lacework-global-555
5.1.2 Ensure Diagnostic Setting captures appropriate categories (Automated)
Profile Applicability
• Level 1
Description
Prerequisite: A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: "Ensure that a 'Diagnostic Setting' exists."
The diagnostic setting should be configured to log the appropriate activities from the control/management plane.
Rationale
A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.
Audit
From Azure Portal
- Go to
Azure Monitor - Click
Activity log - Click on
Export Activity Logs - Click
Edit settingon the appropriate Diagnostic setting entry - Ensure that the following categories are checked:
Administrative, Alert, Policy, and Security
From Azure CLI
Ensure the categories 'Administrative', 'Alert', 'Policy', and 'Security' set to: 'enabled: true'
az monitor diagnostic-settings subscription list
From Azure Powershell
Ensure the categories Administrative, Alert, Policy, and Security are set to Enabled:True
get-AzDiagnosticSetting -ResourceId subscriptions/<subscriptionID>
Remediation
From Azure Portal
- Go to
Azure Monitor - Click
Activity log - Click on
Diagnostic settings - Click on
Add diagnostic setting - Enter a name for your new Diagnostic Setting
- Check the following categories:
Administrative, Alert, Policy, and Security - Choose the destination details according to your organization's needs.
Using ARM Template via AZ PowerShell cmdlets
Create a file to hold the JSON
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"settingName": {
"type": "String"
},
"workspaceId": {
"type": "String"
}
},
"resources": [
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"name": "[parameters('settingName')]",
"dependsOn": [],
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"logs": [
{
"category": "Administrative",
"enabled": true
},
{
"category": "Alert",
"enabled": true
},
{
"category": "Autoscale",
"enabled": false
},
{
"category": "Policy",
"enabled": true
},
{
"category": "Recommendation",
"enabled": false
},
{
"category": "ResourceHealth",
"enabled": false
},
{
"category": "Security",
"enabled": true
},
{
"category": "ServiceHealth",
"enabled": false
}
]
}
}
]
}
Reference the JSON in the New-AzSubscriptionDeployment call
$OMSWorkspace = Get-AzResource -ResourceType "Microsoft.OperationalInsights/workspaces" -Name <Workspace Name>
New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName "Send Activity log to workspace" -workspaceId $OMSWorkspace.ResourceId
References
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings
https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation