lacework-global-554
5.1.1 Ensure that a 'Diagnostic Setting' exists (Manual)
Profile Applicability
• Level 1
Description
Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment.
Rationale
A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.
Audit
From Azure Portal
- Go to Monitor
- Click Diagnostic settings
- Ensure that Diagnostics status is enabled on all appropriate resources.
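The same audit can be scripted instead of clicked through. The following is an added example, not part of the benchmark or of Lacework's policy. It assumes the Azure CLI is installed and logged in (az login) and that az monitor diagnostic-settings list returns a JSON array, as current CLI versions do; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: CLI equivalent of the portal audit for this control.
# Assumptions: Azure CLI installed, `az login` done, active subscription set.

# Print "<status><TAB><resource id>" for every resource in the subscription:
#   enabled  - at least one diagnostic setting exists on the resource
#   disabled - the resource supports diagnostic settings but has none
#   skipped  - the query failed (typically the resource type does not
#              support diagnostic settings), so it needs manual review
audit_diagnostic_settings() {
  local id count
  az resource list --query "[].id" -o tsv | while IFS= read -r id; do
    [ -n "$id" ] || continue
    if count=$(az monitor diagnostic-settings list --resource "$id" \
                 --query "length(@)" -o tsv 2>/dev/null); then
      if [ "${count:-0}" -gt 0 ]; then
        printf 'enabled\t%s\n' "$id"
      else
        printf 'disabled\t%s\n' "$id"
      fi
    else
      printf 'skipped\t%s\n' "$id"
    fi
  done
}

# Print the report and return 0 only when no resource is "disabled".
check_diagnostic_settings() {
  local report
  report=$(audit_diagnostic_settings)
  printf '%s\n' "$report"
  ! printf '%s\n' "$report" | grep -q '^disabled'
}

# Usage: source this file, then run `check_diagnostic_settings`.
```

Resources reported as skipped are not failures by themselves; decide per resource type whether they are "appropriate" for your environment.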
Remediation
From Azure Portal
- Go to Monitor
- Click Diagnostic settings
- Click on the resource that has a diagnostics status of disabled
- Select Add Diagnostic Setting
- Enter a Diagnostic setting name
- Select the appropriate log, metric, and destination. (This may be Log Analytics/Storage account or Event Hub)
- Click save
Repeat these steps for all resources as needed.
References
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile
https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation