Verify that Diagnostic Setting captures appropriate categories
Why this matters
Without logging control/management plane activities (like policy changes, administrative operations, and security alerts), you're blind to many critical changes in your Azure environment. Capturing these categories is a foundational step for monitoring, alerting, and investigations during incidents or audits.
What this check does
This check verifies that a Diagnostic Setting is in place for the Azure Subscription and that the following log categories are actively enabled:
Administrative
Alert
Policy
Security
Check Logic:
IF DiagnosticSetting EXISTS AND
ALL categories ['Administrative', 'Alert', 'Policy', 'Security'] are enabled
THEN PASS
ELSE FAIL
The check reviews the diagnostic settings configuration at the subscription level via the Azure Monitor API or CLI.
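The check logic above, written out as an added example (not the check's own implementation): a Python script that evaluates a constructed JSON document shaped like the output of `az monitor diagnostic-settings subscription list` (the field names `value`, `name`, `logs`, `category`, `enabled`, `workspaceId` and `storageAccountId` are assumed from the CLI's JSON output; the subscription, workspace and storage account ids are placeholders). It returns PASS only when at least one Diagnostic Setting exists and enables all four required categories, and reports which categories each setting is missing so the result maps directly onto the remediation steps.

```python
import json
from typing import Dict, List, Tuple

# Categories the check requires on the subscription-level Diagnostic Setting.
REQUIRED_CATEGORIES = {"Administrative", "Alert", "Policy", "Security"}

# Constructed sample shaped like the JSON returned by
# `az monitor diagnostic-settings subscription list --subscription <id>`.
# Field names are assumed; all resource ids are placeholders.
SAMPLE_SETTINGS_JSON = """
{
  "value": [
    {
      "name": "export-to-law",
      "workspaceId": "/subscriptions/<subscription-id>/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-prod",
      "logs": [
        {"category": "Administrative", "enabled": true},
        {"category": "Security", "enabled": true},
        {"category": "Alert", "enabled": false},
        {"category": "Policy", "enabled": true}
      ]
    },
    {
      "name": "archive-to-storage",
      "storageAccountId": "/subscriptions/<subscription-id>/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stlogsprod",
      "logs": [
        {"category": "Administrative", "enabled": true},
        {"category": "Alert", "enabled": true},
        {"category": "Policy", "enabled": true},
        {"category": "Security", "enabled": true}
      ]
    }
  ]
}
"""


def enabled_categories(setting: dict) -> set:
    """Return the set of log categories that one Diagnostic Setting has enabled."""
    return {
        entry["category"]
        for entry in setting.get("logs", [])
        if entry.get("enabled") is True
    }


def evaluate_setting(setting: dict) -> Tuple[bool, List[str]]:
    """Evaluate one setting: (passes, sorted list of required categories it is missing)."""
    missing = sorted(REQUIRED_CATEGORIES - enabled_categories(setting))
    return (not missing, missing)


def evaluate_subscription(settings_json: str) -> Tuple[str, Dict[str, List[str]]]:
    """Apply the check logic to every subscription-level Diagnostic Setting.

    PASS when at least one Diagnostic Setting exists and enables all four
    categories; FAIL otherwise, including when no setting exists at all.
    The report maps each setting name to the categories it still lacks.
    """
    settings = json.loads(settings_json).get("value", [])
    if not settings:
        # No Diagnostic Setting at all: every required category is missing.
        return ("FAIL", {"<none>": sorted(REQUIRED_CATEGORIES)})
    report: Dict[str, List[str]] = {}
    for setting in settings:
        _ok, missing = evaluate_setting(setting)
        report[setting.get("name", "<unnamed>")] = missing
    status = "PASS" if any(not missing for missing in report.values()) else "FAIL"
    return (status, report)


if __name__ == "__main__":
    status, report = evaluate_subscription(SAMPLE_SETTINGS_JSON)
    print(f"Result: {status}")
    for name, missing in report.items():
        detail = "all required categories enabled" if not missing else "missing " + ", ".join(missing)
        print(f"  {name}: {detail}")
```

The constructed sample has one setting that leaves Alert disabled and a second that enables all four, so the subscription passes while the report still points at the incomplete setting. To evaluate a real subscription, pass the CLI command's JSON output to `evaluate_subscription` instead of the sample string.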
How to fix it
Remediate via Azure Portal
- Navigate to Monitor → Activity Log → Export Activity Logs
- Choose the Subscription
- Click Edit setting next to your diagnostic setting
- Enable the following categories:
- Administrative
- Alert
- Policy
- Security
- Select the appropriate destination (Storage Account, Event Hub, or Log Analytics)
- Click Save
Remediate via Azure CLI
az monitor diagnostic-settings subscription create \
--subscription <subscription-id> \
--name "<diagnostic-setting-name>" \
--location <region> \
--logs '[{"category":"Administrative","enabled":true},
{"category":"Alert","enabled":true},
{"category":"Policy","enabled":true},
{"category":"Security","enabled":true}]' \
--workspace <log-analytics-workspace-id>
Remediate via PowerShell
$logCategories = @()
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Administrative -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Security -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Alert -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Policy -Enabled $true
New-AzSubscriptionDiagnosticSetting -SubscriptionId <subscription ID> `
-Name "<diagnostic-setting-name>" `
-Log $logCategories `
-WorkSpaceId <log analytics workspace ID>
Exceptions
None. This is a baseline logging requirement applicable to all production environments.