Security Control: Logging and Monitoring

Security logging and monitoring focuses on activities related to enabling, acquiring, and storing audit logs for Azure services.

2.1: Use approved time synchronization sources

Azure ID CIS IDs Responsibility
2.1 6.1 Microsoft

Microsoft maintains time sources for Azure resources, however, you have the option to manage the time synchronization settings for your compute resources.

2.2: Configure central security log management

Azure ID CIS IDs Responsibility
2.2 6.5, 6.6 Customer

Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. Within Azure Monitor, use Log Analytics Workspace(s) to query and perform analytics, and use Azure Storage Accounts for long-term/archival storage.

Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM.

2.3: Enable audit logging for Azure resources

Azure ID CIS IDs Responsibility
2.3 6.2, 6.3 Customer

Enable Diagnostic Settings on Azure resources for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

2.4: Collect security logs from operating systems

Azure ID CIS IDs Responsibility
2.4 6.2, 6.3 Customer

If the compute resource is owned by Microsoft, then Microsoft is responsible for monitoring it. If the compute resource is owned by your organization, it's your responsibility to monitor it. You can use Azure Security Center to monitor the OS. Data collected by Security Center from the operating system includes OS type and version, OS (Windows Event Logs), running processes, machine name, IP addresses, and logged in user. The Log Analytics Agent also collects crash dump files.

2.5: Configure security log storage retention

Azure ID CIS IDs Responsibility
2.5 6.4 Customer

Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.

2.6: Monitor and review Logs

Azure ID CIS IDs Responsibility
2.6 6.7 Customer

Analyze and monitor logs for anomalous behavior and regularly review results. Use Azure Monitor's Log Analytics Workspace to review logs and perform queries on log data.

Alternatively, you may enable and on-board data to Azure Sentinel or a third party SIEM.

2.7: Enable alerts for anomalous activities

Azure ID CIS IDs Responsibility
2.7 6.8 Customer

Use Azure Security Center with Log Analytics Workspace for monitoring and alerting on anomalous activity found in security logs and events.

Alternatively, you may enable and on-board data to Azure Sentinel.

2.8: Centralize anti-malware logging

Azure ID CIS IDs Responsibility
2.8 8.6 Customer

Enable antimalware event collection for Azure Virtual Machines and Cloud Services.

2.9: Enable DNS query logging

Azure ID CIS IDs Responsibility
2.9 8.7 Customer

Implement a third-party solution from Azure Marketplace for DNS logging solution as per your organizations need.

2.10: Enable command-line audit logging

Azure ID CIS IDs Responsibility
2.10 8.8 Customer

Use Microsoft Monitoring Agent on all supported Azure Windows virtual machines to log the process creation event and the CommandLine field. For supported Azure Linux Virtual machines, you can manually configure console logging on a per-node basis and use Syslog to store the data. Also, use Azure Monitor's Log Analytics workspace to review logs and perform queries on logged data from Azure Virtual machines.

Next steps