Diagnostic Settings v2 - What's Missing

[Springstone]

Diagnostic Settings have had a lot of attention here in ALZ land, but with the transition to using the new built-in initiatives and policies, there may be some gaps. This is the place to share those gaps, with people that can potentially drive improvements regularly reviewing.

If you find a service not covered, please added it to this discussion thread so we can track it.

ALZ no longer support diagnostic settings policies. We've completely transitioned to using built-in policies.

[achechen]

There is no built in policy for:
Function Apps - resource type: Microsoft.Web/sites kind: functionapp
Standard Logic Apps - resource type: Microsoft.Web/sites, kind: functionapp,workflowapp
Web Apps - resource type: Microsoft.Web/sites, kind: NOT contains functionapp

[MikaelJcSoderberg]

I dont see any of the 4 Storage Account Diagnostic settings
blob
queue
table
file

I assume that they are all in this resource type:
Type=Microsoft.Storage/storageAccounts

[MikaelJcSoderberg]

Microsoft.Sql/servers/elasticPools is missing AllLogs, should that be listed as well?

[NucLabs]

I am a little confused. At first I thought the builtin inititiative Enable allLogs category group resource logging for supported resources to Log Analytics (0884adba-2312-4468-abeb-5422caed1038) is the complete initiative for all diagnostic logging on all resource types, but it is not. Is it a goal for this initiative to be complete in that respect? Or should I create my own initiative with policies that I miss The initiative lacks policies for web applications, function apps and storage accounts, for instance.

[kamfaima]

I agree with your confusion. Now I'm thinking should I just use the old deprecated initiative (https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Diagnostics-LogAnalytics.html) since it covers all of my use-cases? I mean if you were going to deprecate this policy, you'd think that the new one would have equivalent of not greater, functionality out of the box!

[mwildenb]

The new All Logs policy do not configure any METRICS and there is no built in policy for configuring additional metrics. Problem is that metrics are required for proper defender / threat analysis. Any suggestions on how to tackle?

MORE INFO:

Screenshot on the KeyVault policy to enable "AllLogs" (you can see the empty Metrics)

For Dutch public sector there is a Built In BIO policy urging to enable metric logging on several resources :

And a blog post with a recommendation to enable metrics on storage, eventhub, keyvault, apps and networking
https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/security-control-enable-audit-and-logging/ba-p/2079589