A subscription-level Azure Monitor Diagnostic Setting is configured to export the Activity Log to an external destination (Log Analytics workspace, Storage Account, Event Hub, or partner solution).
Risk
Without an export, control-plane events exist only in Azure Monitor's default 90-day Activity Log retention and are not centralized with the rest of your telemetry.
RBAC changes, policy updates, and resource deletions can then go undetected, which hinders forensics, weakens incident response, and leaves gaps in audit evidence.
prowler azure --checks monitor_diagnostic_settings_exists
Recommendation
Enable a subscription-level Diagnostic Setting that sends the Activity Log to a trusted destination.
Use immutable storage or a SIEM, enforce coverage across subscriptions with Azure Policy, apply least privilege to log access, include the essential categories (Administrative at a minimum, plus Security, Policy, Alert, ServiceHealth, and the others your logging requirements call for), and set retention aligned to regulatory needs.
Remediation
az monitor diagnostic-settings subscription create --subscription <subscription id> --name <example_resource_name> --workspace <log analytics workspace ID> --logs '[{"category":"Administrative","enabled":true}]'
- In the Azure portal, go to Subscriptions and select your subscription
- Open Monitoring > Activity log, then click Diagnostic settings
- Click + Add diagnostic setting and enter a name
- Under Destination details, select Send to Log Analytics workspace and choose your workspace
- Under Categories, select Administrative at a minimum, plus any other Activity Log categories (Security, Policy, Alert, ServiceHealth, ResourceHealth, Recommendation, Autoscale) your logging requirements call for
- Click Save
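To confirm the remediation took effect, the following Python applies the same pass/fail logic as the check to the output of `az monitor diagnostic-settings subscription list -o json`. This is an added example, not Prowler's own implementation of the check. It assumes the CLI returns either a bare list or a {"value": [...]} envelope with ARM field names flattened to workspaceId, storageAccountId, eventHubAuthorizationRuleId, marketplacePartnerId and logs[].category / logs[].enabled; the sample settings at the bottom are constructed for the example, not captured from a real subscription.

```python
"""Apply the pass/fail logic of monitor_diagnostic_settings_exists to Azure CLI output.

Added example, not Prowler's implementation. Assumed input shape: the JSON from
`az monitor diagnostic-settings subscription list -o json`, either a bare list or
{"value": [...]}, with ARM field names flattened by the CLI (workspaceId,
storageAccountId, eventHubAuthorizationRuleId, marketplacePartnerId, logs[]).
"""
import json
import sys
from dataclasses import dataclass, field

# Any one of these populated means the setting actually exports somewhere.
DESTINATION_FIELDS = (
    "workspaceId",
    "storageAccountId",
    "eventHubAuthorizationRuleId",
    "marketplacePartnerId",
)
# Minimum the remediation on this page configures.
REQUIRED_CATEGORIES = frozenset({"Administrative"})
# Categories a practitioner would normally also want exported.
RECOMMENDED_CATEGORIES = frozenset(
    {"Administrative", "Security", "Policy", "Alert", "ServiceHealth", "ResourceHealth"}
)


@dataclass
class Finding:
    status: str                                    # "PASS" or "FAIL"
    reason: str
    compliant: list = field(default_factory=list)  # settings that satisfy the check
    gaps: set = field(default_factory=set)         # recommended categories nobody exports


def _as_list(cli_output):
    """Accept a JSON string, a list, or a {"value": [...]} envelope."""
    data = json.loads(cli_output) if isinstance(cli_output, str) else cli_output
    if isinstance(data, dict):
        data = data.get("value", [])
    return list(data)


def enabled_categories(setting):
    return {e["category"] for e in setting.get("logs", []) if e.get("enabled")}


def destinations(setting):
    return [f for f in DESTINATION_FIELDS if setting.get(f)]


def evaluate(cli_output, required=REQUIRED_CATEGORIES):
    settings = _as_list(cli_output)
    if not settings:
        return Finding("FAIL", "no diagnostic setting exists for the subscription")

    compliant, problems, exported = [], [], set()
    for s in settings:
        name = s.get("name", "<unnamed>")
        cats = enabled_categories(s)
        if not destinations(s):
            problems.append(f"{name}: no export destination configured")
            continue  # a setting with no sink exports nothing, whatever its categories
        exported |= cats
        missing = required - cats
        if missing:
            problems.append(f"{name}: required categories not enabled {sorted(missing)}")
        else:
            compliant.append(name)

    gaps = RECOMMENDED_CATEGORIES - exported
    if compliant:
        return Finding("PASS", f"Activity Log exported by {compliant}", compliant, gaps)
    return Finding("FAIL", "; ".join(problems), [], gaps)


# Constructed samples (not real CLI output) covering the edge cases the check must catch.
SAMPLE_COMPLIANT = [{
    "name": "activitylog-to-law",
    "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
                   "/providers/Microsoft.OperationalInsights/workspaces/law-sec",
    "logs": [{"category": "Administrative", "enabled": True},
             {"category": "Security", "enabled": False}],
}]
SAMPLE_NO_DESTINATION = [{"name": "orphaned",
                          "logs": [{"category": "Administrative", "enabled": True}]}]
SAMPLE_DISABLED_CATEGORY = {"value": [{
    "name": "security-only",
    "eventHubAuthorizationRuleId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                   "/resourceGroups/rg-sec/providers/Microsoft.EventHub"
                                   "/namespaces/ns-sec/authorizationRules/RootManageSharedAccessKey",
    "logs": [{"category": "Administrative", "enabled": False},
             {"category": "Security", "enabled": True}],
}]}

if __name__ == "__main__":
    if not sys.stdin.isatty():  # piped: az monitor diagnostic-settings subscription list -o json | python3 check.py
        f = evaluate(sys.stdin.read())
        print(f"{f.status}: {f.reason}  gaps={sorted(f.gaps)}")
    for label, sample in [("compliant", SAMPLE_COMPLIANT),
                          ("no destination", SAMPLE_NO_DESTINATION),
                          ("Administrative disabled", SAMPLE_DISABLED_CATEGORY)]:
        f = evaluate(sample)
        print(f"{label:24s} {f.status}: {f.reason}  gaps={sorted(f.gaps)}")
```

The check passes as soon as one setting has a real destination and the required categories enabled; a setting with categories but no sink, or a sink but Administrative disabled, fails. The `gaps` field is deliberately separate from the verdict: it lists recommended categories that no setting exports, so a subscription can pass this check and still show coverage to tighten.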
Source Code
Resource Type
microsoft.resources/subscriptions
References
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?WT.mc_id=AZ-MVP-5003450&tabs=portal
- https://learn.microsoft.com/en-us/azure/azure-monitor/fundamentals/data-sources#export-the-activity-log-with-a-log-profile
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Monitor/subscription-activity-log-diagnostic-settings.html
- https://learn.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest