Enabling Logs for Log Analytics Workspace

Overview:

The following section ensures that you have logging enabled within your storage account, key vault, Entra, and Resource Graph.

Entra ID Logs:

The following section shows how to enable Entra ID Logging:

1. Search for Microsoft Entra ID

2. Select Diagnostic settings from the left pane.

3. Select Add Diagnostic Setting

4. Name the Diagnostic Setting 'SecLab' and point it to sec-lab-logs. Be sure to select all options shown with a blue checkmark.

Azure Activity Logs

1. Search for Azure Monitor as shown in the screenshot below.

2. Select Activity Log, then select 'Export Activity Logs'

3. Select 'Add Diagnostic Setting'

4. Name the Diagnostic Setting 'sec-lab' and point it to 'sec-lab-logs'. Be sure to select all options shown with a blue checkmark.

Storage Account Logging

1. Under the Azure Monitor section select 'Diagnostic Settings'.

2. Under the current subscription look for the tfstate<randomnumbers> storage account and select blob storage.

3. Name the diagnostic setting 'sec-lab' and forward it to sec-lab-logs. Enable the options shown with a blue check mark.

Key Vault Logging

1. Select the associated subscription and permission

2. Select the 'sec-lab-keyvault'

3. Name the Diagnostic Setting 'sec-lab', forward it to 'sec-lab-logs', and enable the options shown with blue check marks.
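A way to confirm that the storage account and Key Vault settings above took effect, as an added example that is not part of the original lab: the script audits the JSON printed by `az monitor diagnostic-settings list --resource <resource-id>` and reports any setting that does not forward to sec-lab-logs or leaves a log category disabled. The sample JSON, subscription ID and resource group name are constructed placeholders.

```python
import json

WORKSPACE = "sec-lab-logs"  # Log Analytics workspace name used in this lab
# Constructed placeholder prefix for a workspace resource ID (not a real subscription).
WS_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
         "/providers/Microsoft.OperationalInsights/workspaces/")

# Constructed samples shaped like `az monitor diagnostic-settings list` output.
KEYVAULT_OK = json.dumps([{"name": "sec-lab", "workspaceId": WS_ID + "sec-lab-logs",
    "logs": [{"category": "AuditEvent", "enabled": True}]}])
BLOB_PARTIAL = json.dumps({"value": [{"name": "sec-lab", "workspaceId": WS_ID + "sec-lab-logs",
    "logs": [{"category": "StorageRead", "enabled": True},
             {"category": "StorageWrite", "enabled": True},
             {"category": "StorageDelete", "enabled": False}]}]})
WRONG_TARGET = json.dumps([{"name": "sec-lab", "workspaceId": WS_ID + "other-workspace",
    "logs": [{"categoryGroup": "allLogs", "enabled": True}]}])

def load_settings(raw):
    """Parse CLI JSON; accept a bare list or a {"value": [...]} wrapper."""
    doc = json.loads(raw)
    return doc.get("value", []) if isinstance(doc, dict) else doc

def forwards_to(setting, workspace):
    """True when the setting's workspaceId ends in /workspaces/<workspace>."""
    ws_id = (setting.get("workspaceId") or "").lower()
    return ws_id.endswith("/workspaces/" + workspace.lower())

def audit(raw, workspace=WORKSPACE):
    """Return a list of findings; an empty list means logging is in place."""
    settings = [s for s in load_settings(raw) if forwards_to(s, workspace)]
    if not settings:
        return ["no diagnostic setting forwards to " + workspace]
    findings = []
    for s in settings:
        logs = s.get("logs") or []
        if not any(entry.get("enabled") for entry in logs):
            findings.append(f"{s['name']}: no log category enabled")
        for entry in logs:
            if not entry.get("enabled"):
                label = entry.get("category") or entry.get("categoryGroup")
                findings.append(f"{s['name']}: '{label}' is disabled")
    return findings

if __name__ == "__main__":
    for label, raw in [("key vault", KEYVAULT_OK), ("blob storage", BLOB_PARTIAL),
                       ("wrong target", WRONG_TARGET)]:
        print(label, "->", audit(raw) or "OK")
```

An empty result for a resource means at least one setting forwards to sec-lab-logs with every listed log category enabled.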

Flow Logs - VNET

1. Select Network Watcher and select 'flow logs'

2. Select Create Flow Log

3. Configure a VNET Flow Log for 'sec-lab-vnet' that writes to your provisioned flow log storage account

Flow Logs - NSG

DNS Queries

1. Search for 'DNS Security' in the Azure Portal

2. Create a DNS Security Policy by selecting 'Create'

3. Create the DNS Security Policy as shown below

4. Select the associated VNET as shown.

5. Ensure the proper VNET is selected and then select 'Review+Create'
