Enable Subscription Activity Log Diagnostic Settings

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Monitor-010

Ensure that Azure Monitor Activity Logs for your subscription are exported to an appropriate data store using diagnostic settings. Diagnostic settings improve on the legacy Log Profile method for exporting Activity Logs by providing better functionality and consistency with resource logs. The Azure activity log captures all management activities performed on a subscription. By default, the Azure Portal only retains activity logs for 90 days. To make sure that all activity events recorded for your subscription are retained for a longer duration, configure a diagnostic setting to export and archive the activity log to an Azure storage account or stream it to an Event Hub.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Categories: Security, Reliability

Diagnostic settings control how and where an Azure activity log is exported. A well-configured diagnostic setting exports your activity logs and retains them for a longer period, so that the activity recorded within your Azure subscription can be analysed in more depth to assist with security and compliance auditing.


Audit

To determine whether an appropriate diagnostic setting is configured for each Microsoft Azure subscription, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/overview.

03 In the blade navigation panel, under Overview, select Activity log to access the activity log created for your Azure cloud account.

04 Select the Azure subscription that you want to examine from the Subscription dropdown list, and check for any events generated. By default, the events captured by the Activity log are retained within Azure Monitor for 90 days.

05 Click on Export Activity Logs from the console top menu to navigate to the diagnostic settings configurations window.

06 Select the subscription you want to check from the Subscription drop-down menu. If there are no diagnostic settings defined for your chosen subscription, activity logs are not being exported.

07 Repeat step no. 6 for each subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Run az account list to list your available subscriptions and retrieve the ID of the subscription you want to examine:

az account list

02 Run monitor diagnostic-settings subscription list command (Windows/macOS/Linux) with custom query filters to list the diagnostic settings created and configured for the current Azure subscription:

az monitor diagnostic-settings subscription list \
  --subscription 111222-1111-aaaa-bbbb-cccc1111dddd \
  --query 'value[*].id'

03 The command output should return the identifiers of the diagnostic settings that currently exist for the subscription, if any:

[]

If the monitor diagnostic-settings subscription list command output returns an empty array (i.e. []), as shown in the output example above, there are no diagnostic settings configured to export activity logs within the selected Microsoft Azure subscription.

04 Repeat steps no. 1 and 2 for each subscription available in your Microsoft Azure cloud account.
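The audit steps above are a manual loop over subscriptions. The following script, an added example that is not Conformity's own code or tooling, turns them into a repeatable check: it evaluates the JSON that az monitor diagnostic-settings subscription list returns (the value array) and reports a subscription as compliant only when at least one setting both has an export destination and enables the categories a defender should insist on. The field names (storageAccountId, workspaceId, eventHubAuthorizationRuleId, logs[].category, logs[].enabled) follow the CLI output shown in the remediation step; marketplacePartnerId is taken from the Azure REST API for partner destinations and is an assumption here, as is the choice of required categories. The sample inputs are constructed, not captured from a tenant, and the live audit_all_subscriptions() wrapper assumes a logged-in az CLI on PATH.

```python
"""Check whether each Azure subscription exports its activity log via diagnostic settings.

Added example for the audit procedure above; not Conformity's own tooling.
Runs offline against constructed samples; the live wrapper shells out to `az`.
"""
import json
import subprocess

# Categories to require (assumption: the page's remediation enables all eight,
# these four are the ones a security/compliance audit cannot do without).
REQUIRED_CATEGORIES = {"Administrative", "Security", "Policy", "Alert"}

# Output fields that carry an export destination. The first three appear in the
# page's CLI output; marketplacePartnerId is the REST-API field for partner solutions.
DESTINATION_FIELDS = ("storageAccountId", "workspaceId",
                      "eventHubAuthorizationRuleId", "marketplacePartnerId")


def enabled_categories(setting):
    """Return the set of activity-log categories one diagnostic setting exports."""
    return {log["category"] for log in setting.get("logs", [])
            if log.get("enabled") and log.get("category")}


def has_destination(setting):
    """True when the setting routes logs somewhere (storage, workspace, hub, partner)."""
    return any(setting.get(field) for field in DESTINATION_FIELDS)


def evaluate_subscription(settings):
    """Return (compliant, reason) for the 'value' list of one subscription."""
    if not settings:
        return False, "no diagnostic settings: activity log is not exported"
    for setting in settings:
        if not has_destination(setting):
            continue  # a setting with no destination exports nothing
        missing = REQUIRED_CATEGORIES - enabled_categories(setting)
        if not missing:
            return True, f"setting '{setting.get('name')}' exports the required categories"
    return False, "no setting with a destination enables all required categories"


def audit_all_subscriptions():
    """Live audit (hypothetical wrapper): repeat the list step for every subscription."""
    accounts = json.loads(subprocess.check_output(
        ["az", "account", "list", "-o", "json"]))
    results = {}
    for account in accounts:
        output = json.loads(subprocess.check_output(
            ["az", "monitor", "diagnostic-settings", "subscription", "list",
             "--subscription", account["id"], "-o", "json"]))
        results[account["id"]] = evaluate_subscription(output.get("value", []))
    return results


# Constructed sample: same shape as the create-command output in the remediation step.
SAMPLE_COMPLIANT = [{
    "name": "cc-log-diagnostic-setting",
    "storageAccountId": "/subscriptions/<SUB-ID>/resourceGroups/<RG>/providers/"
                        "microsoft.Storage/storageAccounts/<ACCOUNT>",
    "workspaceId": None,
    "eventHubAuthorizationRuleId": None,
    "logs": [{"category": c, "enabled": True} for c in
             ("Security", "Administrative", "ServiceHealth", "Alert",
              "Recommendation", "Policy", "Autoscale", "ResourceHealth")],
}]

# Constructed sample: has a destination but leaves Security disabled.
SAMPLE_PARTIAL = [{
    "name": "admin-only",
    "workspaceId": "/subscriptions/<SUB-ID>/resourceGroups/<RG>/providers/"
                   "Microsoft.OperationalInsights/workspaces/<WORKSPACE>",
    "logs": [{"category": "Administrative", "enabled": True},
             {"category": "Security", "enabled": False}],
}]

if __name__ == "__main__":
    for label, sample in (("compliant", SAMPLE_COMPLIANT),
                          ("partial", SAMPLE_PARTIAL),
                          ("empty", [])):
        print(label, evaluate_subscription(sample))
```

Run it as-is to see the three constructed cases evaluated; call audit_all_subscriptions() from a logged-in session to get a per-subscription verdict for the whole tenant, which is the "repeat for each subscription" step done in one pass.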

Remediation / Resolution

To create and configure diagnostic settings (the new log profiles) for your Microsoft Azure subscriptions in order to archive your activity logs to a storage account, send them to a Log Analytics workspace, or stream them to an Azure Event Hub, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/overview.

03 In the blade navigation panel, under Overview, select Activity log to access the activity log created for your Azure cloud account.

04 Choose Export Activity Logs from the console top menu to navigate to the Azure subscription diagnostic settings. Diagnostic settings are used to configure the streaming export of the Azure subscription logs and metrics to the destination of your choice.

05 On the Diagnostic settings page, select the Azure subscription that you want to access from the Subscription dropdown list, and choose + Add diagnostic setting to create a new diagnostic setting for the selected subscription:

  1. Provide a unique name for your new diagnostic setting in the Diagnostic setting name box.
  2. For Logs, choose the platform log categories that you want to collect from the selected Azure subscription, available in the Categories section.
  3. For Destination details, select one of the following options, based on your requirements:
    • Select Send to Log Analytics workspace and choose the subscription and the Log Analytics workspace that you want to use to collect your activity logs and event data.
    • Select Archive to a storage account if you want to write the activity log to an Azure storage account. Again, choose the subscription and the Azure storage account that will store your log data.
    • Select Stream to an event hub if you want to write the activity log to an Azure Event Hub. Choose the subscription and the event hub namespace in which you would like an event hub to be created for streaming your activity log data.
    • Select Send to partner solution for partner integration. You must first install partner integration into your subscription. Configuration options vary by partner.
  4. Choose Save to apply the changes. Logs are streamed to the specified destination(s) as new event data is generated.

06 Repeat step no. 5 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor diagnostic-settings subscription create command (Windows/macOS/Linux) to create a new diagnostic setting for your Microsoft Azure subscription that sends activity logs to a Log Analytics workspace, a storage account, a partner solution, or an Azure Event Hub. For example, the following command creates a subscription diagnostic setting that writes your subscription activity log to the Azure storage account identified by the ID "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.Storage/storageAccounts/abcdabcdabcdabcdabcdabcd":

az monitor diagnostic-settings subscription create \
  --name cc-log-diagnostic-setting \
  --location "global" \
  --storage-account "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.Storage/storageAccounts/abcdabcdabcdabcdabcdabcd" \
  --logs '[
   {
     "category": "Security",
     "enabled": true
   },
   {
     "category": "Administrative",
     "enabled": true
   },
   {
     "category": "ServiceHealth",
     "enabled": true
   },
   {
     "category": "Alert",
     "enabled": true
   },
   {
     "category": "Recommendation",
     "enabled": true
   },
   {
     "category": "Policy",
     "enabled": true
   },
   {
     "category": "Autoscale",
     "enabled": true
   },
   {
     "category": "ResourceHealth",
     "enabled": true
   }
]'

02 The command output should return the configuration information available for the new diagnostic setting:

{
  "eventHubAuthorizationRuleId": null,
  "eventHubName": null,
  "id": "subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/providers/microsoft.insights/diagnosticSettings/cc-log-diagnostic-setting",
  "location": "global",
  "logs": [
    {
      "category": "Security",
      "categoryGroup": null,
      "enabled": true
    },
    {
      "category": "Administrative",
      "categoryGroup": null,
      "enabled": true
    },
    {
      "category": "ServiceHealth",
      "categoryGroup": null,
      "enabled": true
    },
    {
      "category": "Alert",
      "categoryGroup": null,
      "enabled": true
    },
    {
      "category": "Recommendation",
      "categoryGroup": null,
      "enabled": true
    },
    {
      "category": "Policy",
      "categoryGroup": null,
      "enabled": true
    },
    {
      "category": "Autoscale",
      "categoryGroup": null,
      "enabled": true
    },
    {
      "category": "ResourceHealth",
      "categoryGroup": null,
      "enabled": true
    }
  ],
  "name": "cc-log-diagnostic-setting",
  "serviceBusRuleId": null,
  "storageAccountId": "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.Storage/storageAccounts/abcdabcdabcdabcdabcdabcd",
  "type": "Microsoft.Insights/diagnosticSettings",
  "workspaceId": null
}

03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.

Publication date Nov 28, 2022