Security Control V2: Logging and Threat Detection
Note
The most up-to-date Azure Security Benchmark is available here.
Logging and Threat Detection covers controls for detecting threats on Azure and enabling, collecting, and storing audit logs for Azure services. This includes enabling detection, investigation, and remediation processes with controls to generate high quality alerts with native threat detection in Azure services; it also includes collecting logs with Azure Monitor, centralizing security analysis with Azure Sentinel, time synchronization, and log retention.
To see the applicable built-in Azure Policy, see Details of the Azure Security Benchmark Regulatory Compliance built-in initiative: Logging and Threat Detection
LT-1: Enable threat detection for Azure resources
| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
|---|---|---|
| LT-1 | 6.7 | AU-3, AU-6, AU-12, SI-4 |
Ensure you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.
Use Azure Defender, which is based on monitoring Azure service telemetry and analyzing service logs. Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the system and copies the data to your workspace for analysis.
In addition, use Azure Sentinel to build analytics rules, which hunt threats that match specific criteria across your environment. The rules generate incidents when the criteria are matched, so that you can investigate each incident. Azure Sentinel can also import third-party threat intelligence to enhance its threat detection capability.
Responsibility: Customer
Customer Security Stakeholders (Learn more):
LT-2: Enable threat detection for Azure identity and access management
| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
|---|---|---|
| LT-2 | 6.8 | AU-3, AU-6, AU-12, SI-4 |
Azure AD provides the following user logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Azure Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:
Sign-ins – The sign-ins report provides information about the usage of managed applications and user sign-in activities.
Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.
Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
Azure Security Center can also alert on certain suspicious activities such as an excessive number of failed authentication attempts, and deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, Azure Defender can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, app service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources.
Responsibility: Customer
Customer Security Stakeholders (Learn more):
LT-3: Enable logging for Azure network activities
| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
|---|---|---|
| LT-3 | 9.3, 12.2, 12.5, 12.8 | AU-3, AU-6, AU-12, SI-4 |
Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and Web Application Firewall (WAF) logs for security analysis to support incident investigations, threat hunting, and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights.
Ensure that you are collecting DNS query logs to assist in correlating other network data.
Responsibility: Customer
Customer Security Stakeholders (Learn more):
LT-4: Enable logging for Azure resources
| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
|---|---|---|
| LT-4 | 6.2, 6.3, 8.8 | AU-3, AU-12 |
Enable logging for Azure resources to meet the requirements for compliance, threat detection, hunting, and incident investigation.
You can use Azure Security Center and Azure Policy to enable resource logs and log data collecting on Azure resources for access to audit, security, and resource logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
Responsibility: Shared
Customer Security Stakeholders (Learn more):
Infrastructure and endpoint security
LT-5: Centralize security log management and analysis
| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
|---|---|---|
| LT-5 | 6.5, 6.6 | AU-3, SI-4 |
Centralize logging storage and analysis to enable correlation. For each log source, ensure that you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements.
Ensure that you are integrating Azure activity logs into your central logging. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long term and archival storage.
In addition, enable and onboard data to Azure Sentinel or a third-party SIEM.
Many organizations choose to use Azure Sentinel for "hot" data that is used frequently and Azure Storage for "cold" data that is used less frequently.
Responsibility: Customer
Customer Security Stakeholders (Learn more):
LT-6: Configure log storage retention
| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
|---|---|---|
| LT-6 | 6.4 | AU-3, AU-11 |
Configure your log retention according to your compliance, regulation, and business requirements.
In Azure Monitor, you can set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage, Data Lake or Log Analytics workspace accounts for long-term and archival storage.
Responsibility: Customer
Customer Security Stakeholders (Learn more):
LT-7: Use approved time synchronization sources
| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
|---|---|---|
| LT-7 | 6.1 | AU-8 |
Microsoft maintains time sources for most Azure PaaS and SaaS services. For your virtual machines, use Microsoft default NTP server for time synchronization unless you have a specific requirement. If you need to stand up your own network time protocol (NTP) server, ensure you secure the UDP service port 123.
All logs generated by resources within Azure provide time stamps with the time zone specified by default.
How to configure time synchronization for Azure Windows compute resources
How to configure time synchronization for Azure Linux compute resources
Responsibility: Shared
Customer Security Stakeholders (Learn more):
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for