Security Control: Logging and Monitoring

Security logging and monitoring focuses on activities related to enabling, acquiring, and storing audit logs for Azure services.

Microsoft maintains time sources for Azure resources, however, you have the option to manage the time synchronization settings for your compute resources.

• How to configure time synchronization for Azure Windows compute resources

• How to configure time synchronization for Azure Linux compute resources

Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. Within Azure Monitor, use Log Analytics Workspace(s) to query and perform analytics, and use Azure Storage Accounts for long-term/archival storage.

Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM.

• How to onboard Azure Sentinel

• How to collect platform logs and metrics with Azure Monitor

• How to collect Azure Virtual Machine internal host logs with Azure Monitor

• How to get started with Azure Monitor and third-party SIEM integration

Enable Diagnostic Settings on Azure resources for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

• How to collect platform logs and metrics with Azure Monitor

• Understand logging and different log types in Azure

If the compute resource is owned by Microsoft, then Microsoft is responsible for monitoring it. If the compute resource is owned by your organization, it's your responsibility to monitor it. You can use Azure Security Center to monitor the OS. Data collected by Security Center from the operating system includes OS type and version, OS (Windows Event Logs), running processes, machine name, IP addresses, and logged in user. The Log Analytics Agent also collects crash dump files.

• How to collect Azure Virtual Machine internal host logs with Azure Monitor

• Understand Azure Security Center data collection

Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.

• Change the data retention period in Log Analytics

• How to configure retention policy for Azure Storage account logs

Analyze and monitor logs for anomalous behavior and regularly review results. Use Azure Monitor's Log Analytics Workspace to review logs and perform queries on log data.

Alternatively, you may enable and on-board data to Azure Sentinel or a third party SIEM.

• How to onboard Azure Sentinel

• Understand Log Analytics Workspace

• How to perform custom queries in Azure Monitor

Use Azure Security Center with Log Analytics Workspace for monitoring and alerting on anomalous activity found in security logs and events.

Alternatively, you may enable and on-board data to Azure Sentinel.

• How to onboard Azure Sentinel

• How to manage alerts in Azure Security Center

• How to alert on log analytics log data

Enable antimalware event collection for Azure Virtual Machines and Cloud Services.

• Understand Microsoft Antimalware

Implement a third-party solution from Azure Marketplace for DNS logging solution as per your organizations need.

Use Microsoft Monitoring Agent on all supported Azure Windows virtual machines to log the process creation event and the CommandLine field. For supported Azure Linux Virtual machines, you can manually configure console logging on a per-node basis and use Syslog to store the data. Also, use Azure Monitor's Log Analytics workspace to review logs and perform queries on logged data from Azure Virtual machines.

• Data collection in Azure Security Center

• How to perform custom queries in Azure Monitor

• Syslog data sources in Azure Monitor

• See the next Security Control: Identity and Access Control