Setting' exists (Manual)
Profile Applicability
• Level 1
Description
Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Configure settings for all appropriate resources for your environment.
Rationale
A diagnostic setting controls whether and where a resource's logs are exported. By default, the activity log is retained only for 90 days, and resource logs are not retained at all unless a diagnostic setting exports them. Diagnostic settings should be defined so that logs are exported to a Log Analytics workspace, storage account or Event Hub and kept for a longer duration, so that security activity within an Azure subscription can be investigated after the fact.
Audit
From Azure Portal
- Go to Monitor.
- Click Diagnostic settings.
- Ensure that Diagnostics status is enabled on all appropriate resources.
Remediation
From Azure Portal
- Go to Monitor.
- Click Diagnostic settings.
- Click a resource that has a diagnostics status of disabled.
- Select Add Diagnostic Setting.
- Enter a Diagnostic setting name.
- Select the appropriate log, metric, and destination. (This may be Log Analytics, a Storage account or an Event Hub.)
- Click Save.
Repeat these steps for all resources as needed.
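The portal check above is manual. The following script is an added example, not Lacework or Microsoft code, that applies the same test to the JSON printed by `az monitor diagnostic-settings list --resource <resource-id>`: a resource passes only when at least one diagnostic setting has an enabled log category and a destination (Log Analytics workspace, storage account or Event Hub), which is what the portal shows as "Diagnostics status: enabled". The field names (`logs`, `category`, `categoryGroup`, `enabled`, `workspaceId`, `storageAccountId`, `eventHubAuthorizationRuleId`) are those of the Microsoft.Insights/diagnosticSettings resource; the sample responses are constructed, and the function names are the example's own.

```python
"""Evaluate an Azure resource's diagnostic settings against the policy
"a diagnostic setting exists and exports logs somewhere".

Added example (not Lacework code). Input is the JSON printed by
`az monitor diagnostic-settings list --resource <resource-id>`, which is a
bare array in newer CLI releases and {"value": [...]} in older ones.
"""
import json

# Destination fields on a Microsoft.Insights/diagnosticSettings object.
# Any one of them being set means the setting actually exports somewhere.
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


def load_settings(raw):
    """Accept JSON text or an already-parsed object; return the list of settings."""
    data = json.loads(raw) if isinstance(raw, str) else raw
    if isinstance(data, dict):
        data = data.get("value", [])
    return list(data)


def check_setting(setting):
    """Return the problems with one diagnostic setting (empty list = fine)."""
    name = setting.get("name", "<unnamed>")
    problems = []
    # A setting may enable individual categories or a categoryGroup (e.g. "audit").
    enabled_logs = [
        entry.get("category") or entry.get("categoryGroup")
        for entry in setting.get("logs", [])
        if entry.get("enabled")
    ]
    if not enabled_logs:
        problems.append(f"{name}: no log category enabled")
    if not any(setting.get(key) for key in DESTINATION_KEYS):
        problems.append(
            f"{name}: no destination (Log Analytics workspace, storage account or Event Hub)"
        )
    return problems


def evaluate(raw):
    """Policy verdict for one resource: (compliant, findings).

    Compliant when at least one setting exports an enabled log category to a
    destination. Findings list every defective setting, so a resource with one
    good and one broken setting passes but still reports the broken one."""
    settings = load_settings(raw)
    if not settings:
        return False, ["no diagnostic setting exists on this resource"]
    findings = []
    compliant = False
    for setting in settings:
        problems = check_setting(setting)
        if problems:
            findings.extend(problems)
        else:
            compliant = True
    return compliant, findings


# Constructed sample CLI responses (not real tenant data; IDs are placeholders).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec/providers"

COMPLIANT = json.dumps([{
    "name": "kv-audit-to-law",
    "workspaceId": _SUB + "/Microsoft.OperationalInsights/workspaces/law-sec",
    "logs": [{"category": "AuditEvent", "enabled": True,
              "retentionPolicy": {"enabled": False, "days": 0}}],
    "metrics": [{"category": "AllMetrics", "enabled": False}],
}])

LOGS_DISABLED = json.dumps({"value": [{
    "name": "metrics-only",
    "storageAccountId": _SUB + "/Microsoft.Storage/storageAccounts/stdiag",
    "logs": [{"category": "AuditEvent", "enabled": False}],
    "metrics": [{"category": "AllMetrics", "enabled": True}],
}]})

NO_SETTINGS = "[]"

if __name__ == "__main__":
    for label, raw in (("compliant", COMPLIANT),
                       ("logs disabled", LOGS_DISABLED),
                       ("no settings", NO_SETTINGS)):
        ok, findings = evaluate(raw)
        print(f"{label}: {'PASS' if ok else 'FAIL'} {findings}")
```

In practice, run `az monitor diagnostic-settings list --resource <resource-id>` per resource (for example, over the IDs returned by `az resource list --query "[].id" -o tsv`) and feed each response to `evaluate`. A failing resource is remediated with `az monitor diagnostic-settings create --name <name> --resource <resource-id>` plus a destination flag (`--workspace`, `--storage-account` or `--event-hub` with `--event-hub-rule`) and a `--logs` JSON list enabling the categories that resource type exposes.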
References
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile
https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation