Control: 7.1.1.8 Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination
Description
Ensure that a Microsoft Entra diagnostic setting is configured to send Microsoft Graph activity logs to a suitable destination, such as a Log Analytics workspace, storage account, or event hub. This enables centralized monitoring and analysis of all HTTP requests that the Microsoft Graph service receives and processes for a tenant.
Microsoft Graph activity logs provide visibility into HTTP requests made to the Microsoft Graph service, helping detect unauthorized access, suspicious activity, and security threats. Configuring diagnostic settings in Microsoft Entra ensures these logs are collected and sent to an appropriate destination for monitoring, analysis, and retention.
Remediation
From Azure Portal
- Go to
Microsoft Entra ID. - Under
Monitoring, clickDiagnostic settings. - Click
+ Add diagnostic setting. - Provide a
Diagnostic setting name. - Under
Logs > Categories, check the box next toMicrosoftGraphActivityLogs. - Configure an appropriate destination for the logs.
- Click
Save.
Default Value
By default, Microsoft Entra diagnostic settings do not exist.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v400_7_1_1_8Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v400_7_1_1_8 --shareSQL
This control uses a named query:
select id as resource, 'info' as status, 'Manual verification required.' as reason, display_name as subscriptionfrom azure_subscription;