The following section ensures that you have logging enabled within your storage account, key vault, Entra ID, and Resource Graph.
Entra ID Logs:
The following section shows how to enable Entra ID Logging:
1. Search for Microsoft Entra ID
2. Select Diagnostic settings from the left pane.
3. Select Add Diagnostic Setting
4. Name the Diagnostic Setting 'SecLab' and point it to sec-lab-logs. Be sure to select all options marked with a blue checkmark.
Note that Identity Protection logs were omitted because they require a P2 license. These include logs such as riskyusers, userriskevents, and serviceprincipalriskevents. This was done to reduce lab costs; you can enable them by purchasing a P2 license.
Azure Activity Logs
1. Search for Azure Monitor as shown in the screenshot below.
2. Select Activity Log and 'Export Activity Logs'
3. Select 'Add Diagnostic Setting'
4. Name the Diagnostic Setting 'sec-lab' and point it to 'sec-lab-logs'. Be sure to select everything marked with a blue checkmark.
Storage Account Logging
1. Under the Azure Monitor section select 'Diagnostic Settings'.
2. Under the current subscription, look for the tfstate<randomnumbers> storage account and select blob storage.
3. Name the diagnostic setting 'sec-lab' and forward it to sec-lab-logs. Enable the options marked with a blue checkmark.
Key Vault Logging
Terraform has already deployed the associated logs, but here are instructions on how to do it in the portal.
1. Select the associated subscription and permission
2. Select the 'sec-lab-keyvault'
3. Name the Diagnostic Setting 'sec-lab', forward it to 'sec-lab-logs', and enable the options marked with a blue checkmark.
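Each of the diagnostic settings above (Entra ID, Activity Log, storage account, Key Vault) can be verified from the command line rather than by eyeballing checkmarks. The following audit script is an added example, not part of the lab's own code or Terraform: it reads the JSON that `az monitor diagnostic-settings list --resource <id>` prints, checks that every setting forwards to the sec-lab-logs workspace, and reports any disabled log category, treating the P2-only categories the lab intentionally skips as expected rather than as failures. The sample JSON and the subscription id in it are constructed; the `value` wrapper and `categoryGroup` field are handled on the assumption that different CLI versions emit either shape.

```python
"""Audit the JSON that `az monitor diagnostic-settings list --resource <id>`
returns: every setting must forward to the lab workspace and leave no log
category disabled, except the P2-only Identity Protection categories."""
import json

# Entra ID categories that need a P2 licence; the lab leaves them off on purpose,
# so they are reported separately rather than treated as a failure.
P2_ONLY = {"RiskyUsers", "UserRiskEvents", "ServicePrincipalRiskEvents"}


def audit_diagnostic_settings(raw_json, workspace="sec-lab-logs"):
    """Return (ok, problems, skipped_p2) for the settings in raw_json."""
    data = json.loads(raw_json)
    # Assumption: older CLI versions wrap the list in {"value": [...]}, newer ones return a bare list.
    settings = data.get("value", []) if isinstance(data, dict) else data
    problems, skipped_p2 = [], []
    if not settings:
        return False, ["no diagnostic setting configured on this resource"], []
    for setting in settings:
        name = setting.get("name", "<unnamed>")
        # workspaceId is the full ARM id; compare only its last path segment.
        target = (setting.get("workspaceId") or "").rsplit("/", 1)[-1]
        if target.lower() != workspace.lower():
            problems.append(f"{name}: forwards to '{target or 'nothing'}', expected '{workspace}'")
        for log in setting.get("logs", []):
            category = log.get("category") or log.get("categoryGroup")
            if log.get("enabled"):
                continue
            (skipped_p2 if category in P2_ONLY else problems).append(f"{name}: {category} disabled")
    return not problems, problems, skipped_p2


# Constructed sample output: one setting named 'SecLab' with one non-P2 category left off.
SAMPLE = json.dumps([{
    "name": "SecLab",
    "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sec-lab"
                   "/providers/Microsoft.OperationalInsights/workspaces/sec-lab-logs",
    "logs": [
        {"category": "AuditLogs", "enabled": True},
        {"category": "SignInLogs", "enabled": True},
        {"category": "NonInteractiveUserSignInLogs", "enabled": False},
        {"category": "RiskyUsers", "enabled": False},
    ],
}])

if __name__ == "__main__":
    ok, problems, skipped = audit_diagnostic_settings(SAMPLE)
    print("PASS" if ok else "FAIL")
    for line in problems + [f"{s} (expected, P2 licence)" for s in skipped]:
        print(" -", line)
```

Pipe real output in with `az monitor diagnostic-settings list --resource <resource id> -o json` to check each resource after following the portal steps.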
Flow Logs - VNET
1. Select Network Watcher and select 'flow logs'
2. Select Create Flow Log
3. Configure a VNET Flow Log with the appropriate 'sec-lab-vnet' in your provisioned flow log storage account
Flow Logs - NSG
NSG flow logs were created as part of the Terraform code. As a heads-up, per Microsoft:
On September 30, 2027, network security group (NSG) flow logs will be retired. As part of this retirement, you'll no longer be able to create new NSG flow logs starting June 30, 2025. We recommend migrating to virtual network flow logs, which overcome the limitations of NSG flow logs.
These logs are already deployed within the tenant.
DNS Queries
This is currently in preview and, at the time of writing, has no Terraform support, so it must be created via the portal.
1. Search for 'DNS Security' in the Azure Portal
2. Create a DNS Security Policy by selecting 'Create'
3. Create the Security DNS policy as shown below
4. Select the associated VNET as shown.
5. Ensure the proper VNET is selected and then hit 'Review + Create'.