Security Control: Logging and Monitoring
Note
The most up-to-date Azure Security Benchmark is available here.
Security logging and monitoring focuses on activities related to enabling, acquiring, and storing audit logs for Azure services.
2.1: Use approved time synchronization sources
Azure ID | CIS IDs | Responsibility |
---|---|---|
2.1 | 6.1 | Microsoft |
Microsoft maintains time sources for Azure resources; however, you have the option to manage the time synchronization settings for your compute resources.
How to configure time synchronization for Azure Windows compute resources
How to configure time synchronization for Azure Linux compute resources
2.2: Configure central security log management
Azure ID | CIS IDs | Responsibility |
---|---|---|
2.2 | 6.5, 6.6 | Customer |
Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. Within Azure Monitor, use Log Analytics Workspace(s) to query and perform analytics, and use Azure Storage Accounts for long-term/archival storage.
Alternatively, you may enable and onboard data to Azure Sentinel or a third-party SIEM.
How to collect Azure Virtual Machine internal host logs with Azure Monitor
How to get started with Azure Monitor and third-party SIEM integration
2.3: Enable audit logging for Azure resources
Azure ID | CIS IDs | Responsibility |
---|---|---|
2.3 | 6.2, 6.3 | Customer |
Enable Diagnostic Settings on Azure resources for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
2.4: Collect security logs from operating systems
Azure ID | CIS IDs | Responsibility |
---|---|---|
2.4 | 6.2, 6.3 | Customer |
If the compute resource is owned by Microsoft, then Microsoft is responsible for monitoring it. If the compute resource is owned by your organization, it's your responsibility to monitor it. You can use Azure Security Center to monitor the OS. Data collected by Security Center from the operating system includes OS type and version, OS logs (Windows Event Logs), running processes, machine name, IP addresses, and logged-in user. The Log Analytics Agent also collects crash dump files.
2.5: Configure security log storage retention
Azure ID | CIS IDs | Responsibility |
---|---|---|
2.5 | 6.4 | Customer |
Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.
2.6: Monitor and review logs
Azure ID | CIS IDs | Responsibility |
---|---|---|
2.6 | 6.7 | Customer |
Analyze and monitor logs for anomalous behavior and regularly review results. Use Azure Monitor's Log Analytics Workspace to review logs and perform queries on log data.
Alternatively, you may enable and onboard data to Azure Sentinel or a third-party SIEM.
2.7: Enable alerts for anomalous activities
Azure ID | CIS IDs | Responsibility |
---|---|---|
2.7 | 6.8 | Customer |
Use Azure Security Center with Log Analytics Workspace for monitoring and alerting on anomalous activity found in security logs and events.
Alternatively, you may enable and onboard data to Azure Sentinel.
2.8: Centralize anti-malware logging
Azure ID | CIS IDs | Responsibility |
---|---|---|
2.8 | 8.6 | Customer |
Enable antimalware event collection for Azure Virtual Machines and Cloud Services.
2.9: Enable DNS query logging
Azure ID | CIS IDs | Responsibility |
---|---|---|
2.9 | 8.7 | Customer |
Implement a third-party DNS logging solution from Azure Marketplace according to your organization's needs.
2.10: Enable command-line audit logging
Azure ID | CIS IDs | Responsibility |
---|---|---|
2.10 | 8.8 | Customer |
Use Microsoft Monitoring Agent on all supported Azure Windows virtual machines to log the process creation event and the CommandLine field. For supported Azure Linux virtual machines, you can manually configure console logging on a per-node basis and use Syslog to store the data. Also, use Azure Monitor's Log Analytics workspace to review logs and perform queries on logged data from Azure virtual machines.
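A Log Analytics workspace query of the kind controls 2.6 and 2.10 call for, added here as an example rather than taken from the benchmark or Microsoft's documentation: it lists process/parent pairs that first appeared in the last day, together with their command lines, so a reviewer can triage newly seen executables instead of reading every 4688 event. It assumes the SecurityEvent table is populated by the agent from Windows VMs on which command-line auditing is enabled; the 14-day baseline and 1-day review windows are assumptions to adjust to your retention settings (control 2.5).

```kusto
// Process-creation events (Windows Event ID 4688) in the Log Analytics workspace.
// CommandLine is only populated when command-line auditing is enabled on the VM
// (control 2.10); rows without it are dropped so the result is not skewed.
let lookback = 14d;   // baseline window used to learn what is "normal" (assumed)
let review   = 1d;    // window under review (assumed)
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4688 and isnotempty(CommandLine)
| extend ProcessName = tolower(Process)
| summarize
    FirstSeen  = min(TimeGenerated),
    Executions = count(),
    HostCount  = dcount(Computer),
    Hosts      = make_set(Computer, 5),
    Accounts   = make_set(Account, 5),
    SampleCmd  = take_any(CommandLine)
  by ProcessName, ParentProcessName
// Keep only process/parent pairs never observed before the review window
| where FirstSeen > ago(review)
// Rarest combinations (fewest hosts, fewest runs) float to the top for review
| order by HostCount asc, Executions asc
| project FirstSeen, ProcessName, ParentProcessName, HostCount, Executions, Hosts, Accounts, SampleCmd
```

Once reviewed, the same query can be saved as a scheduled alert rule (control 2.7) so that newly seen process/parent pairs are raised automatically instead of waiting for a manual review.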
Next steps
- See the next Security Control: Identity and Access Control