Ensure Application Insights are Configured

Overview

Application Insights within Azure act as an Application Performance Monitoring solution, providing valuable data into how well an application performs and additional information when responding to incidents. The types of log data collected include application metrics, telemetry data, and application trace logging data, which provide organizations with detailed information about application activity and transactions. Both data sets help organizations adopt proactive and retroactive means to handle security and performance-related metrics within their modern applications.

Rationale

Configuring Application Insights provides additional data not found elsewhere within Azure as part of a much more extensive logging and monitoring program within an organization's Information Security practice. The types and contents of these logs will act as both a potential cost-saving measure (application performance) and a means to potentially confirm the source of a potential incident (trace logging). Metrics and Telemetry data provide organizations with a proactive approach to cost savings by monitoring an application's performance, while the trace logging data provides necessary details in a reactive incident response scenario by helping organizations identify the potential source of an incident within their application.

Impact

Because Application Insights relies on a Log Analytics Workspace, an organization will incur additional expenses when using this service.

Default Value

Application Insights are not enabled by default.

Remediation guidance

Remediate from Azure Portal

Navigate to Application Insights.
Under the Basics tab within the PROJECT DETAILS section, select the Subscription.
Select the Resource group.
Within the INSTANCE DETAILS, enter a Name.
Select a Region.
Next to Resource Mode, select Workspace-based.
Within the WORKSPACE DETAILS, select the Subscription for the log analytics workspace.
Select the appropriate Log Analytics Workspace.
Click Next:Tags >.
Enter the appropriate Tags as Name, Value pairs.
Click Next:Review+Create.
Click Create.

Remediate from Azure CLI

az monitor app-insights component create --app <app_name> --resource-group <resource_group_name> --location <location> --kind "web" --retention-time <days_to_retain_logs> --workspace <log_analytics_workspace_ID> --subscription <subscription_ID>

Remediate from PowerShell

New-AzApplicationInsights -Kind "web" -ResourceGroupName <rg_name> -Name <app insights name> -location <location> -RetentionInDays  -SubscriptionID <subscription ID> -WorkspaceResourceId <log analytics workspace ID>

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Operational rollout

Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

Azure Connectors without Application Insights

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(where: { cloudProvider: "azure", applicationInsights_SOME: null }) {
    ...AssetFragment
  }
}