| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v1.0 |
2.2 |
Azure_Security_Benchmark_v1.0_2.2 |
Azure Security Benchmark 2.2 |
Logging and Monitoring |
Configure central security log management |
Customer |
Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. Within Azure Monitor, use Log Analytics Workspace(s) to query and perform analytics, and use Azure Storage Accounts for long-term/archival storage.
Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM. How to onboard Azure Sentinel:
https://docs.microsoft.com/azure/sentinel/quickstart-onboard
How to collect platform logs and metrics with Azure Monitor:
https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings
How to collect Azure Virtual Machine internal host logs with Azure Monitor:
https://docs.microsoft.com/azure/azure-monitor/learn/quick-collect-azurevm
How to get started with Azure Monitor and third-party SIEM integration:
https://azure.microsoft.com/blog/use-azure-monitor-to-integrate-with-siem-tools/ |
n/a |
link |
6 |
| Azure_Security_Benchmark_v1.0 |
2.4 |
Azure_Security_Benchmark_v1.0_2.4 |
Azure Security Benchmark 2.4 |
Logging and Monitoring |
Collect security logs from operating systems |
Customer |
If the compute resource is owned by Microsoft, then Microsoft is responsible for monitoring it. If the compute resource is owned by your organization, it's your responsibility to monitor it. You can use Azure Security Center to monitor the OS. Data collected by Security Center from the operating system includes OS type and version, OS (Windows Event Logs), running processes, machine name, IP addresses, and logged in user. The Log Analytics Agent also collects crash dump files.
How to collect Azure Virtual Machine internal host logs with Azure Monitor:
https://docs.microsoft.com/azure/azure-monitor/learn/quick-collect-azurevm
Understand Azure Security Center data collection:
https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection |
n/a |
link |
4 |
| CMMC_2.0_L2 |
AU.L2-3.3.1 |
CMMC_2.0_L2_AU.L2-3.3.1 |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
| CMMC_2.0_L2 |
AU.L2-3.3.2 |
CMMC_2.0_L2_AU.L2-3.3.2 |
404 not found |
|
|
|
n/a |
n/a |
|
38 |
| CMMC_L3 |
AU.2.041 |
CMMC_L3_AU.2.041 |
CMMC L3 AU.2.041 |
Audit and Accountability |
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). |
link |
15 |
| CMMC_L3 |
AU.2.042 |
CMMC_L3_AU.2.042 |
CMMC L3 AU.2.042 |
Audit and Accountability |
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance.
Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures.
Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred).
Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. |
link |
15 |
| CMMC_L3 |
AU.3.048 |
CMMC_L3_AU.3.048 |
CMMC L3 AU.3.048 |
Audit and Accountability |
Collect audit information (e.g., logs) into one or more central repositories. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations must aggregate and store audit logs in a central location to enable analysis activities and protect audit information. The repository should have the necessary infrastructure, capacity, and protection mechanisms to meet the organization’s audit requirements. |
link |
8 |
| hipaa |
12101.09ab1Organizational.3-09.ab |
hipaa-12101.09ab1Organizational.3-09.ab |
12101.09ab1Organizational.3-09.ab |
12 Audit Logging & Monitoring |
12101.09ab1Organizational.3-09.ab 09.10 Monitoring |
Shared |
n/a |
The organization specifies how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. |
|
18 |
| hipaa |
1216.09ab3System.12-09.ab |
hipaa-1216.09ab3System.12-09.ab |
1216.09ab3System.12-09.ab |
12 Audit Logging & Monitoring |
1216.09ab3System.12-09.ab 09.10 Monitoring |
Shared |
n/a |
Automated systems are used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis, and identify and document anomalies. |
|
20 |
| NIST_SP_800-171_R2_3 |
.3.1 |
NIST_SP_800-171_R2_3.3.1 |
NIST SP 800-171 R2 3.3.1 |
Audit and Accountability |
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. [SP 800-92] provides guidance on security log management. |
link |
55 |
| NIST_SP_800-171_R2_3 |
.3.2 |
NIST_SP_800-171_R2_3.3.2 |
NIST SP 800-171 R2 3.3.2 |
Audit and Accountability |
Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). |
link |
41 |
| RBI_ITF_NBFC_v2017 |
3.1.g |
RBI_ITF_NBFC_v2017_3.1.g |
RBI IT Framework 3.1.g |
Information and Cyber Security |
Trails-3.1 |
|
n/a |
The IS Policy must provide for a IS framework with the following basic tenets:
Trails- NBFCs shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail. |
link |
40 |
| RMiT_v1.0 |
10.66 |
RMiT_v1.0_10.66 |
RMiT 10.66 |
Security of Digital Services |
Security of Digital Services - 10.66 |
Shared |
n/a |
A financial institution must implement robust technology security controls in providing digital services which assure the following:
(a) confidentiality and integrity of customer and counterparty information and transactions;
(b) reliability of services delivered via channels and devices with minimum disruption to services;
(c) proper authentication of users or devices and authorisation of transactions;
(d) sufficient audit trail and monitoring of anomalous transactions;
(e) ability to identify and revert to the recovery point prior to incident or service disruption; and
(f) strong physical control and logical control measures |
link |
32 |
| SWIFT_CSCF_v2021 |
6.4 |
SWIFT_CSCF_v2021_6.4 |
SWIFT CSCF v2021 6.4 |
Detect Anomalous Activity to Systems or Transaction Records |
Logging and Monitoring |
|
n/a |
Record security events and detect anomalous actions and operations within the local SWIFT environment. |
link |
35 |
| SWIFT_CSCF_v2022 |
6.4 |
SWIFT_CSCF_v2022_6.4 |
SWIFT CSCF v2022 6.4 |
6. Detect Anomalous Activity to Systems or Transaction Records |
Record security events and detect anomalous actions and operations within the local SWIFT environment. |
Shared |
n/a |
Capabilities to detect anomalous activity are implemented, and a process or tool is in place to keep and review logs. |
link |
53 |