
Enable Diagnostic Logs for the Supported Resources

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Monitor-008

Ensure that Diagnostic Logs are enabled for all the supported Azure resources so that interactions with your cloud resources are logged. Resource-level Diagnostic Logs (also called resource logs) record the operations performed on the data plane of the resource itself, for example retrieving a secret from an Azure Key Vault; the subscription-level Activity Log only records control-plane operations and does not capture these. To follow security best practices, your Azure subscriptions should log every access request and operation made to your cloud resources. Diagnostic Logs should be sent to a storage account and a Log Analytics workspace, or to an equivalent third-party system. The log files should be kept in readily accessible storage for a minimum of one year, and then moved to inexpensive cold storage for a longer period (for security and compliance auditing).

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Framework pillars: Security, Reliability, Operational excellence, Cost optimisation, Performance efficiency

Ensure that your Azure cloud logging systems are correctly configured to log all relevant activities and retain the logs for a sufficient length of time. By default, Diagnostic Logs are not enabled for your cloud resources. Without Diagnostic Logs, visibility into your Azure data plane is greatly reduced, and therefore your organization's ability to detect potential attacks, unauthorized requests, or other malicious activity is diminished. For example, without Diagnostic Logs you cannot tell which identities accessed a data store that was breached. In addition, alerts on failed attempts to access the APIs of Azure web and database services are only possible when diagnostic logging is enabled.


Audit

To determine if Diagnostic Logs are enabled for all the supported Azure cloud resources, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access your Azure cloud resources.

03 From the Subscription filter box, select the Azure subscription that you want to examine.

04 Click on the identifier (link) of the Azure cloud resource that you want to examine.

05 In the blade navigation panel, under Monitoring, select Diagnostic settings.

06 In the Diagnostic settings section, check for any diagnostic settings created for the selected cloud resource. If there are no diagnostic settings defined, the Diagnostic Logs feature is not enabled for the selected Microsoft Azure cloud resource. Note that the mere presence of a setting is not sufficient: open it and confirm that at least one log category (not only metrics) is enabled and that a destination is selected, otherwise no audit data is actually collected.

07 Repeat steps no. 4 – 6 for each Azure cloud resource provisioned within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run resource list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each Azure cloud resource provisioned in the selected subscription:

az resource list \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd \
  --query '[*].id'

02 The command output should return the requested resource identifiers (IDs):

[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-app-key-vault",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/cc-app-storage-account"
]

03 Run monitor diagnostic-settings list command (Windows/macOS/Linux) using the ID of the Azure cloud resource that you want to examine as the identifier parameter and custom query filters to describe the active diagnostic settings available for the selected resource:

az monitor diagnostic-settings list \
  --resource "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-app-key-vault" \
  --query 'value'

04 The command output should return the requested configuration settings:

[]

If the monitor diagnostic-settings list command output returns an empty array, i.e. [], as shown in the example above, there are no diagnostic settings defined yet, therefore the Diagnostic Logs feature is not enabled for the selected Microsoft Azure cloud resource. Newer Azure CLI releases return the list of settings directly instead of wrapping it in a value property; if the command prints null, rerun it without the --query filter. When settings are returned, check that each one has at least one entry under logs with "enabled": true and a non-null destination (workspaceId, storageAccountId, or eventHubAuthorizationRuleId); a metrics-only setting does not satisfy this rule.

05 Repeat steps no. 3 and 4 for each Azure cloud resource provisioned in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.
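The CLI steps above can be automated. The following Python script is an added example (it is not Conformity's code and not part of the original page): it runs the same az commands through subprocess and, beyond the empty-array check, also treats a setting that has no destination, or that enables only metrics, as failing. The resource, workspace and storage account IDs in the sample data are hypothetical and constructed so that the decision logic runs offline when az is not installed; with a logged-in az it walks every subscription the identity can see.

```python
"""Added example (not Conformity's code): audit resources for an effective
diagnostic setting, i.e. one that enables a log category and has a destination."""
import json
import shutil
import subprocess
from typing import Dict, List

# Destination fields a diagnostic setting may carry. A setting with none of them
# collects nothing; marketplacePartnerId is the third-party (partner) destination.
DESTINATION_KEYS = ("workspaceId", "storageAccountId",
                    "eventHubAuthorizationRuleId", "marketplacePartnerId")


def normalize_settings(raw) -> List[dict]:
    """Accept both shapes `az monitor diagnostic-settings list` has printed:
    {"value": [...]} from older releases or a bare list from newer ones."""
    if raw is None:
        return []
    if isinstance(raw, dict):
        return list(raw.get("value") or [])
    return list(raw)


def collects_logs(setting: dict) -> bool:
    """True if at least one log category or category group (e.g. allLogs) is enabled."""
    return any(entry.get("enabled") for entry in setting.get("logs") or [])


def has_destination(setting: dict) -> bool:
    return any(setting.get(key) for key in DESTINATION_KEYS)


def evaluate_resource(raw_settings) -> str:
    """Classify one resource from its diagnostic-settings list output."""
    settings = normalize_settings(raw_settings)
    if not settings:
        return "no-settings"        # the page's failing case: empty array
    routed = [s for s in settings if has_destination(s)]
    if not routed:
        return "no-destination"     # settings exist but ship nowhere
    if not any(collects_logs(s) for s in routed):
        return "metrics-only"       # a setting exists, yet no audit visibility
    return "compliant"


def audit(resource_ids: List[str], settings_by_id: Dict[str, object]) -> Dict[str, str]:
    """Pure audit over pre-fetched data; shared by the live path and the offline run."""
    return {rid: evaluate_resource(settings_by_id.get(rid)) for rid in resource_ids}


def az_json(*args: str):
    """Run one az command and parse its JSON output; raises on non-zero exit."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def audit_subscription(subscription_id: str) -> Dict[str, str]:
    """Live version of CLI steps 1-5 for a single subscription."""
    results: Dict[str, str] = {}
    for rid in az_json("resource", "list", "--subscription", subscription_id,
                       "--query", "[*].id") or []:
        try:
            results[rid] = evaluate_resource(
                az_json("monitor", "diagnostic-settings", "list", "--resource", rid))
        except subprocess.CalledProcessError:
            # Resource types without diagnostic-settings support make the CLI exit
            # non-zero; record that instead of aborting the whole audit.
            results[rid] = "unsupported-or-error"
    return results


# Constructed sample data with hypothetical resource IDs, mirroring the CLI shapes.
_RG = "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/rg-app/providers"
_WS = _RG + "/Microsoft.OperationalInsights/workspaces/cc-log-analytics-workspace"
SAMPLE_RESOURCES = [
    _RG + "/Microsoft.KeyVault/vaults/kv-unmonitored",
    _RG + "/Microsoft.KeyVault/vaults/kv-metrics-only",
    _RG + "/Microsoft.Storage/storageAccounts/stnodestination",
    _RG + "/Microsoft.KeyVault/vaults/kv-compliant",
]
SAMPLE_SETTINGS = {
    SAMPLE_RESOURCES[0]: {"value": []},                      # older CLI shape, nothing defined
    SAMPLE_RESOURCES[1]: [{"name": "metrics", "workspaceId": _WS,
                           "logs": [{"category": "AuditEvent", "enabled": False}],
                           "metrics": [{"category": "AllMetrics", "enabled": True}]}],
    SAMPLE_RESOURCES[2]: [{"name": "orphan",                 # no destination at all
                           "logs": [{"categoryGroup": "allLogs", "enabled": True}]}],
    SAMPLE_RESOURCES[3]: [{"name": "cc-diagnostic-logs", "workspaceId": _WS,
                           "storageAccountId": _RG + "/Microsoft.Storage/storageAccounts/ccauditlogs",
                           "logs": [{"category": "AuditEvent", "enabled": True}],
                           "metrics": [{"category": "AllMetrics", "enabled": True}]}],
}

if __name__ == "__main__":
    if shutil.which("az"):
        # CLI step 6: walk every subscription the signed-in identity can see.
        for sub in az_json("account", "list", "--query", "[].id") or []:
            for rid, verdict in audit_subscription(sub).items():
                print(f"{verdict:22} {rid}")
    else:
        for rid, verdict in audit(SAMPLE_RESOURCES, SAMPLE_SETTINGS).items():
            print(f"{verdict:22} {rid}")
```

The three failing verdicts are reported separately on purpose: "no-settings" is what this rule detects, while "no-destination" and "metrics-only" are settings that would pass a naive non-empty check but still leave the resource without an audit trail.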

Remediation / Resolution

To enable and configure the Diagnostic Logs feature for the supported Azure cloud resources, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access your Azure cloud resources.

03 From the Subscription filter box, select the Azure subscription that you want to access.

04 Click on the identifier of the Azure cloud resource that you want to reconfigure.

05 In the blade navigation panel, under Monitoring, select Diagnostic settings.

06 In the Diagnostic settings section, choose + Add diagnostic setting. A diagnostic setting specifies a list of categories of platform logs and/or metrics that you want to collect from a cloud resource, and one or more destinations that you would stream them to.

07 On the Diagnostic setting setup page, perform the following actions:

  1. Provide a unique name for your new diagnostic setting in the Diagnostic setting name box.
  2. In the Category details section, select all the supported logs and metrics. Where the resource offers category groups, allLogs covers every current and future log category of that resource type.
  3. In the Destination details section, perform the following:
    • Select Send to Log Analytics workspace and choose a workspace from the Log Analytics workspace dropdown list to send the diagnostic logs.
    • Select Archive to a storage account and choose a storage account from the Storage account dropdown list to archive the collected logs for at least one year. The storage account needs to be in the same region as the resource being monitored if the resource is regional. Enter the appropriate retention period in the Retention (days) field next to each supported log and metric; ideally, the logs should be kept in the selected storage account for a minimum of one year. Note that Microsoft has since announced the retirement of retention rules configured through diagnostic settings in favour of storage account lifecycle management policies, so on newer portal versions the Retention (days) field may be absent and retention must be configured on the storage account itself.
    • (Optional) You can also stream the logs to an Event Hub and/or send the log files to a supported third-party system.
  4. Choose Save to apply the changes.

08 Repeat steps no. 4 – 7 for each Azure cloud resource provisioned within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor diagnostic-settings create command (Windows/macOS/Linux) to create a diagnostic setting for the specified Azure cloud resource in order to enable the Diagnostic Logs feature. As an example, the following command creates a diagnostic setting named "cc-diagnostic-logs" for an Azure Key Vault that sends the supported logs and metrics to a Log Analytics workspace named "cc-log-analytics-workspace" and archives the files to an Azure Storage account named "abcd1234abcd1234abcd1234". The log categories shown are the Key Vault ones; for other resource types, run monitor diagnostic-settings categories list --resource <ID> to discover the categories available:

az monitor diagnostic-settings create \
  --name "cc-diagnostic-logs" \
  --resource "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-app-key-vault" \
  --workspace "cc-log-analytics-workspace" \
  --storage-account abcd1234abcd1234abcd1234 \
  --logs '[
    {
      "category": "AuditEvent",
      "enabled": true,
      "retentionPolicy": {
        "enabled": true,
        "days": 365
      }
    },
    {
      "category": "AzurePolicyEvaluationDetails",
      "enabled": true,
      "retentionPolicy": {
        "enabled": true,
        "days": 365
      }
    }
  ]' \
  --metrics '[
    {
      "category": "AllMetrics",
      "enabled": true,
      "retentionPolicy": {
        "enabled": true,
        "days": 365
      }
    }
  ]'

02 The command output should return the metadata available for the new diagnostic setting:

{
  "eventHubAuthorizationRuleId": null,
  "eventHubName": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.keyvault/vaults/cc-app-key-vault/providers/microsoft.insights/diagnosticSettings/cc-diagnostic-logs",
  "identity": null,
  "kind": null,
  "location": null,
  "logAnalyticsDestinationType": null,
  "logs": [
    {
      "category": "AuditEvent",
      "categoryGroup": null,
      "enabled": true,
      "retentionPolicy": {
        "days": 365,
        "enabled": true
      }
    },
    {
      "category": "AzurePolicyEvaluationDetails",
      "categoryGroup": null,
      "enabled": true,
      "retentionPolicy": {
        "days": 365,
        "enabled": true
      }
    }
  ],
  "metrics": [
    {
      "category": "AllMetrics",
      "enabled": true,
      "retentionPolicy": {
        "days": 365,
        "enabled": true
      },
      "timeGrain": "0:01:00"
    }
  ],
  "name": "cc-diagnostic-logs",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "serviceBusRuleId": null,
  "storageAccountId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.Storage/storageAccounts/abcd1234abcd1234abcd1234",
  "tags": null,
  "type": "Microsoft.Insights/diagnosticSettings",
  "workspaceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.OperationalInsights/workspaces/cc-log-analytics-workspace"
}

03 Repeat steps no. 1 and 2 for each Azure cloud resource provisioned in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
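The create command above hard-codes the two Key Vault log categories, which is wrong for any other resource type. The following Python script is an added example (not Conformity's code and not part of the original page) that discovers the categories a resource exposes with az monitor diagnostic-settings categories list and builds the --logs and --metrics payloads from that list before calling create. The resource, workspace and storage account IDs and the SAMPLE_CATEGORIES data are hypothetical and constructed so the payload builder runs offline; the live path only runs when three IDs are passed on the command line and az is installed.

```python
"""Added example (not Conformity's code): enable every log category a resource
exposes plus its metrics, discovering categories instead of hard-coding them."""
import json
import shlex
import shutil
import subprocess
import sys
from typing import List, Optional, Tuple


def normalize(raw) -> list:
    """az prints {"value": [...]} in older releases and a bare list in newer ones."""
    if raw is None:
        return []
    return list(raw.get("value") or []) if isinstance(raw, dict) else list(raw)


def build_payloads(categories, retention_days: int = 365) -> Tuple[List[dict], List[dict]]:
    """Turn `az monitor diagnostic-settings categories list` output into the --logs
    and --metrics JSON: every Logs and every Metrics category enabled.
    retention_days applies to the storage-account destination only; 0 disables it."""
    retention = {"enabled": retention_days > 0, "days": retention_days}
    logs: List[dict] = []
    metrics: List[dict] = []
    for cat in normalize(categories):
        entry = {"category": cat["name"], "enabled": True,
                 "retentionPolicy": dict(retention)}
        if cat.get("categoryType") == "Logs":
            logs.append(entry)
        elif cat.get("categoryType") == "Metrics":
            metrics.append(entry)
    return logs, metrics


def build_create_args(resource_id: str, workspace_id: str, storage_account_id: str,
                      logs: List[dict], metrics: List[dict],
                      name: str = "cc-diagnostic-logs") -> Optional[List[str]]:
    """Arguments for `az monitor diagnostic-settings create`; None when the resource
    type offers nothing to collect (create fails without --logs or --metrics)."""
    if not logs and not metrics:
        return None
    args = ["monitor", "diagnostic-settings", "create", "--name", name,
            "--resource", resource_id, "--workspace", workspace_id,
            "--storage-account", storage_account_id]
    if logs:
        args += ["--logs", json.dumps(logs)]
    if metrics:
        args += ["--metrics", json.dumps(metrics)]
    return args


def az_json(*args: str):
    """Run one az command and parse its JSON output; raises on non-zero exit."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def enable_diagnostic_logs(resource_id: str, workspace_id: str, storage_account_id: str,
                           retention_days: int = 365):
    """Live remediation for one resource. create is a PUT, so re-running it with the
    same --name replaces the setting instead of adding another one (Azure allows at
    most five diagnostic settings per resource)."""
    cats = az_json("monitor", "diagnostic-settings", "categories", "list",
                   "--resource", resource_id)
    args = build_create_args(resource_id, workspace_id, storage_account_id,
                             *build_payloads(cats, retention_days))
    return az_json(*args) if args else None


# Constructed sample: the shape the categories command returns for a Key Vault.
SAMPLE_CATEGORIES = {"value": [
    {"name": "AuditEvent", "categoryType": "Logs", "categoryGroups": ["audit", "allLogs"]},
    {"name": "AzurePolicyEvaluationDetails", "categoryType": "Logs", "categoryGroups": ["allLogs"]},
    {"name": "AllMetrics", "categoryType": "Metrics", "categoryGroups": None},
]}
# Hypothetical IDs; full resource IDs avoid the name/resource-group ambiguity of bare names.
_RG = "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/rg-app/providers"
SAMPLE_VAULT = _RG + "/Microsoft.KeyVault/vaults/cc-app-key-vault"
SAMPLE_WORKSPACE = _RG + "/Microsoft.OperationalInsights/workspaces/cc-log-analytics-workspace"
SAMPLE_STORAGE = _RG + "/Microsoft.Storage/storageAccounts/ccauditlogs"

if __name__ == "__main__":
    if len(sys.argv) == 4 and shutil.which("az"):
        # usage: python3 enable_diag.py <resource-id> <workspace-id> <storage-account-id>
        print(json.dumps(enable_diagnostic_logs(*sys.argv[1:4]), indent=2))
    else:
        logs, metrics = build_payloads(SAMPLE_CATEGORIES)
        args = build_create_args(SAMPLE_VAULT, SAMPLE_WORKSPACE, SAMPLE_STORAGE, logs, metrics)
        print(shlex.join(["az", *args]))   # the command that would be run
```

Run offline it prints the fully expanded az command for the sample vault, which is a convenient way to review the payload before applying it; pass the three IDs to run it for real. Retention days are passed through as on the page, but treat them as a legacy field where retention is being handled by storage lifecycle management instead.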

Publication date Oct 23, 2021