AzPolicyAdvertizer

last sync: 2024-Nov-25 18:54:24 UTC

Diagnostic logs in Azure AI services resources should be enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name Diagnostic logs in Azure AI services resources should be enabled
Id 1b4d1c4e-934c-4703-944c-27c82c06bebb
Version 1.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.0
Built-in Versioning [Preview]
Category Azure Ai Services
Microsoft Learn
Description Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Insights/diagnosticSettings/logs[*] microsoft.insights diagnosticSettings properties.logs[*] True False
Rule resource types IF (2)
Microsoft.CognitiveServices/accounts
Microsoft.Search/searchServices
Compliance
The following 1 compliance controls are associated with this Policy definition 'Diagnostic logs in Azure AI services resources should be enabled' (1b4d1c4e-934c-4703-944c-27c82c06bebb)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 LT-3 Azure_Security_Benchmark_v3.0_LT-3 Microsoft cloud security benchmark LT-3 Logging and Threat Detection Enable logging for security investigation Shared **Security Principle:** Enable logging for your cloud resources to meet the requirements for security incident investigations and security response and compliance purposes. **Azure Guidance:** Enable logging capability for resources at the different tiers, such as logs for Azure resources, operating systems and applications inside in your VMs and other log types. Be mindful about different type of logs for security, audit, and other operation logs at the management/control plane and data plane tiers. There are three types of the logs available at the Azure platform: - Azure resource log: Logging of operations that are performed within an Azure resource (the data plane). For example, getting a secret from a key vault or making a request to a database. The content of resource logs varies by the Azure service and resource type. - Azure activity log: Logging of operations on each Azure resource at the subscription layer, from the outside (the management plane). You can use the Activity Log to determine the what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. There is a single Activity log for each Azure subscription. - Microsoft Entra logs: Logs of the history of sign-in activity and audit trail of changes made in the Microsoft Entra ID for a particular tenant. You can also use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collecting on Azure resources. **Implementation and additional context:** Understand logging and different log types in Azure: https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview Understand Microsoft Defender for Cloud data collection: https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection Enable and configure antimalware monitoring: https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets Operating systems and application logs inside in your compute resources: https://docs.microsoft.com/azure/azure-monitor/agents/data-sources#operating-system-guest n/a link 16
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Enforce recommended guardrails for Open AI (Cognitive Service) Enforce-Guardrails-OpenAI Cognitive Services GA ALZ
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-03-11 18:31:50 add 1b4d1c4e-934c-4703-944c-27c82c06bebb
JSON compare n/a
JSON
api-version=2021-06-01
EPAC