Този браузър вече не се поддържа.
Надстройте до Microsoft Edge, за да се възползвате от най-новите функции, актуализации на защитата и техническа поддръжка.
This security baseline maps guidance from the Microsoft cloud security benchmark version 1.0 to the Azure Monitor features you should use to implement the guidance. The Microsoft cloud security benchmark provides recommendations on how to secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Microsoft cloud security benchmark and the related guidance applicable to Azure Monitor.
You can monitor this security baseline and its recommendations using Microsoft Defender for Cloud. The Regulatory Compliance section of the Microsoft Defender for Cloud portal page lists Azure Policy definitions.
This baseline lists Azure Policy Definitions relevant to specific features to help you measure compliance with the Microsoft cloud security benchmark controls and recommendations. You might require a paid Microsoft Defender plan to enable certain security scenarios.
Бележка
Features not applicable to Azure Monitor have been excluded. To see how Azure Monitor completely maps to the Microsoft cloud security benchmark, see the full Azure Monitor security baseline mapping file.
The security profile summarizes high-impact behaviors of Azure Monitor, which may result in increased security considerations.
| Service Behavior Attribute | Value |
|---|---|
| Product Category | DevOps, Security |
| Customer can access HOST / OS | No Access |
| Service can be deployed into customer's virtual network | True |
| Stores customer content at rest | True |
For more information, see the Microsoft cloud security benchmark: Network security.
Description: Service supports deployment into customer's private Virtual Network (VNet). Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Configuration Guidance: Deploy the service into a virtual network. Assign private IPs to the resource (where applicable) unless there is a strong reason to assign public IPs directly to the resource.
Reference: Use Azure Private Link to connect networks to Azure Monitor
Description: Service network traffic respects Network Security Groups rule assignment on its subnets. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Configuration Guidance: Use network security groups (NSG) to restrict or monitor traffic by port, protocol, source IP address, or destination IP address. Create NSG rules to restrict your service's open ports (such as preventing management ports from being accessed from untrusted networks). Be aware that by default, NSGs deny all inbound traffic but allow traffic from virtual network and Azure Load Balancers.
Reference: IP addresses used by Azure Monitor
Description: Service native IP filtering capability for filtering network traffic (not to be confused with NSG or Azure Firewall). Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Configuration Guidance: With Azure Private Link, you can securely link Azure platform as a service (PaaS) resources to your virtual network by using private endpoints. Azure Monitor is a constellation of different interconnected services that work together to monitor your workloads. An Azure Monitor Private Link connects a private endpoint to a set of Azure Monitor resources, defining the boundaries of your monitoring network. That set is called an Azure Monitor Private Link Scope (AMPLS).
Reference: Use Azure Private Link to connect networks to Azure Monitor
Description: Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Configuration Guidance: Disable public network access either using the service-level IP ACL filtering rule or a toggling switch for public network access. See additional information here: Use Azure Monitor Private Link Scope (AMPLS)
Reference: Use Azure Private Link to connect networks to Azure Monitor
For more information, see the Microsoft cloud security benchmark: Identity management.
Description: Service supports using Microsoft Entra authentication for data plane access. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | True | Microsoft |
Feature notes: Azure Monitor Agent uses managed identities and Microsoft Entra authentication by default and is documented here: Azure Monitor Agent requirements
Application Insights needs to be configured to enforce Microsoft Entra authentication, as documented here Microsoft Entra authentication for Application Insights
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
Reference: Microsoft Entra authentication for Application Insights
Description: Local authentications methods supported for data plane access, such as a local username and password. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Description: Data plane actions support authentication using managed identities. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Feature notes: Managed identity must be enabled on Azure virtual machines prior to installing Azure Monitor Agent. Azure Monitor Agent Prerequisites
Configuration Guidance: Use Azure managed identities instead of service principals when possible, which can authenticate to Azure services and resources that support Microsoft Entra authentication. Managed identity credentials are fully managed, rotated, and protected by the platform, avoiding hard-coded credentials in source code or configuration files.
Reference: Microsoft Entra authentication for Application Insights
Description: Data plane supports authentication using service principals. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Feature notes: This is applicable only to Secure WebHooks.
Configuration Guidance: There is no current Microsoft guidance for this feature configuration. Please review and determine if your organization wants to configure this security feature.
Reference: Create and manage action groups in the Azure portal
For more information, see the Microsoft cloud security benchmark: Privileged access.
Description: Azure Role-Based Access Control (Azure RBAC) can be used to managed access to service's data plane actions. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | True | Microsoft |
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
Reference: Roles, permissions, and security in Azure Monitor
Description: Customer Lockbox can be used for Microsoft support access. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Feature notes: Only available when Azure Monitor Log Analytics is configured with a dedicated cluster.
Configuration Guidance: In support scenarios where Microsoft needs to access your data, use Customer Lockbox to review, then approve or reject each of Microsoft's data access requests. This only applies to Log data in dedicated clusters.
Reference: Customer Lockbox (preview)
For more information, see the Microsoft cloud security benchmark: Data protection.
Description: Tools (such as Azure Purview or Azure Information Protection) can be used for data discovery and classification in the service. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Description: Service supports DLP solution to monitor sensitive data movement (in customer's content). Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Description: Service supports data in-transit encryption for data plane. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Feature notes: All configured by default, except Data ingestion.
For Log Analytics
Configuration Guidance: Enable secure transfer in services where there is a native data in transit encryption feature built in. Enforce HTTPS on any web applications and services and ensure TLS v1.2 or later is used. Legacy versions such as SSL 3.0, TLS v1.0 should be disabled. For remote management of Virtual Machines, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol.
Description: Data at-rest encryption using platform keys is supported, any customer content at rest is encrypted with these Microsoft managed keys. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | True | Microsoft |
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
Description: Data at-rest encryption using customer-managed keys is supported for customer content stored by the service. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | False | Customer |
Feature notes: Azure Monitor data is data about the health of services and is not protected by Customer Lockbox by default. Only Logs can be protected by Lockbox, and only for dedicated clusters.
Configuration Guidance: Azure Monitor data is intended for service health data only, and only Log Data stored in dedicated clusters allows the use of Customer Managed Keys for Data at Rest Encryption. If required for regulatory compliance, define the use case and service scope where encryption using customer-managed keys are needed. Enable and implement data at rest encryption using customer-managed key for those services.
Reference: Azure Monitor customer-managed key
For more information, see the Microsoft cloud security benchmark: Asset management.
For more information, see the Microsoft cloud security benchmark: Logging and threat detection.
Description: Service has an offering-specific Microsoft Defender solution to monitor and alert on security issues. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Description: Service produces resource logs that can provide enhanced service-specific metrics and logging. The customer can configure these resource logs and send them to their own data sink like a storage account or Log Analytics workspace. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| True | True | Microsoft |
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
Reference: Diagnostic settings in Azure Monitor
For more information, see the Microsoft cloud security benchmark: Backup and recovery.
Description: The service can be backed up by the Azure Backup service. Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Description: Service supports its own native backup capability (if not using Azure Backup). Learn more.
| Supported | Enabled By Default | Configuration Responsibility |
|---|---|---|
| False | Not Applicable | Not Applicable |
Configuration Guidance: This feature is not supported to secure this service.
Обучение
Модул
Monitor workload protection in Azure Backup - Training
Learn how to monitor Azure Backup-protected workloads by using Azure Monitor.
Сертифициране
Microsoft Certified: Information Protection and Compliance Administrator Associate - Certifications
Demonstrate the fundamentals of data security, lifecycle management, information security, and compliance to protect a Microsoft 365 deployment.