Microsoft implements this System and Information Integrity control
Name/Id: ACF1701 / Microsoft Managed Control 1701
Category: System and Information Integrity
Title: Information System Monitoring | Host-Based Devices
Ownership: Customer, Microsoft
Description: The organization implements Windows Event Logging at all hosts.
Requirements: All hosts within Azure have event logging enabled. If this functionality is turned off or fails, an alert is generated through Geneva Monitoring and the alert is investigated as a security incident. Each asset is configured with an Event Forwarding Tool, which sends audit records to the Security Information and Event Management (SIEM) tool via an event collection infrastructure that also archives security events within the environment. This event forwarding occurs in real time for the interconnected system. Additionally, anti-virus software is configured to scan incoming files in real time and quarantine them if they are determined to be malicious. Alerts from clients are logged in the anti-virus software database, and alerts for malware-related events are sent in near real time to the Security Response Team in three ways: alerts/tickets, e-mails to the Security Response Team, and a feed to the SIEM tool.
Azure Security Pack (AzSecPack) monitors network communication, correlated with network logs, and in-memory lateral movement during post-exploitation for all deployment types. It does this through Process Investigation, which is exposed externally as the Fileless Attack detections in Azure Security Center, and through the Network Risk Management (NRM) service. AzSecPack is enabled automatically on applicable Azure assets through a centrally managed configuration. Assets on which AzSecPack is missing are detected by Azure Security Monitoring (ASM).
Rule resource types
IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups