last sync: 2024-Oct-11 17:51:27 UTC

Provide capability to process customer-controlled audit records | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Provide capability to process customer-controlled audit records
Id 21633c09-804e-7fcd-78e3-635c6bfe2be7
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1126 - Provide capability to process customer-controlled audit records
Additional metadata Name/Id: CMA_C1126 / CMA_C1126
Category: Operational
Title: Provide capability to process customer-controlled audit records
Ownership: Customer
Description: The customer is responsible for providing the capability to process customer-controlled audit records for events of interest.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 10 compliance controls are associated with this Policy definition 'Provide capability to process customer-controlled audit records' (21633c09-804e-7fcd-78e3-635c6bfe2be7)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AU-7(1) FedRAMP_High_R4_AU-7(1) FedRAMP High AU-7 (1) Audit And Accountability Automatic Processing Shared n/a The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]. Supplemental Guidance: Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. Related controls: AU-2, AU-12. link 1
FedRAMP_Moderate_R4 AU-7(1) FedRAMP_Moderate_R4_AU-7(1) FedRAMP Moderate AU-7 (1) Audit And Accountability Automatic Processing Shared n/a The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]. Supplemental Guidance: Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. Related controls: AU-2, AU-12. link 1
hipaa 1205.09aa2System.1-09.aa hipaa-1205.09aa2System.1-09.aa 1205.09aa2System.1-09.aa 12 Audit Logging & Monitoring 1205.09aa2System.1-09.aa 09.10 Monitoring Shared n/a Logs of messages sent and received are maintained including the date, time, origin and destination of the message, but not its contents. 6
hipaa 1215.09ab2System.7-09.ab hipaa-1215.09ab2System.7-09.ab 1215.09ab2System.7-09.ab 12 Audit Logging & Monitoring 1215.09ab2System.7-09.ab 09.10 Monitoring Shared n/a Auditing and monitoring systems employed by the organization support audit reduction and report generation. 4
hipaa 1219.09ab3System.10-09.ab hipaa-1219.09ab3System.10-09.ab 1219.09ab3System.10-09.ab 12 Audit Logging & Monitoring 1219.09ab3System.10-09.ab 09.10 Monitoring Shared n/a The information system is able to automatically process audit records for events of interest based on selectable criteria. 4
hipaa 1222.09ab3System.8-09.ab hipaa-1222.09ab3System.8-09.ab 1222.09ab3System.8-09.ab 12 Audit Logging & Monitoring 1222.09ab3System.8-09.ab 09.10 Monitoring Shared n/a The organization analyzes and correlates audit records across different repositories using a security information and event management (SIEM) tool or log analytics tools for log aggregation and consolidation from multiple systems/machines/devices, and correlates this information with input from non-technical sources to gain and enhance organization-wide situational awareness. Using the SIEM tool, the organization devise profiles of common events from given systems/machines/devices so that it can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts. 10
hipaa 1519.11c2Organizational.2-11.c hipaa-1519.11c2Organizational.2-11.c 1519.11c2Organizational.2-11.c 15 Incident Management 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a For unauthorized disclosures of covered information, a log is maintained and annually submitted to the appropriate parties (e.g., a state, regional or national regulatory agency). 14
NIST_SP_800-171_R2_3 .3.6 NIST_SP_800-171_R2_3.3.6 NIST SP 800-171 R2 3.3.6 Audit and Accountability Provide audit record reduction and report generation to support on-demand analysis and reporting. Shared Microsoft and the customer share responsibilities for implementing this requirement. Audit record reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or organizational entities conducting auditing activities. Audit record reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can help generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the time stamp in the record is insufficient. link 7
NIST_SP_800-53_R4 AU-7(1) NIST_SP_800-53_R4_AU-7(1) NIST SP 800-53 Rev. 4 AU-7 (1) Audit And Accountability Automatic Processing Shared n/a The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]. Supplemental Guidance: Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. Related controls: AU-2, AU-12. link 1
NIST_SP_800-53_R5 AU-7(1) NIST_SP_800-53_R5_AU-7(1) NIST SP 800-53 Rev. 5 AU-7 (1) Audit and Accountability Automatic Processing Shared n/a Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. link 1
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 21633c09-804e-7fcd-78e3-635c6bfe2be7
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC