Diagnostic Settings for Azure Network Azure Firewall

[KeionneDerousselle]

Acceptance Criteria

• Ingest Azure Monitor Diagnostic Settings

  • Diagnostic Settings are the new way to send platform logs, including the Azure Activity Log and resource logs, and metrics to different destinations. It should not be used in tandem with Log Profile. Each Azure resource has its own diagnostic settings. These settings define the categories or types of metrics and logs that should be sent somewhere, and one or more destinations to send the logs and metrics. Currently, you can send metrics and logs to Log Analytics workspace, Event Hubs, and Azure Storage.

• 5.3 Ensure that Diagnostic Logs are enabled for all services which support it. (Automated)

  • Unlike diagnostic logs that capture activity for the subscription level (Activity Log), there are also logs for actions taken on specific resources. This benchmark aims to ensure that resource-level diagnostic logs provide insight into operations that were performed within that resource itself.

  • There are several Azure resources that support diagnostic logging. Azure Firewalls are one of those Azure resources.

What Changed?

• Added the Azure Network Azure Firewall entity
• Added the Azure Resource Group has Azure Network Azure Firewall relationship
• Refactored the terraform creation for Diagnostic Settings for Azure Batch Accounts, Azure CDN Endpoints, Azure CDN Profiles, Azure Key Vaults, Azure Network Load Balancers, Azure Network Security Groups, Azure Network Public IP Addresses, Azure Network Virtual Networks, Azure Event Grid Domains, and Azure Event Grid Topics.
  • This was because Azure was creating default Diagnostic Settings for categories not specified in the terraform. This was producing inconsistent test results. See Terraform wants to delete metrics that intentionally are left out. hashicorp/terraform-provider-azurerm#7235 (comment) for more details.
• Collected the Diagnostic Settings entities and relationships for Azure Network Azure Firewalls,
  • Azure Diagnostic Log Setting entity
  • Azure Diagnostic Metric Setting entity
  • Azure Resource has Azure Diagnostic Log Setting relationship
  • Azure Resource has Azure Diagnostic Metric Setting relationship
  • Azure Diagnostic Log Setting uses Azure Storage Account relationship
  • Azure Diagnostic Metric Setting uses Azure Storage Account relationship

Graph