Ensure Application Insights are Configured

Overview

Application Insights within Azure act as an Application Performance Monitoring solution, providing valuable data into how well an application performs and additional information when responding to incidents. The types of log data collected include application metrics, telemetry data, and application trace logging data, which provide organizations with detailed information about application activity and transactions. Both data sets help organizations adopt proactive and retroactive means to handle security and performance-related metrics within their modern applications.

Rationale

Configuring Application Insights provides additional data not found elsewhere within Azure as part of a much more extensive logging and monitoring program within an organization's Information Security practice. The types and contents of these logs will act as both a potential cost-saving measure (application performance) and a means to potentially confirm the source of a potential incident (trace logging). Metrics and Telemetry data provide organizations with a proactive approach to cost savings by monitoring an application's performance, while the trace logging data provides necessary details in a reactive incident response scenario by helping organizations identify the potential source of an incident within their application.

Impact

Because Application Insights relies on a Log Analytics Workspace, an organization will incur additional expenses when using this service.

Default Value

Application Insights are not enabled by default.

Remediation guidance

Remediate from Azure Portal

Navigate to Application Insights.
Under the Basics tab within the PROJECT DETAILS section, select the Subscription.
Select the Resource group.
Within the INSTANCE DETAILS, enter a Name.
Select a Region.
Next to Resource Mode, select Workspace-based.
Within the WORKSPACE DETAILS, select the Subscription for the log analytics workspace.
Select the appropriate Log Analytics Workspace.
Click Next:Tags >.
Enter the appropriate Tags as Name, Value pairs.
Click Next:Review+Create.
Click Create.

Remediate from Azure CLI

az monitor app-insights component create --app <app_name> --resource-group <resource_group_name> --location <location> --kind "web" --retention-time <days_to_retain_logs> --workspace <log_analytics_workspace_ID> --subscription <subscription_ID>

Remediate from PowerShell

New-AzApplicationInsights -Kind "web" -ResourceGroupName <rg_name> -Name <app insights name> -location <location> -RetentionInDays  -SubscriptionID <subscription ID> -WorkspaceResourceId <log analytics workspace ID>

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure Connectors without Application Insights

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(where: { cloudProvider: "azure", applicationInsights_SOME: null }) {
    ...AssetFragment
  }
}