Verify that Diagnostic Setting captures appropriate categories
Last updated: April 9, 2026
Subtitle: Framework Reference: A.8.15 Integration: Azure Monitor Activity Logs
Why this matters
Without logging control/management plane activities (like policy changes, administrative operations, and security alerts), you're blind to many critical changes in your Azure environment. Capturing these categories is a foundational step for monitoring, alerting, and investigations during incidents or audits.
What this check does
This check verifies that a Diagnostic Setting is in place for the Azure Subscription and that the following log categories are actively enabled:
Administrative
Alert
Policy
Security
Check Logic:
IF DiagnosticSetting EXISTS AND ALL categories ['Administrative', 'Alert', 'Policy', 'Security'] are enabled THEN PASS ELSE FAIL
The check reviews the diagnostic settings configuration at the subscription level via the Azure Monitor API or CLI.
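The check logic above, written out as a small evaluator over the JSON that the Azure CLI returns for subscription-scope diagnostic settings. This is an added example, not the framework's own check code; it assumes the output shape of `az monitor diagnostic-settings subscription list -o json` (a top-level "value" list, each setting carrying a "logs" list of category/enabled pairs), and the sample input is constructed with placeholder names and resource IDs. It treats a missing diagnostic setting as a FAIL in its own right and passes the subscription only when one setting enables all four categories by itself, which is the stricter reading of "DiagnosticSetting EXISTS AND ALL categories are enabled".

```python
import json

# The four Activity Log categories this check requires (from the check logic above).
REQUIRED_CATEGORIES = frozenset({"Administrative", "Alert", "Policy", "Security"})

# Constructed sample input, shaped like the JSON that
# `az monitor diagnostic-settings subscription list -o json` returns
# (assumption: a top-level "value" list; each setting has a "logs" list of
# {"category": ..., "enabled": ...} entries). Names and IDs are placeholders.
SAMPLE_CLI_OUTPUT = json.dumps({
    "value": [
        {
            "name": "legacy-storage-export",
            "storageAccountId": "/subscriptions/<subscription-id>/resourceGroups/<rg>"
                                "/providers/Microsoft.Storage/storageAccounts/<account>",
            "logs": [
                {"category": "Administrative", "enabled": True},
                {"category": "Security", "enabled": True},
                {"category": "Alert", "enabled": False},
                {"category": "Policy", "enabled": False},
                {"category": "ServiceHealth", "enabled": True},
            ],
        },
        {
            "name": "activity-to-log-analytics",
            "workspaceId": "/subscriptions/<subscription-id>/resourceGroups/<rg>"
                           "/providers/Microsoft.OperationalInsights/workspaces/<workspace>",
            "logs": [
                {"category": c, "enabled": True}
                for c in ("Administrative", "Alert", "Policy", "Security")
            ],
        },
    ]
})


def enabled_categories(setting):
    """Return the set of log categories a single diagnostic setting has enabled."""
    return {
        log.get("category")
        for log in setting.get("logs", [])
        if log.get("enabled") is True and log.get("category")
    }


def evaluate_setting(setting):
    """Apply the check to one diagnostic setting: PASS only if all four categories are enabled."""
    missing = sorted(REQUIRED_CATEGORIES - enabled_categories(setting))
    return {
        "name": setting.get("name", "<unnamed>"),
        "status": "PASS" if not missing else "FAIL",
        "missing": missing,
    }


def evaluate_subscription(cli_output):
    """Apply the check at subscription scope.

    cli_output is the JSON text (or already-parsed object) from the CLI list
    command. No diagnostic setting at all is a FAIL, and the subscription passes
    only if at least one setting enables every required category on its own;
    categories scattered across several settings do not count.
    """
    data = json.loads(cli_output) if isinstance(cli_output, str) else cli_output
    settings = data.get("value", []) if isinstance(data, dict) else list(data or [])
    if not settings:
        return {"status": "FAIL",
                "reason": "no diagnostic setting exists at subscription scope",
                "settings": []}
    results = [evaluate_setting(s) for s in settings]
    passing = [r["name"] for r in results if r["status"] == "PASS"]
    if passing:
        reason = "all required categories enabled by: " + ", ".join(passing)
    else:
        reason = "no diagnostic setting enables all of " + ", ".join(sorted(REQUIRED_CATEGORIES))
    return {"status": "PASS" if passing else "FAIL", "reason": reason, "settings": results}


if __name__ == "__main__":
    import sys
    # Read real CLI output from a pipe when present; otherwise evaluate the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CLI_OUTPUT
    print(json.dumps(evaluate_subscription(raw), indent=2))
```

Run against a live subscription with `az monitor diagnostic-settings subscription list -o json | python3 check_activity_log.py`; the per-setting "missing" list tells you exactly which categories to enable in the remediation steps that follow.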
How to fix it
Remediate via Azure Portal
Navigate to Monitor → Activity Log → Export Activity Logs
Choose the Subscription
Click Edit setting next to your diagnostic setting
Enable the following categories:
Administrative
Alert
Policy
Security
Select the appropriate destination (Storage Account, Event Hub, or Log Analytics)
Click Save
Remediate via Azure CLI
az monitor diagnostic-settings subscription create \
  --subscription <subscription-id> \
  --name "<diagnostic-setting-name>" \
  --location <region> \
  --logs '[{"category":"Administrative","enabled":true}, {"category":"Alert","enabled":true}, {"category":"Policy","enabled":true}, {"category":"Security","enabled":true}]' \
  --workspace <log-analytics-workspace-id>
Remediate via PowerShell
# Build one log-settings object per required category, then create the subscription-level setting
$logCategories = @()
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Administrative -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Security -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Alert -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Policy -Enabled $true
New-AzSubscriptionDiagnosticSetting -SubscriptionId "<subscription ID>" `
  -Name "<diagnostic-setting-name>" `
  -Log $logCategories `
  -WorkSpaceId "<log analytics workspace ID>"
Exceptions
None. This is a baseline logging requirement applicable to all production environments.