The following 3 compliance controls are associated with this Policy definition 'SQL Auditing settings should have Action-Groups configured to capture critical activities' (7ff426e2-515f-405a-91c8-4f2333442eb5)
Enable Diagnostic Settings on Azure resources for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
How to collect platform logs and metrics with Azure Monitor:
Understand logging and different log types in Azure:
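As an added example (not code from this page, from Azure Policy or from Microsoft), the following Python applies the kind of check the policy named above performs: given the auditing settings of a SQL server, it reports which audit action groups are missing or whether auditing is disabled entirely, so a defender can see why a server is flagged non-compliant before turning on diagnostic settings. The three group names, the resource shape (a `properties` dict with `state` and `auditActionsAndGroups`) and the sample servers are assumptions constructed for this example; the page does not enumerate them.

```python
"""Evaluate SQL server auditing settings for required action groups.

Added example, not the page's or Microsoft's code. It mimics the check a
policy like 'SQL Auditing settings should have Action-Groups configured to
capture critical activities' performs, using constructed sample resources.
"""
from typing import Iterable

# ASSUMPTION: the audit action groups this check treats as mandatory.
# The page itself does not list them.
REQUIRED_GROUPS = frozenset({
    "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
    "FAILED_DATABASE_AUTHENTICATION_GROUP",
    "BATCH_COMPLETED_GROUP",
})


def missing_action_groups(auditing_settings: dict) -> list[str]:
    """Return the required groups absent from one auditingSettings resource.

    ASSUMED shape: {"properties": {"state": "Enabled",
                                   "auditActionsAndGroups": [...]}}.
    Disabled auditing captures nothing, so every group is reported missing.
    """
    props = auditing_settings.get("properties", {})
    if props.get("state", "Disabled").lower() != "enabled":
        return sorted(REQUIRED_GROUPS)
    # Group names are compared case-insensitively; the list may be absent.
    configured = {g.upper() for g in props.get("auditActionsAndGroups") or []}
    return sorted(REQUIRED_GROUPS - configured)


def evaluate(resources: Iterable[dict]) -> dict[str, list[str]]:
    """Map each server name to its missing groups (empty list = compliant)."""
    return {r["name"]: missing_action_groups(r) for r in resources}


# Constructed sample: one compliant server, one with a partial group list,
# and one with auditing disabled.
SAMPLE_RESOURCES = [
    {"name": "sql-prod-01", "properties": {
        "state": "Enabled",
        "auditActionsAndGroups": [
            "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
            "FAILED_DATABASE_AUTHENTICATION_GROUP",
            "BATCH_COMPLETED_GROUP",
        ]}},
    {"name": "sql-dev-02", "properties": {
        "state": "Enabled",
        "auditActionsAndGroups": ["BATCH_COMPLETED_GROUP"]}},
    {"name": "sql-legacy-03", "properties": {
        "state": "Disabled",
        "auditActionsAndGroups": []}},
]

if __name__ == "__main__":
    for name, missing in evaluate(SAMPLE_RESOURCES).items():
        if missing:
            print(f"{name}: non-compliant, missing {', '.join(missing)}")
        else:
            print(f"{name}: compliant")
```

Feeding the function the real auditing settings returned for each server (rather than the constructed sample) turns this into a quick inventory of which servers would fail the policy and why, and the disabled-state branch makes sure a server with auditing switched off is never mistaken for one that merely lacks a group.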
The SOC must be able to perform the following functions:
(a) log collection and the implementation of an event correlation engine with parameter-driven use cases such as Security Information and Event Management (SIEM);
(b) incident coordination and response;
(c) vulnerability management;
(d) threat hunting;
(e) remediation functions including the ability to perform forensic artifact handling, malware and implant analysis; and
(f) provision of situational awareness to detect adversaries and threats including threat intelligence analysis and operations, and monitoring indicators of compromise (IOC). This includes advanced behavioural analysis to detect signature-less and file-less malware and to identify anomalies that may pose security threats including at endpoints and network layers.