Az Policy Advertizer

Azure_Security_Benchmark_v3.0

LT-5

Azure_Security_Benchmark_v3.0_LT-5

Microsoft cloud security benchmark LT-5

Logging and Threat Detection

Centralize security log management and analysis

Shared

**Security Principle:** Centralize logging storage and analysis to enable correlation across log data. For each log source, ensure that you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements. **Azure Guidance:** Ensure that you are integrating Azure activity logs into a centralized Log Analytics workspace. Use Azure Monitor to query and perform analytics and create alert rules using the logs aggregated from Azure services, endpoint devices, network resources, and other security systems. In addition, enable and onboard data to Azure Sentinel which provides the security information event management (SIEM) and security orchestration automated response (SOAR) capability. **Implementation and additional context:** How to collect platform logs and metrics with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings How to onboard Azure Sentinel: https://docs.microsoft.com/azure/sentinel/quickstart-onboard

n/a

AU.L2-3.3.1

CMMC_2.0_L2_AU.L2-3.3.1

404 not found

n/a

AU.L2-3.3.2

CMMC_2.0_L2_AU.L2-3.3.2

404 not found

n/a

SI.L2-3.14.6

CMMC_2.0_L2_SI.L2-3.14.6

404 not found

n/a

SI.L2-3.14.7

CMMC_2.0_L2_SI.L2-3.14.7

404 not found

n/a

DORA_2022_2554

10.1

DORA_2022_2554_10.1

DORA 2022 2554 10.1

Implement Mechanisms to Detect Anomalous Activities in ICT Systems

Shared

n/a

Establish mechanisms to detect anomalous activities within information and communication technology (ICT) systems, including network performance issues and ICT-related incidents. Additionally, identify potential material single points of failure to enhance overall system resilience and response capabilities.

DORA_2022_2554

10.2

DORA_2022_2554_10.2

DORA 2022 2554 10.2

Establish Multi-Layered Detection Mechanisms for ICT Incidents

Shared

n/a

Implement detection mechanisms that provide multiple layers of control, defining alert thresholds and criteria to trigger information and communication technology (ICT) related incident response processes. This includes automated alert mechanisms to notify resources managing ICT-related incidents.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

306

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

306

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

306

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

306

AU-12

FedRAMP_High_R4_AU-12

FedRAMP High AU-12

Audit And Accountability

Audit Generation

Shared

n/a

The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3. Supplemental Guidance: Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. References: None.

AU-12(1)

FedRAMP_High_R4_AU-12(1)

FedRAMP High AU-12 (1)

Audit And Accountability

System-Wide / Time-Correlated Audit Trail

Shared

n/a

The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time- correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail]. Supplemental Guidance: Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12.

AU-6(4)

FedRAMP_High_R4_AU-6(4)

FedRAMP High AU-6 (4)

Audit And Accountability

Central Review And Analysis

Shared

n/a

The information system provides the capability to centrally review and analyze audit records from multiple components within the system. Supplemental Guidance: Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. Related controls: AU-2, AU-12.

AU-6(5)

FedRAMP_High_R4_AU-6(5)

FedRAMP High AU-6 (5)

Audit And Accountability

Integration / Scanning And Monitoring Capabilities

Shared

n/a

The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. Supplemental Guidance: This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations. Related controls: AU-12, IR-4, RA-5.

SI-4

FedRAMP_High_R4_SI-4

FedRAMP High SI-4

System And Information Integrity

Information System Monitoring

Shared

n/a

The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization- defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization- defined techniques and methods]; c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: or ganization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. Supplemental Guidance: Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. References: NIST Special Publications 800-61, 800-83, 800-92, 800-94, 800-137.

FedRAMP_Moderate_R4_AU-12

FedRAMP_Moderate_R4

AU-12

FedRAMP Moderate AU-12

Audit And Accountability

Audit Generation

Shared

n/a

FedRAMP_Moderate_R4

SI-4

FedRAMP_Moderate_R4_SI-4

FedRAMP Moderate SI-4

System And Information Integrity

Information System Monitoring

Shared

n/a

2.10.1

K_ISMS_P_2018_2.10.1

K ISMS P 2018 2.10.1

2.10

Establish Procedures for Managing the Security of System Operations

Shared

n/a

Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions.

455

2.10.2

K_ISMS_P_2018_2.10.2

K ISMS P 2018 2.10.2

2.10

Establish Protective Measures for Administrator Privileges and Security Configurations

Shared

n/a

Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations.

431

2.11.1

K_ISMS_P_2018_2.11.1

K ISMS P 2018 2.11.1

2.11

Establish Procedures for Managing Internal and External Intrusion Attempts

Shared

n/a

Establish procedures for detecting, analyzing, sharing, and effectively responding to internal and external intrusion attempts to prevent personal information leakage. Additionally, implement a framework for collaboration with relevant external agencies and experts.

2.11.3

K_ISMS_P_2018_2.11.3

K ISMS P 2018 2.11.3

2.11

Collect, Monitor, and Analyze Data and Network Traffic

Shared

n/a

Collect, monitor, and analyze data and network traffic to respond to internal or external infringement attempts in a timely manner.

2.11.5

K_ISMS_P_2018_2.11.5

K ISMS P 2018 2.11.5

2.11

Establish Procedures to Respond and Recover from Incidents

Shared

n/a

Establish procedures to respond and recover from incidents in a timely manner, including legal obligations for disclosing information. Additional procedures must be established and implemented to prevent recurrence.

2.9.2a

K_ISMS_P_2018_2.9.2a

K ISMS P 2018 2.9.2a

2.9.2a

Establish Procedures for Information System Failures

Shared

n/a

Establish procedures to detect, record, analyze, report, and respond to information system failures.

2.9.4

K_ISMS_P_2018_2.9.4

K ISMS P 2018 2.9.4

2.9

Maintain Logs and Establish Log Management Procedures

Shared

n/a

Maintain log records for servers, applications, security systems, and networks. Define log types, access permissions, retention periods, and storage methods to ensure secure retention and prevent forgery, alteration, theft, and loss.

NIST_SP_800-171_R2_3.14.6

.14.6

NIST SP 800-171 R2 3.14.6

System and Information Integrity

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. [SP 800-94] provides guidance on intrusion detection and prevention systems.

NIST_SP_800-171_R2_3.14.7

.14.7

NIST SP 800-171 R2 3.14.7

System and Information Integrity

Identify unauthorized use of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. [SP 800-94] provides guidance on intrusion detection and prevention systems.

.3.1

NIST_SP_800-171_R2_3.3.1

NIST SP 800-171 R2 3.3.1

Audit and Accountability

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. [SP 800-92] provides guidance on security log management.

.3.2

NIST_SP_800-171_R2_3.3.2

NIST SP 800-171 R2 3.3.2

Audit and Accountability

Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).

AU-12

NIST_SP_800-53_R4_AU-12

NIST SP 800-53 Rev. 4 AU-12

Audit And Accountability

Audit Generation

Shared

n/a

NIST_SP_800-53_R4_AU-12(1)

AU-12(1)

NIST SP 800-53 Rev. 4 AU-12 (1)

Audit And Accountability

System-Wide / Time-Correlated Audit Trail

Shared

n/a

NIST_SP_800-53_R4_AU-6(4)

AU-6(4)

NIST SP 800-53 Rev. 4 AU-6 (4)

Audit And Accountability

Central Review And Analysis

Shared

n/a

NIST_SP_800-53_R4_AU-6(5)

AU-6(5)

NIST SP 800-53 Rev. 4 AU-6 (5)

Audit And Accountability

Integration / Scanning And Monitoring Capabilities

Shared

n/a

SI-4

NIST_SP_800-53_R4_SI-4

NIST SP 800-53 Rev. 4 SI-4

System And Information Integrity

Information System Monitoring

Shared

n/a

AU-12

NIST_SP_800-53_R5_AU-12

NIST SP 800-53 Rev. 5 AU-12

Audit and Accountability

Audit Record Generation

Shared

n/a

a. Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3).

NIST_SP_800-53_R5_AU-12(1)

AU-12(1)

NIST SP 800-53 Rev. 5 AU-12 (1)

Audit and Accountability

System-wide and Time-correlated Audit Trail

Shared

n/a

Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].

NIST_SP_800-53_R5_AU-6(4)

AU-6(4)

NIST SP 800-53 Rev. 5 AU-6 (4)

Audit and Accountability

Central Review and Analysis

Shared

n/a

Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.

NIST_SP_800-53_R5_AU-6(5)

AU-6(5)

NIST SP 800-53 Rev. 5 AU-6 (5)

Audit and Accountability

Integrated Analysis of Audit Records

Shared

n/a

Integrate analysis of audit records with analysis of [Selection (OneOrMore): vulnerability scanning information;performance data;system monitoring information; [Assignment: organization-defined data/information collected from other sources] ] to further enhance the ability to identify inappropriate or unusual activity.

SI-4

NIST_SP_800-53_R5_SI-4

NIST SP 800-53 Rev. 5 SI-4

System and Information Integrity

System Monitoring

Shared

n/a

a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (OneOrMore): as needed; [Assignment: organization-defined frequency] ] .