Verify that Diagnostic Setting captures appropriate categories

Subtitle: Framework Reference: A.8.15 Integration: Azure Monitor Activity Logs

Why this matters

Without logging control/management plane activities (like policy changes, administrative operations, and security alerts), you're blind to many critical changes in your Azure environment. Capturing these categories is a foundational step for monitoring, alerting, and investigations during incidents or audits.


What this check does

This check verifies that a Diagnostic Setting is in place for the Azure Subscription and that the following log categories are actively enabled:

  • Administrative
  • Alert
  • Policy
  • Security

Check Logic:

IF DiagnosticSetting EXISTS AND   ALL categories ['Administrative', 'Alert', 'Policy', 'Security'] are enabled THEN PASS ELSE FAIL

The check reviews the diagnostic settings configuration at the subscription level via the Azure Monitor API or CLI.


How to fix it

Remediate via Azure Portal

  1. Navigate to Monitor β†’ Activity Log β†’ Export Activity Logs
  2. Choose the Subscription
  3. Click Edit setting next to your diagnostic setting
  4. Enable the following categories:
    • Administrative
    • Alert
    • Policy
    • Security
  5. Select the appropriate destination (Storage Account, Event Hub, or Log Analytics)
  6. Click Save
  7. Remediate via Azure CLI

az monitor diagnostic-settings subscription create \  --subscription <subscription-id> \  --name "<diagnostic-setting-name>" \  --location <region> \  --logs '[{"category":"Administrative","enabled":true},           {"category":"Alert","enabled":true},           {"category":"Policy","enabled":true},           {"category":"Security","enabled":true}]' \  --workspace <log-analytics-workspace-id>

Remediate via PowerShell

$logCategories = @() $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Administrative -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Security -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Alert -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Policy -Enabled $true New-AzSubscriptionDiagnosticSetting -SubscriptionId <subscription ID> `  -Name "<diagnostic-setting-name>" `  -Log $logCategories `  -WorkSpaceId <log analytics workspace ID>


Exceptions

None. This is a baseline logging requirement applicable to all production environments.


Further resources

Was this article helpful?