Control: 5.1.2 Ensure Diagnostic Setting captures appropriate categories
Description
A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: "Ensure that a 'Diagnostic Setting' exists."
The diagnostic setting should be configured to log the appropriate activities from the control/management plane.
A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.
Remediation
From Azure Portal
- Go to Azure Monitor
- Click Activity log
- Click on Diagnostic settings
- Click on Add diagnostic setting
- Enter a name for your new Diagnostic Setting
- Check the following categories: Administrative, Alert, Policy, and Security
- Choose the destination details according to your organization's needs.
Using ARM Template via AZ PowerShell cmdlets
Create a file to hold the JSON
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "settingName": { "type": "String" },
    "workspaceId": { "type": "String" }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/diagnosticSettings",
      "apiVersion": "2017-05-01-preview",
      "name": "[parameters('settingName')]",
      "dependsOn": [],
      "properties": {
        "workspaceId": "[parameters('workspaceId')]",
        "logs": [
          { "category": "Administrative", "enabled": true },
          { "category": "Alert", "enabled": true },
          { "category": "Autoscale", "enabled": false },
          { "category": "Policy", "enabled": true },
          { "category": "Recommendation", "enabled": false },
          { "category": "ResourceHealth", "enabled": false },
          { "category": "Security", "enabled": true },
          { "category": "ServiceHealth", "enabled": false }
        ]
      }
    }
  ]
}
Reference the JSON in the New-AzSubscriptionDeployment call
$OMSWorkspace = Get-AzResource -ResourceType "Microsoft.OperationalInsights/workspaces" -Name <Workspace Name>
New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -Location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName "Send Activity log to workspace" -workspaceId $OMSWorkspace.ResourceId
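As an added check that is not part of this page or the azure_compliance mod, the Python below evaluates Activity log diagnostic settings in the same JSON shape as the ARM template (properties.logs with category/enabled pairs) and reports which of the four required categories each setting is missing; the two sample settings are constructed for illustration.

```python
import json

# Categories CIS 5.1.2 requires the Activity log diagnostic setting to capture.
REQUIRED_CATEGORIES = frozenset({"Administrative", "Alert", "Policy", "Security"})

# Constructed sample: one portal-style setting with only two categories ticked,
# and one matching the ARM template on this page.
SAMPLE_SETTINGS = json.loads("""
[
  {"name": "portal-default", "properties": {"logs": [
    {"category": "Administrative", "enabled": true},
    {"category": "Alert", "enabled": true},
    {"category": "Policy", "enabled": false},
    {"category": "ServiceHealth", "enabled": true}]}},
  {"name": "template-setting", "properties": {"logs": [
    {"category": "Administrative", "enabled": true},
    {"category": "Alert", "enabled": true},
    {"category": "Autoscale", "enabled": false},
    {"category": "Policy", "enabled": true},
    {"category": "Security", "enabled": true}]}}
]
""")


def enabled_categories(setting: dict) -> set:
    """Log categories a diagnostic setting actually captures (enabled == true)."""
    logs = setting.get("properties", {}).get("logs", [])
    return {entry["category"] for entry in logs if entry.get("enabled") is True}


def missing_categories(setting: dict) -> set:
    """Required categories this setting does not capture; empty means compliant."""
    return set(REQUIRED_CATEGORIES - enabled_categories(setting))


def evaluate_subscription(settings: list) -> dict:
    """Per-setting gaps plus an overall verdict.

    The subscription passes only if at least one Activity log diagnostic
    setting captures all four required categories; an empty list fails.
    """
    per_setting = {s["name"]: sorted(missing_categories(s)) for s in settings}
    return {"compliant": any(not gaps for gaps in per_setting.values()),
            "settings": per_setting}


if __name__ == "__main__":
    print(json.dumps(evaluate_subscription(SAMPLE_SETTINGS), indent=2))
```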
Default Value
When the diagnostic setting is created using Azure Portal, by default no categories are selected.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v150_5_1_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v150_5_1_2 --share
SQL
This control uses a named query:
monitor_diagnostic_settings_captures_proper_categories