Security Control: Logging and Monitoring

Security logging and monitoring focuses on activities related to enabling, acquiring, and storing audit logs for Azure services.

2.1: Use approved time synchronization sources

Azure ID: 2.1 | CIS IDs: 6.1 | Responsibility: Microsoft

Microsoft maintains time sources for Azure resources; however, you have the option to manage the time synchronization settings for your own compute resources.

How to configure time synchronization for Azure compute resources:

https://docs.microsoft.com/azure/virtual-machines/windows/time-sync

2.2: Configure central security log management

Azure ID: 2.2 | CIS IDs: 6.5, 6.6 | Responsibility: Customer

Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. Within Azure Monitor, use Log Analytics Workspace(s) to query and perform analytics, and use Azure Storage Accounts for long-term/archival storage.

Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM. How to onboard Azure Sentinel:

https://docs.microsoft.com/azure/sentinel/quickstart-onboard

How to collect platform logs and metrics with Azure Monitor:

https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings

How to collect Azure Virtual Machine internal host logs with Azure Monitor:

https://docs.microsoft.com/azure/azure-monitor/learn/quick-collect-azurevm

How to get started with Azure Monitor and third-party SIEM integration:

https://azure.microsoft.com/blog/use-azure-monitor-to-integrate-with-siem-tools/

2.3: Enable audit logging for Azure resources

Azure ID: 2.3 | CIS IDs: 6.2, 6.3 | Responsibility: Customer

Enable Diagnostic Settings on Azure resources for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

How to collect platform logs and metrics with Azure Monitor:

https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings

Understand logging and different log types in Azure:

https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview

2.4: Collect security logs from operating systems

Azure ID: 2.4 | CIS IDs: 6.2, 6.3 | Responsibility: Customer

If the compute resource is owned by Microsoft, then Microsoft is responsible for monitoring it. If the compute resource is owned by your organization, it is your responsibility to monitor it. You can use Azure Security Center to monitor the OS. Data collected by Security Center from the operating system includes OS type and version, OS logs (Windows Event Logs), running processes, machine name, IP addresses, and logged-in user. The Log Analytics Agent also collects crash dump files.

How to collect Azure Virtual Machine internal host logs with Azure Monitor:

https://docs.microsoft.com/azure/azure-monitor/learn/quick-collect-azurevm

Understand Azure Security Center data collection:

https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection

2.5: Configure security log storage retention

Azure ID: 2.5 | CIS IDs: 6.4 | Responsibility: Customer

Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.

How to set log retention parameters for Log Analytics Workspaces:

https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period
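An added example (not from the Azure documentation) that checks the JSON output of `az monitor diagnostic-settings list` against what controls 2.3 and 2.5 ask for: a Log Analytics destination, every log category enabled, and a storage-account archive with adequate retention. The sample JSON, the `<sub-id>` placeholder and the 365-day minimum are constructed assumptions:

```python
import json

# Constructed sample in the shape of `az monitor diagnostic-settings list --resource <id> -o json`,
# trimmed to the fields this check reads (field names follow the Azure Monitor API).
SAMPLE_SETTINGS = json.loads("""
[
  {
    "name": "send-to-law",
    "workspaceId": "/subscriptions/<sub-id>/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/law-central",
    "storageAccountId": null,
    "logs": [
      {"category": "AuditEvent", "enabled": true, "retentionPolicy": {"enabled": true, "days": 30}},
      {"category": "AzurePolicyEvaluationDetails", "enabled": false, "retentionPolicy": {"enabled": false, "days": 0}}
    ]
  }
]
""")

MIN_ARCHIVE_DAYS = 365  # assumed organisational requirement; set it from your compliance regulations


def audit_diagnostic_settings(settings, min_archive_days=MIN_ARCHIVE_DAYS):
    """Return findings for one resource's diagnostic settings (controls 2.3 and 2.5):
    a Log Analytics destination exists, every log category is enabled, and any
    storage-account archive keeps logs at least min_archive_days (0 = indefinitely)."""
    if not settings:
        return ["no diagnostic settings: audit logs are not being collected"]
    findings = []
    if not any(s.get("workspaceId") for s in settings):
        findings.append("no setting forwards logs to a Log Analytics workspace")
    if not any(s.get("storageAccountId") for s in settings):
        findings.append("no setting archives logs to a storage account")
    for s in settings:
        for log in s.get("logs", []):
            cat = log["category"]
            if not log.get("enabled"):
                findings.append(f"{s['name']}: log category {cat} is disabled")
                continue
            rp = log.get("retentionPolicy") or {}
            days = rp.get("days", 0)
            # retention policies only apply to storage-account destinations
            if s.get("storageAccountId") and rp.get("enabled") and 0 < days < min_archive_days:
                findings.append(f"{s['name']}: {cat} archive retention {days}d < {min_archive_days}d")
    return findings


if __name__ == "__main__":
    for finding in audit_diagnostic_settings(SAMPLE_SETTINGS):
        print("FINDING:", finding)
```

Run it over the real CLI output for each resource in scope; an empty list means the resource meets both controls under the assumed threshold.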

2.6: Monitor and review Logs

Azure ID: 2.6 | CIS IDs: 6.7 | Responsibility: Customer

Analyze and monitor logs for anomalous behavior and regularly review results. Use Azure Monitor's Log Analytics Workspace to review logs and perform queries on log data.

Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM.

How to onboard Azure Sentinel:

https://docs.microsoft.com/azure/sentinel/quickstart-onboard

Understand Log Analytics Workspace:

https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-portal

How to perform custom queries in Azure Monitor:

https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-queries

2.7: Enable alerts for anomalous activity

Azure ID: 2.7 | CIS IDs: 6.8 | Responsibility: Customer

Use Azure Security Center with Log Analytics Workspace for monitoring and alerting on anomalous activity found in security logs and events.

Alternatively, you may enable and on-board data to Azure Sentinel.

How to onboard Azure Sentinel:

https://docs.microsoft.com/azure/sentinel/quickstart-onboard

How to manage alerts in Azure Security Center:

https://docs.microsoft.com/azure/security-center/security-center-managing-and-responding-alerts

How to alert on log analytics log data:

https://docs.microsoft.com/azure/azure-monitor/learn/tutorial-response
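An added example (not part of the benchmark) of the kind of log review and alerting that controls 2.6 and 2.7 describe, run over constructed Activity Log records: it raises an alert on every occurrence of a sensitive control-plane operation and when one caller's failed operations reach a threshold. The flattened `caller` field, the operation watchlist and the failure threshold are assumptions:

```python
import json
from collections import defaultdict

# Constructed sample Activity Log records, one JSON object per line, in a simplified
# form of the Azure Monitor export (only the fields this review reads; "caller" is
# flattened out of the identity claims for brevity).
SAMPLE_ACTIVITY_LOG = """
{"time":"2024-01-10T09:00:01Z","category":"Administrative","operationName":"MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION","resultType":"Success","caller":"ops@example.com","callerIpAddress":"203.0.113.10"}
{"time":"2024-01-10T09:02:15Z","category":"Administrative","operationName":"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE","resultType":"Success","caller":"ops@example.com","callerIpAddress":"203.0.113.10"}
{"time":"2024-01-10T09:03:00Z","category":"Administrative","operationName":"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE","resultType":"Success","caller":"svc-build@example.com","callerIpAddress":"198.51.100.7"}
{"time":"2024-01-10T09:04:00Z","category":"Administrative","operationName":"MICROSOFT.KEYVAULT/VAULTS/WRITE","resultType":"Failure","caller":"svc-build@example.com","callerIpAddress":"198.51.100.7"}
{"time":"2024-01-10T09:04:05Z","category":"Administrative","operationName":"MICROSOFT.KEYVAULT/VAULTS/WRITE","resultType":"Failure","caller":"svc-build@example.com","callerIpAddress":"198.51.100.7"}
{"time":"2024-01-10T09:04:10Z","category":"Administrative","operationName":"MICROSOFT.KEYVAULT/VAULTS/WRITE","resultType":"Failure","caller":"svc-build@example.com","callerIpAddress":"198.51.100.7"}
"""

# Control-plane operations worth an alert on every occurrence (assumed watchlist; extend as needed).
SENSITIVE_OPERATIONS = {
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE": "privilege change",
    "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE": "logging pipeline tampering",
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE": "network exposure change",
}
FAILURE_THRESHOLD = 3  # assumed: this many failed operations by one caller in the reviewed window


def review_activity_log(lines, failure_threshold=FAILURE_THRESHOLD):
    """Return alert dicts for sensitive operations and for callers whose failed
    operations reach failure_threshold (one alert per caller, raised when hit)."""
    alerts = []
    failures = defaultdict(int)
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        op = rec.get("operationName", "").upper()
        caller = rec.get("caller", "unknown")
        if op in SENSITIVE_OPERATIONS:
            alerts.append({"kind": SENSITIVE_OPERATIONS[op], "caller": caller,
                           "ip": rec.get("callerIpAddress"), "time": rec["time"], "operation": op})
        if rec.get("resultType") == "Failure":
            failures[caller] += 1
            if failures[caller] == failure_threshold:
                alerts.append({"kind": "repeated failures", "caller": caller,
                               "ip": rec.get("callerIpAddress"), "time": rec["time"], "operation": op})
    return alerts


if __name__ == "__main__":
    for a in review_activity_log(SAMPLE_ACTIVITY_LOG):
        print(f"ALERT {a['time']} {a['kind']}: {a['caller']} ({a['ip']}) {a['operation']}")
```

The same three conditions map directly onto Log Analytics queries on the AzureActivity table, which is where you would schedule them as Azure Monitor alert rules in production.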

2.8: Centralize anti-malware logging

Azure ID: 2.8 | CIS IDs: 8.6 | Responsibility: Customer

Enable antimalware event collection for Azure Virtual Machines and Cloud Services.

How to configure Microsoft Antimalware for Virtual Machines:

https://docs.microsoft.com/powershell/module/servicemanagement/azure/set-azurevmmicrosoftantimalwareextension?view=azuresmps-4.0.0

How to configure Microsoft Antimalware for Cloud Services:

https://docs.microsoft.com/powershell/module/servicemanagement/azure/set-azureserviceantimalwareextension?view=azuresmps-4.0.0

Understand Microsoft Antimalware:

https://docs.microsoft.com/azure/security/fundamentals/antimalware

2.9: Enable DNS query logging

Azure ID: 2.9 | CIS IDs: 8.7 | Responsibility: Customer

Implement a third-party solution for DNS logging.

2.10: Enable command-line audit logging

Azure ID: 2.10 | CIS IDs: 8.8 | Responsibility: Customer

Manually configure console logging and PowerShell Transcription on a per-node basis.

Next steps

See the next security control: Identity and Access Control