Control: 6.1.3.1 Ensure Application Insights are Configured
Description
Application Insights within Azure acts as an Application Performance Monitoring solution, providing valuable data on how well an application performs and additional information for incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data, giving organizations detailed information about application activity and application transactions. Both data sets help organizations adopt a proactive and retroactive means to handle security and performance related metrics within their modern applications.
Remediation
Remediate from Azure Portal:
- Navigate to Application Insights.
- Under the Basics tab within the PROJECT DETAILS section, select the Subscription.
- Select the Resource group.
- Within the INSTANCE DETAILS, enter a Name.
- Select a Region.
- Next to Resource Mode, select Workspace-based.
- Within the WORKSPACE DETAILS, select the Subscription for the log analytics workspace.
- Select the appropriate Log Analytics Workspace.
- Click Next:Tags >.
- Enter the appropriate Tags as Name, Value pairs.
- Click Next:Review+Create.
- Click Create.
Remediate from Azure CLI:
az monitor app-insights component create --app <app name> --resource-group <resource group name> --location <location> --kind "web" --retention-time <INT days to retain logs> --workspace <log analytics workspace ID> --subscription <subscription ID>
Remediate from PowerShell:
New-AzApplicationInsights -Kind "web" -ResourceGroupName <resource group name> -Name <app insights name> -Location <location> -RetentionInDays <INT days to retain logs> -SubscriptionID <subscription ID> -WorkspaceResourceId <log analytics workspace ID>
Default Value
Application Insights are not enabled by default.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_6_1_3_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v500_6_1_3_1 --share
SQL
This control uses a named query:
with application_insights as (
  select
    subscription_id,
    count(*) as no_application_insight
  from
    azure_application_insight
  group by
    subscription_id
)
select
  sub.id as resource,
  case
    when i.subscription_id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when i.subscription_id is null then sub.display_name || ' does not have application insights configured.'
    else sub.display_name || ' has ' || no_application_insight || ' application insights configured.'
  end as reason,
  sub.display_name as subscription
from
  azure_subscription as sub
  left join application_insights as i on i.subscription_id = sub.subscription_id;
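The same per-subscription check can be run over exported Azure CLI JSON when Steampipe is not available. The following is an added example, not part of the control or the Powerpipe mod. It goes beyond the named query by also listing resources that are not workspace-based, the mode the remediation steps select. The sample data is constructed, and the field names (`id`, `name`, `workspaceResourceId`) are assumed to match `az account list` and `az monitor app-insights component show` output.

```python
import json

# Constructed sample data (not real tenants). Shapes are assumed to match
# `az account list` and `az monitor app-insights component show` JSON output.
SUBSCRIPTIONS = json.loads("""[
  {"id": "00000000-0000-0000-0000-000000000001", "name": "prod"},
  {"id": "00000000-0000-0000-0000-000000000002", "name": "dev"}
]""")
_RG = "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-obs"
COMPONENTS = json.loads("""[
  {"id": "%s/providers/microsoft.insights/components/web-ai", "name": "web-ai",
   "workspaceResourceId": "%s/providers/Microsoft.OperationalInsights/workspaces/law"},
  {"id": "%s/providers/microsoft.insights/components/old-ai", "name": "old-ai",
   "workspaceResourceId": null}
]""" % (_RG, _RG, _RG))


def subscription_of(resource_id):
    """Return the subscription GUID embedded in an ARM resource ID, or None."""
    parts = resource_id.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1].lower()
    return None


def evaluate(subscriptions, components):
    """One row per subscription, mirroring the control's alarm/ok logic."""
    by_sub = {}
    for comp in components:
        sub_id = subscription_of(comp.get("id") or "")
        if sub_id:
            by_sub.setdefault(sub_id, []).append(comp)
    rows = []
    for sub in subscriptions:
        comps = by_sub.get(sub["id"].lower(), [])
        if comps:
            status = "ok"
            reason = f"{sub['name']} has {len(comps)} application insights configured."
        else:
            status = "alarm"
            reason = f"{sub['name']} does not have application insights configured."
        rows.append({
            "resource": sub["id"], "status": status, "reason": reason,
            # Extension beyond the control: resources with no linked workspace.
            "not_workspace_based": sorted(
                c["name"] for c in comps if not c.get("workspaceResourceId")),
        })
    return rows


if __name__ == "__main__":
    for row in evaluate(SUBSCRIPTIONS, COMPONENTS):
        print(json.dumps(row))
```

A subscription can report `ok` here and in the control while still holding resources in `not_workspace_based`, because the control only counts resources per subscription.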