Microsoft implements this Audit and Accountability control
Name/Id: ACF1133 / Microsoft Managed Control 1133 Category: Audit and Accountability Title: Protection Of Audit Information | Cryptographic Protection Ownership: Customer, Microsoft Description: The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools. Requirements: Azure cryptographically protects all audit log data stored within the Azure Storage accounts used for audit log retention as a native feature of Azure Storage. In addition, Kusto and Jarvis storage is read-only by design, and once logs are ingested and stored, cannot be altered or deleted in any way.
Audit tooling is protected in the same method as all other Azure code, via the code signing process as part of the Security Development Lifecycle (SDL) implementation and System Lockdown validation, currently operating in Audit Mode. System Lockdown alerts the affected Azure service team when unsigned code is installed and run within Azure. When Enforcement Mode is activated, System Lockdown will block unsigned code.
Rule resource types
IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups