Control: 5.1.2 Ensure Diagnostic Setting captures appropriate categories
Description
Prerequisite: A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: "Ensure that a 'Diagnostic Setting' exists."
The diagnostic setting should be configured to log the appropriate activities from the control/management plane.
A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.
Remediation
From Azure Portal
- Go to Azure Monitor.
- Click Activity log.
- Click on Export Activity Logs.
- Select the Subscription from the drop down menu.
- Click on Add diagnostic setting.
- Enter a name for your new Diagnostic Setting.
- Check the following categories: Administrative, Alert, Policy, and Security.
- Choose the destination details according to your organization's needs.
From Az CLI
az monitor diagnostic-settings subscription create --subscription <subscription id> --name <diagnostic settings name> --location <location> <[--event-hub <event hub ID> --event-hub-auth-rule <event hub auth rule ID>] [--storage-account <storage account ID>] [--workspace <log analytics workspace ID>]> --logs "[{category:Security,enabled:true},{category:Administrative,enabled:true},{category:Alert,enabled:true},{category:Policy,enabled:true}]"
From PowerShell
$logCategories = @()
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Administrative -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Security -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Alert -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Policy -Enabled $true
New-AzSubscriptionDiagnosticSetting -SubscriptionId <subscription ID> -Name <Diagnostic settings name> <[-EventHubAuthorizationRule <event hub auth rule ID> -EventHubName <event hub name>] [-StorageAccountId <storage account ID>] [-WorkSpaceId <log analytics workspace ID>] [-MarketplacePartnerId <full ARM Marketplace resource ID>]> -Log $logCategories
Default Value
When the diagnostic setting is created using Azure Portal, by default no categories are selected.
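An added audit check for this control (example code written for this page, not part of the azure_compliance mod or its named query): it reads the JSON that `az monitor diagnostic-settings subscription list` returns and reports which of the four required categories each setting leaves disabled. The field layout (`value`, `name`, `logs[].category`, `logs[].enabled`) and the pass rule (at least one setting enabling all four) are assumptions; the sample output is constructed.

```python
import json
# The four control-plane categories the control requires.
REQUIRED_CATEGORIES = {"Administrative", "Alert", "Policy", "Security"}

# Constructed sample standing in for `az monitor diagnostic-settings
# subscription list` output (the field names are an assumption): one setting
# enables all four categories, the other only Administrative.
SAMPLE_OUTPUT = json.dumps({
    "value": [
        {
            "name": "cis-activity-export",
            "workspaceId": "<log analytics workspace ID>",
            "logs": [
                {"category": "Administrative", "enabled": True},
                {"category": "Security", "enabled": True},
                {"category": "Alert", "enabled": True},
                {"category": "Policy", "enabled": True},
                {"category": "ServiceHealth", "enabled": False},
            ],
        },
        {
            "name": "partial-export",
            "storageAccountId": "<storage account ID>",
            "logs": [
                {"category": "Administrative", "enabled": True},
                {"category": "Security", "enabled": False},
            ],
        },
    ]
})

def enabled_categories(setting):
    """Set of log categories a single diagnostic setting has enabled."""
    return {log["category"] for log in setting.get("logs", []) if log.get("enabled")}

def missing_categories(raw_json):
    """Map each setting's name to the required categories it does not enable."""
    settings = json.loads(raw_json).get("value", [])
    return {s["name"]: REQUIRED_CATEGORIES - enabled_categories(s) for s in settings}

def subscription_compliant(raw_json):
    """Pass when at least one setting captures all four categories (assumed rule)."""
    return any(not missing for missing in missing_categories(raw_json).values())

if __name__ == "__main__":
    for name, missing in missing_categories(SAMPLE_OUTPUT).items():
        print(f"{name}: {'ok' if not missing else 'missing ' + ', '.join(sorted(missing))}")
    print("compliant" if subscription_compliant(SAMPLE_OUTPUT) else "non-compliant")
```

Replace SAMPLE_OUTPUT with the real CLI output (for example via `subprocess`) to run it against a subscription.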
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v200_5_1_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v200_5_1_2 --share
SQL
This control uses a named query:
monitor_diagnostic_settings_captures_proper_categories