Azure Introduction
Azure Pricing
Azure Threats
Ensure Diagnostic Setting Captures Appropriate Categories
More Info:
The diagnostic setting should be configured to log the appropriate activities from the control/management plane.
Risk Level
Medium
Address
Security
Compliance Standards
CISAZURE, CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Ensure Diagnostic Setting Captures Appropriate Categories” in Azure using the Azure console, follow the below steps:
Step 1: Login to the Azure portal using your credentials.
Step 2: In the Azure portal, navigate to the resource group that you want to remediate.
Step 3: Select the resource that you want to remediate.
Step 4: Click on “Diagnostic settings” under the Monitoring section in the left-hand menu.
Step 5: In the “Diagnostic settings” page, click on “Add diagnostic setting”.
Step 6: Provide a name for the diagnostic setting.
Step 7: Under the “Logs” section, select the appropriate categories that you want to capture.
Step 8: Under the “Metrics” section, select the appropriate metrics that you want to capture.
Step 9: Under the “Destination details” section, select the appropriate destination where you want to send the diagnostic data.
Step 10: Click on “Save” to save the diagnostic setting.
By following the above steps, you can remediate the misconfiguration “Ensure Diagnostic Setting Captures Appropriate Categories” in Azure using the Azure console.
To remediate the misconfiguration “Ensure Diagnostic Setting Captures Appropriate Categories” in Azure using Azure CLI, you can follow the below steps:
Step 1: Open the Azure CLI in your preferred terminal.
Step 2: Run the following command to check if any diagnostic settings exist for the resource:
az monitor diagnostic-settings show --resource <resource-id> --resource-type <resource-type>
Note: Replace <resource-id>
and <resource-type>
with the actual values of the resource ID and resource type.
Step 3: If the diagnostic settings exist, use the following command to update the categories:
az monitor diagnostic-settings update --resource <resource-id> --resource-type <resource-type> --name <existing-diagnostic-setting-name> --logs '[{"category": "<category-name>", "enabled": true}]'
Note: Replace <category-name>
with the appropriate category name that needs to be captured and <existing-diagnostic-setting-name>
with the name of the existing diagnostic setting.
Step 4: If the diagnostic settings do not exist, use the following command to create new diagnostic settings:
az monitor diagnostic-settings create --resource <resource-id> --resource-type <resource-type> --name <new-diagnostic-setting-name> --logs '[{"category": "<category-name>", "enabled": true}]'
Note: Replace <category-name>
with the appropriate category name that needs to be captured and <new-diagnostic-setting-name>
with the name of the new diagnostic setting.
Step 5: Verify the diagnostic settings by running the following command:
az monitor diagnostic-settings show --resource <resource-id> --resource-type <resource-type> --name <diagnostic-setting-name>
Note: Replace <diagnostic-setting-name>
with the name of the diagnostic setting.
By following these steps, you can remediate the misconfiguration “Ensure Diagnostic Setting Captures Appropriate Categories” in Azure using Azure CLI.
To remediate “Ensure Diagnostic Setting Captures Appropriate Categories” misconfiguration in Azure using Python, you can follow the below steps:
- Install the Azure SDK for Python using the following command:
pip install azure-mgmt-monitor
- Authenticate to Azure using the Azure CLI or using the below code to authenticate using a service principal:
from azure.common.credentials import ServicePrincipalCredentials
TENANT_ID = '<tenant_id>'
CLIENT_ID = '<client_id>'
CLIENT_SECRET = '<client_secret>'
subscription_id = '<subscription_id>'
credentials = ServicePrincipalCredentials(
client_id=CLIENT_ID,
secret=CLIENT_SECRET,
tenant=TENANT_ID
)
- Import the required modules:
from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.monitor.models import DiagnosticSettingsResource, LogSettings, MetricSettings, RetentionPolicy
- Set the required parameters:
resource_uri = '<resource_uri>'
log_categories = ['<log_category_1>', '<log_category_2>']
metric_categories = ['<metric_category_1>', '<metric_category_2>']
retention_days = '<retention_days>'
- Create an instance of the
MonitorManagementClient
:
monitor_client = MonitorManagementClient(credentials, subscription_id)
- Create a
DiagnosticSettingsResource
object with the required settings:
log_settings = LogSettings(enabled=True, categories=log_categories)
metric_settings = MetricSettings(enabled=True, categories=metric_categories)
retention_policy = RetentionPolicy(enabled=True, days=retention_days)
diagnostic_settings = DiagnosticSettingsResource(
log_settings=log_settings,
metric_settings=metric_settings,
retention_policy=retention_policy
)
- Create or update the diagnostic setting for the resource:
monitor_client.diagnostic_settings.create_or_update(
resource_uri,
'default',
diagnostic_settings
)
This will create or update the diagnostic setting for the specified resource with the specified categories and retention policy.