# Step 1: Evidence Details


|Evidence name|System|Source of data|Frameworks|Purpose|
|---|:---|:---|:---|:---|
|diagnosticslogsinservicebusmonitoring|compliancecow|AzureServiceBusData|Azure ServiceBus Diagnostic Data|Ensure resource logs in Service Bus are enabled|

```
Purpose: Resource logs for Service Bus and its namespaces can help recreate activity trails when investigating security incidents. Enable them to make sure the logs will exist when needed.

```

# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)

Extended Schema:

```json
[
    {
        "Id": "/subscriptions/12345678-90ab-cdef-1234-567890abcdef/resourceGroups/myResourceGroup/providers/Microsoft.Logic/workflows/MyWorkflow",
        "Name": "MyWorkflow",
        "Values": [
            {
                "id": "/subscriptions/12345678-90ab-cdef-1234-567890abcdef/resourcegroups/myResourceGroup/providers/microsoft.logic/workflows/MyWorkflow/providers/microsoft.insights/diagnosticSettings/MyDiagnosticSetting",
                "type": "Microsoft.Insights/diagnosticSettings",
                "name": "MyDiagnosticSetting",
                "location": "southindia",
                "kind": null,
                "tags": null,
                "properties": {
                    "storageAccountId": null,
                    "serviceBusRuleId": null,
                    "workspaceId": "/subscriptions/12345678-90ab-cdef-1234-567890abcdef/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/MyWorkspace",
                    "eventHubAuthorizationRuleId": null,
                    "eventHubName": null,
                    "metrics": [
                        {
                            "category": "AllMetrics",
                            "enabled": false,
                            "retentionPolicy": {
                                "enabled": false,
                                "days": 0
                            }
                        }
                    ],
                    "logs": [
                        {
                            "category": null,
                            "categoryGroup": "allLogs",
                            "enabled": true,
                            "retentionPolicy": {
                                "enabled": false,
                                "days": 0
                            }
                        }
                    ],
                    "logAnalyticsDestinationType": null
                },
                "identity": null
            }
        ]
    }
]
```


# Step 3: Define the Standard Schema

  

Standard Schema:

```json
{
    "System": "azure",
    "Source": "compliancecow",
    "ResourceID": "/subscriptions/12345678-90ab-cdef-1234-567890abcdef/resourceGroups/MyResourceGroup/providers/Microsoft.ServiceBus/namespaces/MyServiceBus",
    "ResourceType": "ServiceBusNameSpace",
    "ResourceName": "MyServiceBusNameSpace",
    "DiagnosticLogEnabledInServiceBusNameSpace": "FALSE",
    "ComplianceStatus": "NON_COMPLIANT",
    "ValidationStatusCode": "DIAG_LOGS_DISABLED",
    "ComplianceStatusReason": "None of the diagnostic categor(ies) are enabled",
    "ValidationStatusNotes": "enable one or more diagnostic logs for the resource",
    "EvaluatedTime": "2024-01-03 17:05:36.554636",
    "Action": "",
    "Tags": "[]"
}
```

# Step 3.a: Sample Data

| System | Source | ResourceId | ResourceType | ResourceName | DiagnosticLogEnabledInServiceBusNameSpace | ComplianceStatus | ValidationStatusCode | ComplianceStatusReason | ValidationStatusNotes | EvaluatedTime | Action | Tags |
| ------ | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | ----------------- | ----------------------------------------- | ---------------- | -------------------- | ----------------------------------------------- | --------------------------------------------------- | -------------------------- | ------ | ---- |
| azure | compliancecow | /subscriptions/12345678-90ab-cdef-1234-567890abcdef/resourceGroups/MyResourceGroup/providers/Microsoft.ServiceBus/namespaces/MyServiceBus | ServiceBusNameSpace | MyServiceBus | FALSE | NON_COMPLIANT | DIAG_LOGS_DISABLED | None of the diagnostic categor(ies) are enabled | enable one or more diagnostic logs for the resource | 2024-01-03 17:05:36.554636 | | [] |
| azure | compliancecow | /subscriptions/12345678-90ab-cdef-1234-567890abcdef/resourceGroups/MyResourceGroup/providers/Microsoft.ServiceBus/namespaces/MyServiceBus1 | ServiceBusNameSpace | MyServiceBus1| FALSE | NON_COMPLIANT | DIAG_LOGS_DISABLED | None of the diagnostic categor(ies) are enabled | enable one or more diagnostic logs for the resource | 2024-01-03 17:05:36.555128 | | [] |

# Step 4: Describe the Compliance Taxonomy

|ComplianceStatus|ValidationStatusCode|ComplianceStatusReason|ValidationStatusNotes|
|------------|:--------------|:--------------|----------|
|Compliant|DIAG_LOGS_ENABLED|Diagnostic log category(ies) are enabled|No actions required|
|NonCompliant|DIAG_LOGS_DISABLED|None of the diagnostic categor(ies) are enabled|enable one or more diagnostic logs for the resource|



# Step 5: Calculation for Compliance Percentage and Status

## For each control

Refer to Step 6 to determine whether the assessment for the leaf control was compliant or non-compliant. The compliance percentage is 100% if the assessment was compliant and 0% otherwise.

## For overall assessment

The existing calculation will be used.

**Method suggested by Azure**

Refer to https://learn.microsoft.com/en-us/azure/governance/policy/concepts/compliance-states

overall compliance % = (compliant + exempt + unknown) / (compliant + exempt + unknown + non-compliant + conflicting + error)

```python
import ast

import pandas as pd


def evaluate_row(row):
    """Return the compliance details for one AzureServiceBusData row."""
    enabled = False

    # "Values" carries the resource's diagnostic settings as a string;
    # ast.literal_eval parses it, so it must be a Python-literal string.
    if row["Values"] and pd.notna(row["Values"]):
        for item in ast.literal_eval(row["Values"]):
            properties = item.get("properties")
            if properties:
                logs = properties.get("logs")
                if logs:
                    # One enabled log entry is enough; metrics are not considered.
                    for log in logs:
                        log_enabled = log.get("enabled")
                        if log_enabled:
                            enabled = log_enabled
                            break

    if enabled:
        compliance_details = {
            "ComplianceStatus": "COMPLIANT",
            "ValidationStatusCode": "DIAG_LOGS_ENABLED",
            "ComplianceStatusReason": "Diagnostic log category(ies) are enabled",
            "ValidationStatusNotes": "No actions required",
        }
    else:
        compliance_details = {
            "ComplianceStatus": "NON_COMPLIANT",
            "ValidationStatusCode": "DIAG_LOGS_DISABLED",
            "ComplianceStatusReason": "None of the diagnostic categor(ies) are enabled",
            "ValidationStatusNotes": "enable one or more diagnostic logs for the resource",
        }
    return compliance_details
```
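
An added example (not ComplianceCow's own code) that carries the check above from Step 2 extended-schema records through to Step 3 standard-schema rows and a compliant-share percentage. The sample records, helper names and the "TRUE" flag value are assumptions, and the percentage covers only the two states in the Step 4 taxonomy.

```python
from datetime import datetime

# Constructed sample in the Step 2 shape; IDs and names are hypothetical.
_NS = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ServiceBus/namespaces/"

def _setting(logs_on, metrics_on):
    return {"properties": {"metrics": [{"category": "AllMetrics", "enabled": metrics_on}],
                           "logs": [{"categoryGroup": "allLogs", "enabled": logs_on}]}}

SAMPLE = [
    {"Id": _NS + "sb-logs-on", "Name": "sb-logs-on", "Values": [_setting(True, False)]},
    {"Id": _NS + "sb-metrics-only", "Name": "sb-metrics-only", "Values": [_setting(False, True)]},
    {"Id": _NS + "sb-no-setting", "Name": "sb-no-setting", "Values": None},
]

# Step 4 taxonomy. "TRUE" for the compliant flag is assumed; the page only shows "FALSE".
TAXONOMY = {
    True: ("TRUE", "COMPLIANT", "DIAG_LOGS_ENABLED",
           "Diagnostic log category(ies) are enabled", "No actions required"),
    False: ("FALSE", "NON_COMPLIANT", "DIAG_LOGS_DISABLED",
            "None of the diagnostic categor(ies) are enabled",
            "enable one or more diagnostic logs for the resource"),
}

def logs_enabled(record):
    """True only if some diagnostic setting has an enabled *log* entry; metrics do not count."""
    for setting in record.get("Values") or []:
        props = setting.get("properties") or {}
        if any(log.get("enabled") is True for log in props.get("logs") or []):
            return True
    return False

def to_standard(record, now=None):
    """Map one extended-schema record to a Step 3 standard-schema row."""
    flag, status, code, reason, notes = TAXONOMY[logs_enabled(record)]
    return {"System": "azure", "Source": "compliancecow",
            "ResourceID": record["Id"], "ResourceType": "ServiceBusNameSpace",
            "ResourceName": record["Name"],
            "DiagnosticLogEnabledInServiceBusNameSpace": flag,
            "ComplianceStatus": status, "ValidationStatusCode": code,
            "ComplianceStatusReason": reason, "ValidationStatusNotes": notes,
            "EvaluatedTime": str(now or datetime.now()), "Action": "", "Tags": "[]"}

def compliance_percent(rows):
    """Compliant share of evaluated rows; None when nothing was evaluated."""
    compliant = sum(r["ComplianceStatus"] == "COMPLIANT" for r in rows)
    return round(100.0 * compliant / len(rows), 2) if rows else None

if __name__ == "__main__":
    print([(r["ResourceName"], r["ComplianceStatus"]) for r in map(to_standard, SAMPLE)])
```

A namespace with only metrics enabled, or with no diagnostic setting at all, still evaluates as `DIAG_LOGS_DISABLED`.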

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

FOR NOT_DETERMINED: None

FOR COMPLIANT: None

FOR NON_COMPLIANT:

If Compliance Cow needs to notify the client, the following message can be sent via Slack or a ticket raised in JIRA:

Diagnostic logs for Service Bus/Service Bus Namespaces can be enabled by manual intervention.

1. Log in to the Azure portal.
2. Search for "Monitor" in the search bar and go to the Monitor page.
3. On the "Monitor" page, in the left navigation pane, choose "Settings | Diagnostics Settings".
4. On the "Diagnostics Settings" page, under the 'Resource Type' column, search for "Service Bus/Service Bus Namespaces". You will find all the Service Buses and Service Bus Namespaces listed one after the other.
5. Find the resource under consideration, and check the 'Diagnostics status' column.
6. If the Diagnostics status is 'Disabled', click on the resource name. It will take you to the resource's Diagnostics Settings page.
7. Click on the 'Add diagnostic setting' link.
8. On the 'Add diagnostic setting' page, select all the log categories for which you want logs to be delivered to Azure Monitor.
9. Under 'Destination Details', select one or more destinations and configure the destination details for the logs to be sent.
10. Click on 'Save' at the top of the page. This will take you back to the 'Monitor' page.
11. On the "Monitor" page, verify that the 'Diagnostic Status' is Enabled.

# Step 7: Control Setup Details

| Control Details            |                                               |
|----------------------------|-----------------------------------------------|
| **RuleName**               | IsDiagnosticLogsEnabledInAzureServiceBus      |
| **PreRequisiteRuleNames**  | AzureServiceBusData                           |
| **ExtendedSchemaRuleNames**| AzureServiceBusData                           |
| **ApplicationClassName**   | azureappconnector                             |

