Skip to main content

lacework-global-554

Ensure that a 'Diagnostic Setting' exists (Manual)

Profile Applicability

• Level 1

Description

Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Configure settings for all appropriate resources for your environment.

Rationale

A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.

Audit

From Azure Portal

  1. Go to Monitor
  2. Click Diagnostic settings
  3. Ensure that Diagnostics status is enabled on all appropriate resources.

Remediation

From Azure Portal

  1. Go to Monitor.
  2. Click Diagnostic settings.
  3. Click a resource that has a diagnostics status of disabled.
  4. Select Add Diagnostic Setting.
  5. Enter a Diagnostic setting name.
  6. Select the appropriate log, metric, and destination. (This may be Log Analytics/Storage account or Event Hub)
  7. Click Save.

Repeat these step for all resources as needed.

References

https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile
https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation