
Ensure that a Diagnostic Setting Exists for Subscription Activity Logs


Risk Level: Medium (should be achieved)

Ensure that Diagnostic Settings exist for exporting activity logs from your Azure subscriptions and appropriate resources. Diagnostic settings control how a diagnostic log is exported and stored. By default, logs are retained only for 90 days in the Azure portal. These settings are available for each individual resource within a subscription and should be configured for all appropriate resources in your environment to provide comprehensive visibility into security and operational activities.

Categories: Security, Operational excellence

A diagnostic setting controls how a diagnostic log is exported. Without properly configured diagnostic settings, organizations lack the ability to retain and analyze activity logs beyond the default 90-day period. Configuring diagnostic settings ensures that activity logs are exported to appropriate destinations such as Log Analytics workspaces for querying and analysis, storage accounts for long-term archival, Event Hubs for SIEM integration, or partner solutions for third-party monitoring. This enables security teams to detect anomalies, track administrative changes, monitor policy violations, and maintain comprehensive audit trails required by regulatory frameworks.

Enabling diagnostic settings will incur additional costs for log storage and may require monitoring tools and infrastructure to process the exported logs. Organizations should plan for increased storage consumption, especially when archiving logs to storage accounts with long retention periods. Additionally, streaming logs to Event Hubs or sending them to Log Analytics workspaces will generate additional costs based on data ingestion rates. Organizations must also allocate resources to configure and maintain diagnostic settings across all subscriptions and resources, which can be operationally intensive in large environments.


Audit

To determine if diagnostic settings are configured for your Azure subscriptions and resources, perform the following operations:

Using Azure Console

To identify Diagnostic Settings on a subscription:

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Monitor blade available at https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/overview.

03 In the navigation panel, select Activity Log.

04 Click on Export Activity Logs from the top menu bar.

05 Select a Subscription from the dropdown list.

06 Verify that a diagnostic setting exists for the selected subscription. If no diagnostic settings are displayed, then diagnostic logging is not enabled for that subscription.

07 If a diagnostic setting exists, click on the Edit setting link next to the setting name to review its configuration:

  1. Under Logs, verify that appropriate log categories are selected (e.g., Administrative, Security, ServiceHealth, Alert, Recommendation, Policy, Autoscale, ResourceHealth).
  2. Under Destination details, verify that logs are being sent to one or more of the following approved destinations:
    • Send to Log Analytics workspace: For analysis and querying
    • Archive to a storage account: For long-term retention
    • Stream to an event hub: For integration with SIEM tools
    • Send to partner solution: For partner integration

08 Repeat steps no. 5 - 7 for each Azure subscription in your Microsoft Azure cloud account.

To identify Diagnostic Settings on specific resources:

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Monitor blade available at https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/overview.

03 In the navigation panel, click on Settings then select Diagnostic settings.

04 On the Diagnostic settings page, you can filter resources by subscription, resource group, resource type, and location to find specific resources.

05 For each resource listed, verify that a diagnostic setting exists. Resources without diagnostic settings configured will show "Disabled" in the Diagnostics status column.

06 Click on a resource name and then Edit setting to view its diagnostic settings configuration and verify:

  1. Under Logs, ensure that relevant log categories are enabled based on the resource type.
  2. Under Metrics, ensure that appropriate metrics are being collected (if applicable).
  3. Under Destination details, verify that logs and metrics are being sent to approved destinations.

07 Repeat this process for all appropriate resources in your environment.

Using Azure CLI

To identify Diagnostic Settings on a subscription:

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[].{id:id, name:name}'

02 The command output should return the requested subscription identifiers (IDs) and names:

[
	{
		"id": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"name": "Production Subscription"
	},
	{
		"id": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"name": "Development Subscription"
	}
]

03 Run monitor diagnostic-settings subscription list command (Windows/macOS/Linux) using the subscription ID to check if diagnostic settings exist:

az monitor diagnostic-settings subscription list \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 The command output should return the diagnostic settings configuration:

If no diagnostic settings exist:

[]

If the monitor diagnostic-settings subscription list command output returns an empty array ([]), no diagnostic settings are configured for the selected Azure subscription.

If diagnostic settings exist:
[
	{
		"id": "subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/microsoft.insights/diagnosticSettings/subscription-diagnostic-setting",
		"location": "global",
		"logs": [
			{
				"category": "Administrative",
				"enabled": true
			},
			{
				"category": "Security",
				"enabled": true
			},
			{
				"category": "ServiceHealth",
				"enabled": true
			},
			{
				"category": "Alert",
				"enabled": true
			},
			{
				"category": "Recommendation",
				"enabled": true
			},
			{
				"category": "Policy",
				"enabled": true
			},
			{
				"category": "Autoscale",
				"enabled": true
			},
			{
				"category": "ResourceHealth",
				"enabled": true
			}
		],
		"name": "subscription-diagnostic-setting",
		"type": "Microsoft.Insights/diagnosticSettings",
		"workspaceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/monitoring-rg/providers/Microsoft.OperationalInsights/workspaces/log-analytics-workspace"
	}
]

Review the output to ensure that appropriate log categories have "enabled": true and that logs are being sent to approved destinations (storageAccountId, workspaceId, or eventHubAuthorizationRuleId).

05 Repeat steps no. 3 - 4 for each subscription available in your Microsoft Azure cloud account.

To identify Diagnostic Settings on a resource:

01 Run resource list command (Windows/macOS/Linux) to get the resource ID of the resource you want to check:

az resource list \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
	--query '[].{name:name, type:type, id:id}'

02 The command output should return all resources with their names, types, and IDs. You can filter for a specific resource by name:

az resource list \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
	--query "[?name=='my-vm'].{name:name, type:type, id:id}"

The output will show the resource ID:

[
	{
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/my-resource-group/providers/Microsoft.Compute/virtualMachines/my-vm",
		"name": "my-vm",
		"type": "Microsoft.Compute/virtualMachines"
	}
]

03 Run monitor diagnostic-settings list command (Windows/macOS/Linux) using the resource ID from step 2 to check if diagnostic settings exist for the specific resource:

az monitor diagnostic-settings list \
	--resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/my-resource-group/providers/Microsoft.Compute/virtualMachines/my-vm"

04 The command output should return the diagnostic settings configuration for the resource:

If no diagnostic settings exist:

[]

If diagnostic settings exist:
[
	{
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/my-resource-group/providers/Microsoft.Compute/virtualMachines/my-vm/providers/microsoft.insights/diagnosticSettings/vm-diagnostic-setting",
		"logs": [
			{
				"category": "Administrative",
				"enabled": true
			}
		],
		"metrics": [
			{
				"category": "AllMetrics",
				"enabled": true,
				"retentionPolicy": {
					"enabled": false,
					"days": 0
				}
			}
		],
		"name": "vm-diagnostic-setting",
		"storageAccountId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/monitoring-rg/providers/Microsoft.Storage/storageAccounts/logstorage",
		"workspaceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/monitoring-rg/providers/Microsoft.OperationalInsights/workspaces/log-analytics-workspace"
	}
]

05 Repeat steps no. 1 - 4 for each resource that requires diagnostic settings in your Azure environment.
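The manual review in steps 3-4 of both CLI procedures (does a setting exist, are the required categories enabled, is there a destination) can be automated. The following script is an added example, not part of this page or of the Azure CLI: it evaluates the JSON returned by monitor diagnostic-settings subscription list or monitor diagnostic-settings list against the category list recommended above. The sample outputs are constructed from the shape shown on this page; the live helpers at the bottom assume an installed, authenticated Azure CLI and are not exercised offline. The marketplacePartnerId destination key comes from the Azure Monitor REST schema rather than from this page, and the normalizer accepts both a bare array and the {"value": [...]} wrapper because CLI versions differ in which they print.

```python
"""Evaluate diagnostic-setting JSON the way the Audit steps above do by hand.

Added example (not Conformity's or the Azure CLI's own code). Reads the
output of `az monitor diagnostic-settings subscription list` or
`az monitor diagnostic-settings list --resource <id>` and reports whether a
setting exists, whether the required log categories are enabled, and whether
each setting has an export destination. The live helpers at the bottom need
an authenticated Azure CLI and do not run offline.
"""
import json
import subprocess
from typing import Dict, List, Union

# Activity-log categories the check recommends for a subscription.
SUBSCRIPTION_CATEGORIES = [
    "Administrative", "Security", "ServiceHealth", "Alert",
    "Recommendation", "Policy", "Autoscale", "ResourceHealth",
]

# Properties that identify an export destination on a diagnostic setting.
# The first three appear on the page; marketplacePartnerId is the
# partner-solution key from the Azure Monitor REST schema (assumption).
DESTINATION_KEYS = (
    "workspaceId", "storageAccountId",
    "eventHubAuthorizationRuleId", "marketplacePartnerId",
)


def normalize(output: Union[str, list, dict]) -> List[dict]:
    """Accept raw CLI text or parsed JSON; some CLI builds wrap the list in
    {"value": [...]}, others print a bare array."""
    data = json.loads(output) if isinstance(output, str) else output
    if isinstance(data, dict):
        data = data.get("value", [])
    return list(data)


def evaluate(settings: List[dict], required: List[str]) -> Dict[str, object]:
    """Return {"compliant": bool, "findings": [...]} for one subscription or resource."""
    if not settings:
        return {"compliant": False, "findings": ["no diagnostic setting exists"]}
    findings: List[str] = []
    enabled = set()
    for setting in settings:
        for entry in setting.get("logs", []):
            if entry.get("enabled"):
                enabled.add(entry.get("category"))
        if not any(setting.get(key) for key in DESTINATION_KEYS):
            findings.append(f"setting '{setting.get('name')}' has no destination")
    missing = [c for c in required if c not in enabled]
    if missing:
        findings.append("categories not enabled: " + ", ".join(missing))
    return {"compliant": not findings, "findings": findings}


def evaluate_output(output: Union[str, list, dict], required: List[str]) -> Dict[str, object]:
    """Convenience wrapper: parse CLI output, then evaluate it."""
    return evaluate(normalize(output), required)


# Constructed sample modelled on the page's subscription output, but with
# Policy and Autoscale left out of the exported categories.
SAMPLE_PARTIAL = json.dumps([{
    "name": "subscription-diagnostic-setting",
    "logs": [{"category": c, "enabled": True} for c in
             ("Administrative", "Security", "ServiceHealth", "Alert",
              "Recommendation", "ResourceHealth")],
    "workspaceId": "/subscriptions/<sub-id>/resourceGroups/monitoring-rg/"
                   "providers/Microsoft.OperationalInsights/workspaces/log-analytics-workspace",
}])

# Constructed sample that satisfies the check (all categories, storage destination),
# wrapped in {"value": [...]} to exercise the normalizer.
SAMPLE_OK = json.dumps({"value": [{
    "name": "subscription-diagnostic-setting",
    "logs": [{"category": c, "enabled": True} for c in SUBSCRIPTION_CATEGORIES],
    "storageAccountId": "/subscriptions/<sub-id>/resourceGroups/monitoring-rg/"
                        "providers/Microsoft.Storage/storageAccounts/logstorage",
}]})


def az(*args: str) -> Union[list, dict]:
    """Run an az command and parse its JSON output (live; needs `az login`)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def audit_all_subscriptions() -> Dict[str, Dict[str, object]]:
    """Steps 1-5 of the CLI audit for every subscription the CLI can see."""
    results = {}
    for sub in az("account", "list", "--query", "[].id"):
        output = az("monitor", "diagnostic-settings", "subscription", "list",
                    "--subscription", sub)
        results[sub] = evaluate_output(output, SUBSCRIPTION_CATEGORIES)
    return results


if __name__ == "__main__":
    for sub_id, verdict in audit_all_subscriptions().items():
        status = "PASS" if verdict["compliant"] else "FAIL"
        print(f"{status} {sub_id}: {'; '.join(verdict['findings']) or 'ok'}")
```

For resource-level settings, call evaluate_output with the categories relevant to that resource type instead of SUBSCRIPTION_CATEGORIES; the destination and existence checks are the same. The findings list is what you would raise as the audit result, so a scheduled run that emits the FAIL lines gives the detection of subscriptions that silently lost their export.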

Remediation / Resolution

To create and configure diagnostic settings for your Microsoft Azure subscriptions and resources, perform the following operations:

Using Azure Console

To enable Diagnostic Settings on a Subscription:

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Monitor blade available at https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/overview.

03 In the navigation panel, select Activity log.

04 Click on Export Activity Logs from the top menu bar.

05 Select the Azure subscription that you want to configure from the Subscription dropdown list.

06 Click + Add diagnostic setting to create a new diagnostic setting.

07 In the Diagnostic setting name field, provide a name for the diagnostic setting (e.g., "subscription-activity-logs").

08 Under Logs, select the log categories you want to collect. For comprehensive logging, it is recommended to enable the following categories:

  • Administrative: Captures all administrative operations
  • Security: Logs security-related events
  • ServiceHealth: Service health notifications
  • Alert: Alert events
  • Recommendation: Azure Advisor recommendations
  • Policy: Azure Policy evaluation events
  • Autoscale: Autoscale engine operations
  • ResourceHealth: Resource health events

09 Under Destination details, select one or more of the following destinations based on your requirements:

  • Send to Log Analytics workspace: Select this option and choose the appropriate subscription and Log Analytics workspace for analysis and querying.
  • Archive to a storage account: Select this option and choose the appropriate subscription and storage account for long-term retention.
  • Stream to an event hub: Select this option and choose the appropriate subscription and event hub for integration with third-party systems or SIEM tools.
  • Send to partner solution: Select this option for partner integration (partner integration must be installed first).

10 Click Save to apply the diagnostic setting configuration.

11 Repeat steps no. 5 - 10 for each Azure subscription in your Microsoft Azure cloud account.

To enable Diagnostic Settings on a specific resource:

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Monitor blade available at https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/overview.

03 In the navigation panel, select Diagnostic settings.

04 On the Diagnostic settings page, use the filters to locate the resource you want to configure then click on the resource.

05 Click + Add diagnostic setting on the resource page.

06 In the Diagnostic setting name field, provide a name for the diagnostic setting.

07 Under Logs, select the log categories you want to capture. The available categories will vary based on the resource type.

08 Under Metrics (if applicable), select the metrics you want to collect. Many resources support the AllMetrics option for comprehensive metric collection.

09 Under Destination details, choose one or more destinations for the logs and metrics:

  • Send to Log Analytics workspace: For advanced querying and monitoring.
  • Archive to a storage account: For long-term retention.
  • Stream to an event hub: For integration with third-party systems.
  • Send to partner solution: For partner integration.

10 Click Save to apply the diagnostic setting configuration.

11 Repeat steps no. 4 - 10 for each resource that requires diagnostic settings in your environment.

Using Azure CLI

To configure Diagnostic Settings on a Subscription:

01 Run monitor diagnostic-settings subscription create command (Windows/macOS/Linux) to create a diagnostic setting for your Azure subscription. The following examples show how to configure different destination types:

Option 1: Send to Log Analytics workspace

az monitor diagnostic-settings subscription create \
	--subscription <subscription-id> \
	--name "subscription-activity-logs" \
	--location "global" \
	--workspace <log-analytics-workspace-id> \
	--logs '[
		{"category": "Administrative", "enabled": true},
		{"category": "Security", "enabled": true},
		{"category": "ServiceHealth", "enabled": true},
		{"category": "Alert", "enabled": true},
		{"category": "Recommendation", "enabled": true},
		{"category": "Policy", "enabled": true},
		{"category": "Autoscale", "enabled": true},
		{"category": "ResourceHealth", "enabled": true}
	]'

Option 2: Archive to a storage account

az monitor diagnostic-settings subscription create \
	--subscription <subscription-id> \
	--name "subscription-activity-logs" \
	--location "global" \
	--storage-account <storage-account-id> \
	--logs '[
		{"category": "Administrative", "enabled": true},
		{"category": "Security", "enabled": true},
		{"category": "ServiceHealth", "enabled": true},
		{"category": "Alert", "enabled": true},
		{"category": "Recommendation", "enabled": true},
		{"category": "Policy", "enabled": true},
		{"category": "Autoscale", "enabled": true},
		{"category": "ResourceHealth", "enabled": true}
	]'

Option 3: Stream to an Event Hub

az monitor diagnostic-settings subscription create \
	--subscription <subscription-id> \
	--name "subscription-activity-logs" \
	--location "global" \
	--event-hub <event-hub-id> \
	--event-hub-auth-rule <event-hub-authorization-rule-id> \
	--logs '[
		{"category": "Administrative", "enabled": true},
		{"category": "Security", "enabled": true},
		{"category": "ServiceHealth", "enabled": true},
		{"category": "Alert", "enabled": true},
		{"category": "Recommendation", "enabled": true},
		{"category": "Policy", "enabled": true},
		{"category": "Autoscale", "enabled": true},
		{"category": "ResourceHealth", "enabled": true}
	]'

Note: Replace placeholders with actual resource IDs. You can combine multiple destinations by including multiple parameters (e.g., both --workspace and --storage-account).

02 Repeat step no. 1 for each subscription in your Microsoft Azure cloud account.

To configure Diagnostic Settings on a specific resource:

01 Run monitor diagnostic-settings categories list command (Windows/macOS/Linux) to get the available diagnostic categories for the resource:

az monitor diagnostic-settings categories list \
	--resource <resource-id>

Replace <resource-id> with the full Azure resource ID (e.g., /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/my-resource-group/providers/Microsoft.Compute/virtualMachines/my-vm).
The command output will show available log and metric categories for the resource type.

02 Run monitor diagnostic-settings create command (Windows/macOS/Linux) to create a diagnostic setting for a specific resource. The following examples show how to configure different destination types:

Option 1: Send to Log Analytics workspace

az monitor diagnostic-settings create \
	--resource <resource-id> \
	--name "resource-diagnostic-setting" \
	--workspace <log-analytics-workspace-id> \
	--logs <resource-specific-log-settings>

Option 2: Archive to a storage account

az monitor diagnostic-settings create \
	--resource <resource-id> \
	--name "resource-diagnostic-setting" \
	--storage-account <storage-account-id> \
	--logs <resource-specific-log-settings>

Option 3: Stream to an Event Hub

az monitor diagnostic-settings create \
	--resource <resource-id> \
	--name "resource-diagnostic-setting" \
	--event-hub-rule <event-hub-authorization-rule-id> \
	--logs <resource-specific-log-settings>

Note: The log and metric categories vary by resource type. Use the categories returned from step 1 to configure the appropriate log and metric settings. Replace placeholders with actual resource IDs. You can combine multiple destinations by including multiple parameters (e.g., both --workspace and --storage-account).

03 Repeat steps no. 1 - 2 for each resource that requires diagnostic settings in your Azure environment.
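Because the log and metric categories differ per resource type, the <resource-specific-log-settings> placeholder in step 2 has to be built from the step 1 output for each resource. The following script is an added example, not this page's or the Azure CLI's own code: it turns the category list into the --logs and --metrics JSON arguments and assembles the create command as an argv list, so the JSON is passed as a single argument without shell quoting. It assumes monitor diagnostic-settings categories list returns objects with "name" and "categoryType" ("Logs" or "Metrics"), either as a bare array or wrapped in {"value": [...]}; the Key Vault category sample is constructed, and the live remediate helper needs an authenticated Azure CLI.

```python
"""Build `az monitor diagnostic-settings create` arguments from a resource's
category list (steps 1-2 above).

Added example, not Conformity's or the Azure CLI's own code. Assumes the
categories list output carries "name" and "categoryType" per entry, either
as a bare array or wrapped in {"value": [...]}.
"""
import json
import shlex
import subprocess
from typing import Iterable, List, Optional, Tuple, Union


def split_categories(output: Union[str, list, dict]) -> Tuple[List[str], List[str]]:
    """Return (log category names, metric category names)."""
    data = json.loads(output) if isinstance(output, str) else output
    if isinstance(data, dict):
        data = data.get("value", [])
    logs = [c["name"] for c in data if str(c.get("categoryType", "")).lower() == "logs"]
    metrics = [c["name"] for c in data if str(c.get("categoryType", "")).lower() == "metrics"]
    return logs, metrics


def settings_json(names: Iterable[str], disabled: Iterable[str] = ()) -> str:
    """JSON array of {"category", "enabled"} entries for --logs / --metrics;
    categories listed in `disabled` are kept but switched off."""
    off = set(disabled)
    return json.dumps([{"category": n, "enabled": n not in off} for n in names])


def build_create_command(resource_id: str, name: str, categories: Union[str, list, dict],
                         workspace_id: Optional[str] = None,
                         storage_account_id: Optional[str] = None,
                         event_hub_rule_id: Optional[str] = None,
                         disabled: Iterable[str] = ()) -> List[str]:
    """argv for step 2. Destinations may be combined; at least one is required."""
    if not (workspace_id or storage_account_id or event_hub_rule_id):
        raise ValueError("a diagnostic setting needs at least one destination")
    logs, metrics = split_categories(categories)
    cmd = ["az", "monitor", "diagnostic-settings", "create",
           "--resource", resource_id, "--name", name]
    if workspace_id:
        cmd += ["--workspace", workspace_id]
    if storage_account_id:
        cmd += ["--storage-account", storage_account_id]
    if event_hub_rule_id:
        cmd += ["--event-hub-rule", event_hub_rule_id]
    if logs:
        cmd += ["--logs", settings_json(logs, disabled)]
    if metrics:
        cmd += ["--metrics", settings_json(metrics, disabled)]
    return cmd


# Constructed sample: the category list a Key Vault typically exposes.
SAMPLE_CATEGORIES = json.dumps({"value": [
    {"name": "AuditEvent", "categoryType": "Logs"},
    {"name": "AzurePolicyEvaluationDetails", "categoryType": "Logs"},
    {"name": "AllMetrics", "categoryType": "Metrics"},
]})


def remediate(resource_id: str, name: str, **destinations: str) -> None:
    """Live path (needs an authenticated Azure CLI): run step 1, then step 2."""
    categories = subprocess.run(
        ["az", "monitor", "diagnostic-settings", "categories", "list",
         "--resource", resource_id, "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    subprocess.run(build_create_command(resource_id, name, categories, **destinations),
                   check=True)


if __name__ == "__main__":
    # Print a copy-pasteable command for the constructed sample (placeholder IDs).
    print(shlex.join(build_create_command(
        "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>",
        "resource-diagnostic-setting", SAMPLE_CATEGORIES,
        workspace_id="<log-analytics-workspace-id>")))
```

Passing every category returned by step 1 as enabled is the safe default for audit coverage; use the disabled argument to switch off individual high-volume categories deliberately rather than by omitting them, so the resulting setting still documents which categories were considered.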


Publication date Jan 28, 2026