
Azure - Add a monitor resource for checking subscription diagnostic settings #8108

Open
jtroberts83 opened this issue Dec 30, 2022 · 0 comments


jtroberts83 commented Dec 30, 2022

Describe the feature

For Azure CIS 1.4 - 5.1.2 Ensure Diagnostic Setting captures appropriate categories

I need to check to ensure that the following categories are enabled for diagnostic-settings logging: Administrative, Alert,
Policy, and Security. This is done by running the following command:

az monitor diagnostic-settings subscription list

which will return something like this:

"resources": [
  {
    "type": "Microsoft.Insights/diagnosticSettings",
    "apiVersion": "2017-05-01-preview",
    "name": "[parameters('settingName')]",
    "dependsOn": [],
    "properties": {
      "workspaceId": "[parameters('workspaceId')]",
      "logs": [
        {
          "category": "Administrative",
          "enabled": true
        },
        {
          "category": "Alert",
          "enabled": true
        },
        {
          "category": "Autoscale",
          "enabled": false
        },
        {
          "category": "Policy",
          "enabled": true
        },
        {
          "category": "Recommendation",
          "enabled": false
        },
        {
          "category": "ResourceHealth",
          "enabled": false
        },
        {
          "category": "Security",
          "enabled": true
        },
        {
          "category": "ServiceHealth",
          "enabled": false
        }
      ]
    }
  }
]

So a policy would check to make sure the categories Administrative, Security, Policy, and Alert are both present and enabled.

Extra information or context

- name: azure-monitor-diagnostic-logs-disabled
  resource: azure.monitor
  filters:
  - or:
      - type: diagnostic-settings
        key: resources[].properties.logs[?category == 'Administrative'].enabled[]
        value: false
        value_type: swap
      - type: diagnostic-settings
        key: resources[].properties.logs[?category == 'Policy'].enabled[]
        value: false
        value_type: swap
      - type: diagnostic-settings
        key: resources[].properties.logs[?category == 'Alert'].enabled[]
        value: false
        value_type: swap
      - type: diagnostic-settings
        key: resources[].properties.logs[?category == 'Security'].enabled[]
        value: false
        value_type: swap
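As an added illustration (not code from this issue or from cloud-custodian), the check described above written out in plain Python against the output shape quoted from `az monitor diagnostic-settings subscription list`. The two input documents are constructed samples: one that mirrors the quoted output, and one where Policy is present but disabled and Security is missing altogether. The `enabled_flags` helper mirrors what the JMESPath key in the proposed policy evaluates to, so the two checker functions show the difference between reporting categories whose `enabled` is `false` and reporting categories that are not both present and enabled, which is what the request asks for.

```python
"""Added example: verify that an Azure subscription's diagnostic settings enable
the four activity-log categories named by CIS Azure 1.4 control 5.1.2.
Illustration code only; the input shape mirrors the CLI output quoted in the
issue and the sample documents below are constructed."""
import json

REQUIRED_CATEGORIES = ("Administrative", "Alert", "Policy", "Security")

# Constructed sample mirroring the quoted output: every required category is
# present and enabled.
COMPLIANT_DOC = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Insights/diagnosticSettings",
      "name": "subscription-activity-log",
      "properties": {
        "workspaceId": "<workspace-resource-id placeholder>",
        "logs": [
          {"category": "Administrative", "enabled": true},
          {"category": "Alert", "enabled": true},
          {"category": "Autoscale", "enabled": false},
          {"category": "Policy", "enabled": true},
          {"category": "Recommendation", "enabled": false},
          {"category": "ResourceHealth", "enabled": false},
          {"category": "Security", "enabled": true},
          {"category": "ServiceHealth", "enabled": false}
        ]
      }
    }
  ]
}
""")

# Constructed non-compliant sample: Policy is present but disabled, and
# Security is absent from the list entirely.
NONCOMPLIANT_DOC = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Insights/diagnosticSettings",
      "name": "partial-settings",
      "properties": {
        "logs": [
          {"category": "Administrative", "enabled": true},
          {"category": "Alert", "enabled": true},
          {"category": "Policy", "enabled": false}
        ]
      }
    }
  ]
}
""")


def enabled_flags(doc, category):
    """Equivalent of the JMESPath expression
    resources[].properties.logs[?category == '<category>'].enabled[]
    from the proposed policy: the 'enabled' values for that category across
    every diagnostic setting on the subscription. Absent category -> []."""
    flags = []
    for resource in doc.get("resources", []):
        for log in resource.get("properties", {}).get("logs", []):
            if log.get("category") == category:
                flags.append(bool(log.get("enabled", False)))
    return flags


def disabled_by_swap_lookup(doc, required=REQUIRED_CATEGORIES):
    """Categories that appear with enabled == false. This is what a
    'is false among the flags' lookup reports; a category that is missing
    produces an empty flag list and is not reported here."""
    return [c for c in required if False in enabled_flags(doc, c)]


def noncompliant_categories(doc, required=REQUIRED_CATEGORIES):
    """Control 5.1.2 as the issue states it: each required category must be
    present and enabled in at least one diagnostic setting. Returns the
    categories that fail; an empty list means the subscription complies."""
    return [c for c in required if True not in enabled_flags(doc, c)]


def is_compliant(doc):
    """True when no required category is missing or disabled."""
    return not noncompliant_categories(doc)


if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT_DOC), ("noncompliant", NONCOMPLIANT_DOC)):
        print(name,
              "disabled-only:", disabled_by_swap_lookup(doc),
              "missing-or-disabled:", noncompliant_categories(doc))
```

Running the block prints `["Policy"]` for the disabled-only view of the non-compliant sample but `["Policy", "Security"]` for the present-and-enabled view, so a filter that only looks for `enabled == false` needs a companion presence check to cover the case where a category was never added to the setting.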