Security Control: Logging and Monitoring

Security logging and monitoring focuses on activities related to enabling, acquiring, and storing audit logs for Azure services.

2.1: Use approved time synchronization sources

| Azure ID | CIS IDs | Responsibility |
|----------|---------|----------------|
| 2.1 | 6.1 | Microsoft |

Microsoft maintains time sources for Azure resources; however, you have the option to manage the time synchronization settings for your own compute resources.

2.2: Configure central security log management

| Azure ID | CIS IDs | Responsibility |
|----------|---------|----------------|
| 2.2 | 6.5, 6.6 | Customer |

Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. Within Azure Monitor, use Log Analytics workspace(s) to query and perform analytics, and use Azure Storage accounts for long-term/archival storage.

Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM.

2.3: Enable audit logging for Azure resources

| Azure ID | CIS IDs | Responsibility |
|----------|---------|----------------|
| 2.3 | 6.2, 6.3 | Customer |

Enable Diagnostic Settings on Azure resources for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

2.4: Collect security logs from operating systems

| Azure ID | CIS IDs | Responsibility |
|----------|---------|----------------|
| 2.4 | 6.2, 6.3 | Customer |

If the compute resource is owned by Microsoft, then Microsoft is responsible for monitoring it. If the compute resource is owned by your organization, it is your responsibility to monitor it. You can use Azure Security Center to monitor the OS. Data collected by Security Center from the operating system includes OS type and version, OS logs (Windows Event Logs), running processes, machine name, IP addresses, and the logged-in user. The Log Analytics agent also collects crash dump files.

2.5: Configure security log storage retention

| Azure ID | CIS IDs | Responsibility |
|----------|---------|----------------|
| 2.5 | 6.4 | Customer |

Within Azure Monitor, set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage accounts for long-term/archival storage.

2.6: Monitor and review logs

| Azure ID | CIS IDs | Responsibility |
|----------|---------|----------------|
| 2.6 | 6.7 | Customer |

Analyze and monitor logs for anomalous behavior and regularly review the results. Use the Azure Monitor Log Analytics workspace to review logs and perform queries on log data.

2.7: Enable alerts for anomalous activities

| Azure ID | CIS IDs | Responsibility |
|----------|---------|----------------|
| 2.7 | 6.8 | Customer |

Use Azure Security Center with a Log Analytics workspace for monitoring and alerting on anomalous activity found in security logs and events.
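The three controls above (2.3 audit logging, 2.6 log review, 2.7 alerting on anomalous activity) come together once Activity Log records are being exported. The following is an added example, not code from this benchmark or from Microsoft: it parses a batch of Activity Log records in the JSON shape a Diagnostic Setting streams out, and applies three review rules that an analyst would otherwise run as workspace queries. The records, the `HIGH_IMPACT_OPERATIONS` list, the `KNOWN_EGRESS_RANGES` allowlist and the `<sub>` subscription placeholder are all constructed for the demo.

```python
"""Added example (not Microsoft's code): triage Azure Activity Log records
exported by a Diagnostic Setting. Sample records are constructed; the field
names (time, operationName, category, resultType, caller, callerIpAddress,
resourceId) follow the Activity Log JSON schema."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one JSON record per line, as a Log Analytics or
# storage-account export contains. <sub> is a placeholder subscription id.
SAMPLE_ACTIVITY_LOG = """\
{"time":"2024-03-01T08:00:00Z","operationName":"Microsoft.Compute/virtualMachines/write","category":"Administrative","resultType":"Success","caller":"alice@example.com","callerIpAddress":"203.0.113.10","resourceId":"/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"}
{"time":"2024-03-01T08:05:00Z","operationName":"Microsoft.Authorization/roleAssignments/write","category":"Administrative","resultType":"Success","caller":"bob@example.com","callerIpAddress":"198.51.100.7","resourceId":"/subscriptions/<sub>"}
{"time":"2024-03-01T08:06:00Z","operationName":"Microsoft.Storage/storageAccounts/listKeys/action","category":"Administrative","resultType":"Failure","caller":"bob@example.com","callerIpAddress":"198.51.100.7","resourceId":"/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1"}
{"time":"2024-03-01T08:07:00Z","operationName":"Microsoft.Storage/storageAccounts/listKeys/action","category":"Administrative","resultType":"Failure","caller":"bob@example.com","callerIpAddress":"198.51.100.7","resourceId":"/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1"}
{"time":"2024-03-01T08:08:00Z","operationName":"Microsoft.Storage/storageAccounts/listKeys/action","category":"Administrative","resultType":"Failure","caller":"bob@example.com","callerIpAddress":"198.51.100.7","resourceId":"/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1"}
{"time":"2024-03-01T08:10:00Z","operationName":"Microsoft.Network/networkSecurityGroups/securityRules/write","category":"Administrative","resultType":"Success","caller":"alice@example.com","callerIpAddress":"203.0.113.10","resourceId":"/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg1/securityRules/allow-rdp"}
{"time":"2024-03-01T09:30:00Z","operationName":"Microsoft.Compute/virtualMachines/read","category":"Administrative","resultType":"Success","caller":"alice@example.com","callerIpAddress":"192.0.2.50","resourceId":"/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"}
"""

# Constructed policy inputs: control-plane operations that always get reviewed,
# and the organisation's known egress ranges (assumption for the demo).
HIGH_IMPACT_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Insights/diagnosticSettings/delete",
}
KNOWN_EGRESS_RANGES = ("203.0.113.0/24",)


def parse_time(ts):
    # Activity Log timestamps are ISO 8601 UTC with a trailing Z; older
    # Pythons need an explicit offset for fromisoformat().
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_activity_log(text):
    """Parse newline-delimited JSON records, attaching a parsed timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_time"] = parse_time(rec["time"])
        records.append(rec)
    return records


def find_anomalies(records, known_networks, failure_threshold=3, window_minutes=10):
    """Return review findings: high-impact operations, callers acting from
    unknown source IPs, and bursts of failed operations by one caller."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    findings, seen_sources = [], set()
    failures = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["_time"]):
        caller, ip = rec.get("caller", "?"), rec.get("callerIpAddress", "")
        if rec["operationName"] in HIGH_IMPACT_OPERATIONS:
            findings.append({"rule": "high_impact_operation", "caller": caller,
                             "time": rec["time"], "detail": rec["operationName"]})
        try:
            known = any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:  # missing or non-IP caller address (service calls)
            known = False
        if not known and (caller, ip) not in seen_sources:
            seen_sources.add((caller, ip))  # report each caller/IP pair once
            findings.append({"rule": "unknown_source_ip", "caller": caller,
                             "time": rec["time"], "detail": ip})
        if rec.get("resultType") == "Failure":
            failures[caller].append(rec["_time"])
    window = timedelta(minutes=window_minutes)
    for caller, times in failures.items():
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= failure_threshold:
                findings.append({"rule": "failure_burst", "caller": caller,
                                 "time": start.isoformat(),
                                 "detail": f"{len(in_window)} failures within {window_minutes} min"})
                break  # one finding per caller is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_activity_log(SAMPLE_ACTIVITY_LOG), KNOWN_EGRESS_RANGES):
        print(f"{f['time']}  {f['rule']:<22} {f['caller']:<20} {f['detail']}")
```

On the constructed sample this yields five findings: two high-impact writes (the role assignment and the NSG rule), two caller/IP pairs outside the allowlisted range, and one burst of three failed `listKeys` calls by the same caller. The same three rules translate directly into scheduled Log Analytics queries, which is where an alert rule for control 2.7 would attach.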

2.8: Centralize anti-malware logging

| Azure ID | CIS IDs | Responsibility |
|----------|---------|----------------|
| 2.8 | 8.6 | Customer |

Enable antimalware event collection for Azure Virtual Machines and Cloud Services.

2.9: Enable DNS query logging

| Azure ID | CIS IDs | Responsibility |
|----------|---------|----------------|
| 2.9 | 8.7 | Customer |

Implement a third-party DNS logging solution from Azure Marketplace according to your organization's needs.

2.10: Enable command-line audit logging

| Azure ID | CIS IDs | Responsibility |
|----------|---------|----------------|
| 2.10 | 8.8 | Customer |

Use the Microsoft Monitoring Agent on all supported Azure Windows virtual machines to log the process creation event and the CommandLine field. For supported Azure Linux virtual machines, you can manually configure console logging on a per-node basis and use Syslog to store the data. Also, use the Azure Monitor Log Analytics workspace to review logs and perform queries on the data logged from Azure virtual machines.
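Once process-creation events with the CommandLine field reach the workspace, the review step is what gives control 2.10 its value. The following is an added example, not code from this benchmark or from Microsoft: it walks Windows process-creation records (Security event ID 4688) and applies two review rules that need the command line, decoding a `-EncodedCommand` payload so an analyst sees the real command, and flagging a script interpreter launched by an Office application. The records are constructed and modelled on a subset of the Log Analytics `SecurityEvent` columns (`Computer`, `Account`, `NewProcessName`, `ParentProcessName`, `CommandLine`); the encoded payload is generated inside the block so the sample decodes to a known value.

```python
"""Added example (not Microsoft's code): review Windows process-creation events
(Security event ID 4688) that carry the CommandLine field. Records below are
constructed, modelled on SecurityEvent table columns (assumption)."""
import base64
import ntpath

# Constructed payload so the sample decodes to a known, benign command.
_SAMPLE_ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode("ascii")

# Constructed sample rows: a service start, an encoded PowerShell launch, a
# shell spawned by Word, a plain PowerShell launch, and a logon event (4624)
# that has no CommandLine and must be skipped.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "vm1", "Account": "NT AUTHORITY\\SYSTEM",
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 4688, "Computer": "vm1", "Account": "CORP\\alice",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": f"powershell.exe -NoProfile -EncodedCommand {_SAMPLE_ENCODED}"},
    {"EventID": 4688, "Computer": "vm2", "Account": "CORP\\bob",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "cmd.exe /c \"echo test\""},
    {"EventID": 4688, "Computer": "vm2", "Account": "CORP\\bob",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
    {"EventID": 4624, "Computer": "vm1", "Account": "CORP\\alice"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
ENCODED_FLAGS = {"e", "ec", "enc", "encodedcommand"}


def _basename(path):
    # Event paths are Windows paths; ntpath handles them on any host.
    return ntpath.basename(path).lower()


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (PowerShell encodes it as
    base64 of UTF-16LE), "<undecodable>" if the flag is present but the
    payload is malformed, or None when no encoded-command flag is present."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        # PowerShell accepts unambiguous prefixes such as -enc or -encod.
        if flag in ENCODED_FLAGS or (flag.startswith("enc") and "encodedcommand".startswith(flag)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
                return "<undecodable>"
    return None


def audit_process_events(events):
    """Apply the two review rules to 4688 records; return a finding per hit."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue  # only process-creation events carry CommandLine
        proc = _basename(ev["NewProcessName"])
        parent = _basename(ev.get("ParentProcessName", ""))
        cmd = ev.get("CommandLine", "")
        base = {"computer": ev["Computer"], "account": ev["Account"]}
        if proc in POWERSHELL:
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append({**base, "rule": "encoded_powershell", "detail": decoded})
        if parent in OFFICE_PARENTS and proc in INTERPRETERS:
            findings.append({**base, "rule": "office_spawned_interpreter",
                             "detail": f"{parent} -> {cmd}"})
    return findings


if __name__ == "__main__":
    for f in audit_process_events(SAMPLE_EVENTS):
        print(f"{f['computer']}  {f['account']:<20} {f['rule']:<28} {f['detail']}")
```

Both rules depend on the CommandLine and parent-process fields that the control asks you to collect; without them the encoded launch and the plain `-Command` launch are indistinguishable in a 4688 record. The decode step is there so reviewers can read what was actually run, which is what makes the stored command line worth querying in the workspace.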

Next steps