
Enable Diagnostic Logs for Machine Learning Workspaces

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: MachineLearning-002

To collect detailed information on resource operations, ensure that Diagnostic Logs are enabled for your Azure Machine Learning (ML) workspaces. Diagnostic Logs provide detailed insight into operations, help identify and resolve issues quickly, support compliance with governance policies, and enable auditing and analysis of resource usage and performance.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security | Reliability | Operational excellence | Cost optimisation | Performance efficiency

By default, Diagnostic Logs are not enabled for your Azure Machine Learning (ML) workspaces. Without Diagnostic Logs, the visibility into your Azure data plane is greatly reduced. This diminishes your organization's ability to detect potential attacks, unauthorized requests, or other malicious activity. For example, without Diagnostic Logs, it would be difficult to tell which entities had accessed a breached data store. In addition, alerts for failed attempts to access APIs for Azure database services are only possible when diagnostic logging is enabled. Once collected, Diagnostic Logs should be sent to a storage account and a Log Analytics Workspace or an equivalent third-party system. The log files should be kept in readily accessible storage for at least one year, and then moved to inexpensive cold storage for a longer duration (for security and compliance auditing).


Audit

To determine if Diagnostic Logs are enabled for your Azure Machine Learning workspaces, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Machine Learning workspaces blade at https://portal.azure.com/#browse/Microsoft.MachineLearningServices%2Fworkspaces.

03 Select the Azure subscription that you want to examine from the Subscription equals all filter box.

04 Click on the name (link) of the Azure Machine Learning workspace that you want to examine.

05 In the resource navigation panel, under Monitoring, select Diagnostic settings.

06 In the Diagnostic settings section, check for any diagnostic settings created for the selected workspace. If there are no diagnostic settings available, the Diagnostic Logs monitoring feature is not enabled for the selected Azure Machine Learning (ML) workspace. If one or more diagnostic settings were created for your workspace, choose the diagnostic setting that you want to examine, and select Edit settings. Check the Categories list under Logs to determine the logging configuration available for your ML workspace. If one or more log categories are not selected, Diagnostic Logs are not enabled for the selected Azure Machine Learning (ML) workspace.

07 Repeat steps no. 4 – 6 for each Azure Machine Learning workspace available within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the ml workspace list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each Azure Machine Learning workspace available in the current subscription:

az ml workspace list \
  --query '[*].id'

02 The command output should return the requested workspace identifiers (IDs):

[
	"/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/workspaces/tm-ml-project5-workspace",
	"/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/workspaces/tm-ml-production-workspace"
]

03 Run the monitor diagnostic-settings list command (Windows/macOS/Linux) with the ID of the Azure Machine Learning workspace that you want to examine as the identifier parameter and custom output filters to describe the name of each diagnostic setting configured for the selected ML workspace:

az monitor diagnostic-settings list \
  --resource "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/workspaces/tm-ml-project5-workspace" \
  --query '[].name'

04 The command output should return the requested diagnostics setting identifiers (names). If the command output returns an empty array, i.e. [], there are no diagnostic settings configured for the selected Azure Machine Learning (ML) workspace, therefore, the Audit process ends here:

[
	"tm-workspace-diagnostic-logs",
	"tm-custom-diagnostic-logs"
]

05 Run the monitor diagnostic-settings show command (Windows/macOS/Linux) with the name of the diagnostic setting that you want to examine as the identifier parameter, to describe the log categories supported by Azure Machine Learning that are configured for the selected diagnostic setting:

az monitor diagnostic-settings show \
  --name "tm-workspace-diagnostic-logs" \
  --resource "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/workspaces/tm-ml-project5-workspace" \
  --query 'logs'

06 The command output should return the supported log categories and their status:

[
  {
    "categoryGroup": "allLogs",
    "enabled": false,
    "retentionPolicy": {
      "days": 0,
      "enabled": false
    }
  },
  {
    "categoryGroup": "audit",
    "enabled": false,
    "retentionPolicy": {
      "days": 0,
      "enabled": false
    }
  }
]

07 Repeat steps no. 5 and 6 for each diagnostic setting created for the selected workspace. If none of the diagnostic settings are properly configured, the Diagnostic Logs monitoring feature is not enabled for the selected Azure Machine Learning (ML) workspace.

08 Repeat steps no. 3 – 7 for each Azure Machine Learning workspace available in the selected Azure subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.
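As an added example (not part of the Conformity page or of the Azure CLI), the decision logic of audit steps 04 to 07 applied offline to constructed diagnostic-setting JSON in the shape shown above; the placeholder resource IDs, and the check that a compliant setting also carries both recommended destinations, are assumptions:

```python
import json

# Constructed sample (not real output): two diagnostic settings for one
# workspace, shaped like the objects `az monitor diagnostic-settings show`
# returns on this page (logs[].categoryGroup/enabled, workspaceId,
# storageAccountId). Placeholder IDs stand in for real resource IDs.
SAMPLE_SETTINGS = json.loads("""
[
  {"name": "tm-custom-diagnostic-logs",
   "workspaceId": null, "storageAccountId": null,
   "logs": [{"categoryGroup": "allLogs", "enabled": false},
            {"categoryGroup": "audit", "enabled": false}]},
  {"name": "tm-workspace-diagnostic-logs",
   "workspaceId": "/subscriptions/<sub-id>/<resource-path>/workspaces/<law-name>",
   "storageAccountId": "/subscriptions/<sub-id>/<resource-path>/storageAccounts/<sa-name>",
   "logs": [{"categoryGroup": "allLogs", "enabled": true},
            {"categoryGroup": "audit", "enabled": false}]}
]
""")

def logs_fully_enabled(setting):
    """True when the setting collects every supported log category: the
    'allLogs' category group is enabled, or (assumption: the setting lists
    each individual category) every 'category' entry is enabled."""
    logs = setting.get("logs") or []
    if any(e.get("categoryGroup") == "allLogs" and e.get("enabled") for e in logs):
        return True
    singles = [e for e in logs if "category" in e]
    return bool(singles) and all(e.get("enabled") for e in singles)

def destinations_ok(setting):
    """The page recommends both a Log Analytics workspace and a storage
    account; a setting missing either destination is flagged."""
    return bool(setting.get("workspaceId")) and bool(setting.get("storageAccountId"))

def audit(settings):
    """Classify one ML workspace from its list of diagnostic settings
    (step 04 on the page: an empty list means nothing is configured)."""
    if not settings:
        return "NOT_ENABLED"
    enabled = [s for s in settings if logs_fully_enabled(s)]
    if not enabled:
        return "NOT_ENABLED"
    if any(destinations_ok(s) for s in enabled):
        return "COMPLIANT"
    return "ENABLED_MISSING_DESTINATION"
```

Feed it the JSON from the show command of each setting (step 05 without the --query filter) to evaluate a real workspace.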

Remediation / Resolution

To enable and configure Diagnostic Logs for your Azure Machine Learning (ML) workspaces, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Machine Learning workspaces blade at https://portal.azure.com/#browse/Microsoft.MachineLearningServices%2Fworkspaces.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box, and choose Apply.

04 Click on the name (link) of the Azure Machine Learning workspace that you want to configure.

05 In the resource navigation panel, under Monitoring, select Diagnostic settings.

06 In the Diagnostic settings section, choose Add diagnostic setting to create a new diagnostic setting resource. A diagnostic setting specifies a list of categories of platform logs and/or metrics that you want to collect from an Azure cloud resource, and one or more destinations that you would stream them to.

07 On the Diagnostic setting setup page, perform the following actions:

  1. Provide a unique name for your new diagnostic setting in the Diagnostic setting name box.
  2. In the Logs section, check the allLogs setting checkbox to select all the log categories supported by Azure Machine Learning.
  3. (Optional) In the Metrics section, check the AllMetrics setting checkbox if you want to route the resource's platform metrics to the selected log destinations. By default, platform metrics are sent automatically to Azure Monitor Metrics without any additional configuration required.
  4. In the Destination details section, perform the following operations:
    1. Select Send to Log Analytics workspace and choose a workspace from the Log Analytics workspace dropdown list to send the diagnostic logs.
    2. Select Archive to a storage account and choose a storage account from the Storage account dropdown list to archive the collected logs for at least one year (recommended). The storage account needs to be in the same region as the resource being monitored if the resource is regional.
    3. (Optional) Select Stream to an event hub to stream the collected logs to an Event Hub.
    4. (Optional) Select Send to partner solution to deliver the log files to a supported third-party system.
  5. Choose Save to apply the configuration changes.

08 Repeat steps no. 4 – 7 for each Azure Machine Learning workspace available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the monitor diagnostic-settings create command (Windows/macOS/Linux) to create a new diagnostic setting for the specified Azure Machine Learning (ML) workspace in order to enable the Diagnostic Logs monitoring feature. As an example, the following command request creates a diagnostic setting named "tm-project5-diagnostic-logs" for an Azure Machine Learning workspace, which collects and sends all the supported diagnostic logs to a Log Analytics workspace identified by the ID "abcd1234abcd1234abcd1234" and archives the files to an Azure Storage account identified by "1234abcd1234abcd1234". Platform metrics are sent automatically to Azure Monitor Metrics by default and without any configuration. If you need to route the resource's platform metrics to the selected log destinations, include the --metrics parameter in the command request, as shown in the example below:

az monitor diagnostic-settings create \
  --name "tm-project5-diagnostic-logs" \
  --resource "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/workspaces/tm-ml-project5-workspace" \
  --workspace "abcd1234abcd1234abcd1234" \
  --storage-account "1234abcd1234abcd1234" \
  --logs '[
    {
      "categoryGroup": "allLogs",
      "enabled": true,
      "retentionPolicy": {
        "days": 0,
        "enabled": false
      }
    },
    {
      "categoryGroup": "audit",
      "enabled": false,
      "retentionPolicy": {
        "days": 0,
        "enabled": false
      }
    }
  ]' \
  --metrics '[
    {
      "category": "AllMetrics",
      "enabled": true,
      "retentionPolicy": {
        "enabled": true,
        "days": 0
      }
    }
  ]'

02 The command output should return the metadata available for the new diagnostic setting:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.machinelearningservices/workspaces/tm-ml-project5-workspace/providers/microsoft.insights/diagnosticSettings/tm-project5-diagnostic-logs",
  "logs": [
    {
      "categoryGroup": "allLogs",
      "enabled": true,
      "retentionPolicy": {
        "days": 0,
        "enabled": false
      }
    },
    {
      "categoryGroup": "audit",
      "enabled": false,
      "retentionPolicy": {
        "days": 0,
        "enabled": false
      }
    }
  ],
  "metrics": [
    {
      "category": "AllMetrics",
      "enabled": true,
      "retentionPolicy": {
        "days": 0,
        "enabled": true
      },
      "timeGrain": "PT1M"
    }
  ],
  "name": "tm-project5-diagnostic-logs",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "storageAccountId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.Storage/storageAccounts/1234abcd1234abcd1234",
  "type": "Microsoft.Insights/diagnosticSettings",
  "workspaceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.OperationalInsights/workspaces/abcd1234abcd1234abcd1234"
}

03 Repeat steps no. 1 and 2 for each Azure Machine Learning workspace provisioned in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

Publication date Jun 19, 2024