last sync: 2022-Dec-02 17:43:06 UTC

Azure Policy definition

Audit diagnostic setting

Name Audit diagnostic setting
Azure Portal
Id 7f89b1eb-583c-429a-8828-af049802c1d9
Version 2.0.0
details on versioning
Category Monitoring
Microsoft docs
Description Audit diagnostic setting for selected resource types
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Fixed
AuditIfNotExists
RBAC
Role(s)
none
Rule
Aliases
THEN-ExistenceCondition (2)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Insights/diagnosticSettings/logs.enabled microsoft.insights diagnosticSettings properties.logs[*].enabled false
Microsoft.Insights/diagnosticSettings/metrics.enabled microsoft.insights diagnosticSettings properties.metrics[*].enabled false
Rule
ResourceTypes
IF (1)
Microsoft.security/pricings
Compliance The following 22 compliance controls are associated with this Policy definition 'Audit diagnostic setting' (7f89b1eb-583c-429a-8828-af049802c1d9)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
AU_ISM 1537 AU_ISM_1537 AU ISM 1537 Guidelines for System Monitoring - Event logging and auditing Events to be logged - 1537 n/a The following events are logged for databases: • access to particularly important data • addition of new users, especially privileged users • any query containing comments • any query containing multiple embedded queries • any query or database alerts or failures • attempts to elevate privileges • attempted access that is successful or unsuccessful • changes to the database structure • changes to user roles or database permissions • database administrator actions • database logons and logoffs • modifications to data • use of executable commands. link 3
AU_ISM 582 AU_ISM_582 AU ISM 582 Guidelines for System Monitoring - Event logging and auditing Events to be logged - 582 n/a The following events are logged for operating systems: • access to important data and processes • application crashes and any error messages • attempts to use special privileges • changes to accounts • changes to security policy • changes to system configurations • Domain Name System (DNS) and Hypertext Transfer Protocol requests • failed attempts to access data and system resources • service failures and restarts • system startup and shutdown • transfer of data to and from external media • user or group management • use of special privileges. link 2
Azure_Security_Benchmark_v1.0 2.3 Azure_Security_Benchmark_v1.0_2.3 Azure Security Benchmark 2.3 Logging and Monitoring Enable audit logging for Azure resources Customer Enable Diagnostic Settings on Azure resources for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. How to collect platform logs and metrics with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings Understand logging and different log types in Azure: https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview n/a link 15
CCCS AU-12 CCCS_AU-12 CCCS AU-12 Audit and Accountability Audit Generation n/a (A) The information system provides audit record generation capability for the auditable events defined in AU-2 a. of all information system and network components where audit capability is deployed/available. (B) The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. (C) The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. link 7
CCCS AU-5 CCCS_AU-5 CCCS AU-5 Audit and Accountability Response to Audit Processing Failures n/a (A) The information system alerts organization-defined personnel or roles in the event of an audit processing failure; and (B) The information system overwrites the oldest audit records. link 4
CMMC_L3 AU.2.041 CMMC_L3_AU.2.041 CMMC L3 AU.2.041 Audit and Accountability Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). link 15
CMMC_L3 AU.2.042 CMMC_L3_AU.2.042 CMMC L3 AU.2.042 Audit and Accountability Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Shared Microsoft and the customer share responsibilities for implementing this requirement. An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. link 15
CMMC_L3 AU.3.046 CMMC_L3_AU.3.046 CMMC L3 AU.3.046 Audit and Accountability Alert in the event of an audit logging process failure. Shared Microsoft and the customer share responsibilities for implementing this requirement. Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both. link 7
CMMC_L3 AU.3.048 CMMC_L3_AU.3.048 CMMC L3 AU.3.048 Audit and Accountability Collect audit information (e.g., logs) into one or more central repositories. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations must aggregate and store audit logs in a central location to enable analysis activities and protect audit information. The repository should have the necessary infrastructure, capacity, and protection mechanisms to meet the organization’s audit requirements. link 8
CMMC_L3 AU.3.049 CMMC_L3_AU.3.049 CMMC L3 AU.3.049 Audit and Accountability Protect audit information and audit logging tools from unauthorized access, modification, and deletion. Shared Microsoft and the customer share responsibilities for implementing this requirement. Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements. link 2
hipaa 1210.09aa3System.3-09.aa hipaa-1210.09aa3System.3-09.aa 1210.09aa3System.3-09.aa 12 Audit Logging & Monitoring 1210.09aa3System.3-09.aa 09.10 Monitoring Shared n/a All disclosures of covered information within or outside of the organization are logged including type of disclosure, date/time of the event, recipient, and sender. 11
IRS_1075_9.3 .3.11 IRS_1075_9.3.3.11 IRS 1075 9.3.3.11 Awareness and Training Audit Generation (AU-12) n/a The information system must: a. Provide audit record generation capability for the auditable events defined in Section 9.3.3.2, Audit Events (AU-2) b. Allow designated agency officials to select which auditable events are to be audited by specific components of the information system c. Generate audit records for the events with the content defined in Section 9.3.3.4, Content of Audit Records (AU-3). link 7
IRS_1075_9.3 .3.5 IRS_1075_9.3.3.5 IRS 1075 9.3.3.5 Awareness and Training Response to Audit Processing Failures (AU-5) n/a The information system must: a. Alert designated agency officials in the event of an audit processing failure b. Monitor system operational status using operating system or system audit logs and verify functions and performance of the system. Logs shall be able to identify where system process failures have taken place and provide information relative to corrective actions to be taken by the system administrator c. Provide a warning when allocated audit record storage volume reaches a maximum audit record storage capacity (CE1) link 4
ISO27001-2013 A.12.4.1 ISO27001-2013_A.12.4.1 ISO 27001:2013 A.12.4.1 Operations Security Event Logging Shared n/a Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. link 53
ISO27001-2013 A.12.4.3 ISO27001-2013_A.12.4.3 ISO 27001:2013 A.12.4.3 Operations Security Administrator and operator logs Shared n/a System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. link 29
ISO27001-2013 A.12.4.4 ISO27001-2013_A.12.4.4 ISO 27001:2013 A.12.4.4 Operations Security Clock Synchronization Shared n/a The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source. link 8
PCI_DSS_V3.2.1 10.3 PCI_DSS_V3.2.1_10.3 404 not found n/a n/a 4
PCI_DSS_V3.2.1 10.5.4 PCI_DSS_v3.2.1_10.5.4 PCI DSS v3.2.1 10.5.4 Requirement 10 PCI DSS requirement 10.5.4 shared n/a n/a link 4
PCI_DSS_v4.0 10.2.2 PCI_DSS_v4.0_10.2.2 PCI DSS v4.0 10.2.2 Requirement 10: Log and Monitor All Access to System Components and Cardholder Data Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events Shared n/a Audit logs record the following details for each auditable event: • User identification. • Type of event. • Date and time. • Success and failure indication. • Origination of event. • Identity or name of affected data, system component, resource, or service (for example, name and protocol). link 5
PCI_DSS_v4.0 10.3.3 PCI_DSS_v4.0_10.3.3 PCI DSS v4.0 10.3.3 Requirement 10: Log and Monitor All Access to System Components and Cardholder Data Audit logs are protected from destruction and unauthorized modifications Shared n/a Audit log files, including those for externalfacing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify. link 5
RMiT_v1.0 10.66 RMiT_v1.0_10.66 RMiT 10.66 Security of Digital Services Security of Digital Services - 10.66 Shared n/a A financial institution must implement robust technology security controls in providing digital services which assure the following: (a) confidentiality and integrity of customer and counterparty information and transactions; (b) reliability of services delivered via channels and devices with minimum disruption to services; (c) proper authentication of users or devices and authorisation of transactions; (d) sufficient audit trail and monitoring of anomalous transactions; (e) ability to identify and revert to the recovery point prior to incident or service disruption; and (f) strong physical control and logical control measures link 32
UK_NCSC_CSP 13 UK_NCSC_CSP_13 UK NCSC CSP 13 Audit information for users Audit information for users Shared n/a You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales. link 3
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-10-05 16:36:28 change Major (1.1.0 > 2.0.0)
2022-01-07 18:14:35 change Minor (1.0.0 > 1.1.0)
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn
[Preview]: RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 Regulatory Compliance Preview BuiltIn
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87 Regulatory Compliance GA BuiltIn
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
PCI v3.2.1:2018 496eeda9-8f2f-4d5e-8dfd-204f0a92ed41 Regulatory Compliance GA BuiltIn
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e Regulatory Compliance GA BuiltIn
JSON
changes

JSON