compliance controls are associated with this Policy definition 'Govern and monitor audit processing activities' (333b4ada-4a02-0648-3d4d-d812974f1bb2)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CIS_Azure_1.1.0 |
4.18 |
CIS_Azure_1.1.0_4.18 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.18 |
4 Database Services |
Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'log_retention_days' on 'PostgreSQL Servers'. |
link |
4 |
| CIS_Azure_1.1.0 |
4.3 |
CIS_Azure_1.1.0_4.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3 |
4 Database Services |
Ensure that 'Auditing' Retention is 'greater than 90 days' |
Shared |
The customer is responsible for implementing this recommendation. |
SQL Server Audit Retention should be configured to be greater than 90 days. |
link |
5 |
| CIS_Azure_1.1.0 |
5.1.1 |
CIS_Azure_1.1.0_5.1.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1 |
5 Logging and Monitoring |
Ensure that a Log Profile exists |
Shared |
The customer is responsible for implementing this recommendation. |
Enable log profile for exporting activity logs. |
link |
5 |
| CIS_Azure_1.1.0 |
5.1.3 |
CIS_Azure_1.1.0_5.1.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 |
5 Logging and Monitoring |
Ensure audit profile captures all the activities |
Shared |
The customer is responsible for implementing this recommendation. |
The log profile should be configured to export all activities from the control/management plane. |
link |
5 |
| CIS_Azure_1.1.0 |
5.1.4 |
CIS_Azure_1.1.0_5.1.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 |
5 Logging and Monitoring |
Ensure the log profile captures activity logs for all regions including global |
Shared |
The customer is responsible for implementing this recommendation. |
Configure the log profile to export activities from all Azure supported regions/locations including global. |
link |
5 |
| CIS_Azure_1.3.0 |
4.1.3 |
CIS_Azure_1.3.0_4.1.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3 |
4 Database Services |
Ensure that 'Auditing' Retention is 'greater than 90 days' |
Shared |
The customer is responsible for implementing this recommendation. |
SQL Server Audit Retention should be configured to be greater than 90 days. |
link |
5 |
| CIS_Azure_1.3.0 |
4.3.7 |
CIS_Azure_1.3.0_4.3.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7 |
4 Database Services |
Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'log_retention_days' on 'PostgreSQL Servers'. |
link |
4 |
| CIS_Azure_1.3.0 |
5.3 |
CIS_Azure_1.3.0_5.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.3 |
5 Logging and Monitoring |
Ensure that Diagnostic Logs are enabled for all services which support it. |
Shared |
The customer is responsible for implementing this recommendation. |
Diagnostic Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself, for example, getting a secret from a Key Vault. Currently, 32 Azure resources support Diagnostic Logging (See the references section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps and CosmosDB. The content of these logs varies by resource type. For example, Windows event system logs are a category of diagnostics logs
for VMs, and blob, table, and queue logs are categories of diagnostics logs for storage accounts.
A number of back-end services were not configured to log and store Diagnostic Logs for certain activities or for a sufficient length. It is crucial that logging systems are correctly configured to log all relevant activities and retain those logs for a sufficient length of time. By default, Diagnostic Logs are not enabled. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.
Note: The CIS Benchmark covers some specific Diagnostic Logs
separately.
'''
3.3 - Ensure Storage logging is enabled for Queue service for read, write, and delete requests
6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
''' |
link |
20 |
| CIS_Azure_1.4.0 |
4.1.3 |
CIS_Azure_1.4.0_4.1.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3 |
4 Database Services |
Ensure that 'Auditing' Retention is 'greater than 90 days' |
Shared |
The customer is responsible for implementing this recommendation. |
SQL Server Audit Retention should be configured to be greater than 90 days. |
link |
5 |
| CIS_Azure_1.4.0 |
4.3.6 |
CIS_Azure_1.4.0_4.3.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.6 |
4 Database Services |
Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'log_retention_days' on 'PostgreSQL Servers'. |
link |
4 |
| CIS_Azure_1.4.0 |
5.3 |
CIS_Azure_1.4.0_5.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.3 |
5 Logging and Monitoring |
Ensure that Diagnostic Logs Are Enabled for All Services that Support it. |
Shared |
The customer is responsible for implementing this recommendation. |
Diagnostic Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself, for example, getting a secret from a Key Vault. Currently, 32 Azure resources support Diagnostic Logging (See the references section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps and CosmosDB. The content of these logs varies by resource type. For example, Windows event system logs are a category of diagnostics logs
for VMs, and blob, table, and queue logs are categories of diagnostics logs for storage accounts.
A number of back-end services were not configured to log and store Diagnostic Logs for certain activities or for a sufficient length. It is crucial that logging systems are correctly configured to log all relevant activities and retain those logs for a sufficient length of time. By default, Diagnostic Logs are not enabled. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.
Note: The CIS Benchmark covers some specific Diagnostic Logs
separately.
'''
3.3 - Ensure Storage logging is enabled for Queue service for read, write, and delete requests
6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
''' |
link |
20 |
| CIS_Azure_2.0.0 |
4.1.6 |
CIS_Azure_2.0.0_4.1.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.1.6 |
4.1 |
Ensure that 'Auditing' Retention is 'greater than 90 days' |
Shared |
n/a |
SQL Server Audit Retention should be configured to be greater than 90 days.
Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access. |
link |
5 |
| CIS_Azure_2.0.0 |
4.3.6 |
CIS_Azure_2.0.0_4.3.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.6 |
4.3 |
Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server |
Shared |
Configuring this setting will result in logs being retained for the specified number of days. If this is configured on a high traffic server, the log may grow quickly to occupy a large amount of disk space. In this case you may want to set this to a lower number. |
Ensure `log_retention_days` on `PostgreSQL Servers` is set to an appropriate value.
Configuring `log_retention_days` determines the duration in days that `Azure Database for PostgreSQL` retains log files. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance. |
link |
4 |
| CIS_Azure_2.0.0 |
5.4 |
CIS_Azure_2.0.0_5.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.4 |
5 |
Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it |
Shared |
Costs for monitoring varies with Log Volume. Not every resource needs to have logging enabled. It is important to determine the security classification of the data being processed by the given resource and adjust the logging based on which events need to be tracked. This is typically determined by governance and compliance requirements. |
Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type.
A number of back-end services were not configured to log and store Resource Logs for certain activities or for a sufficient length. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.
A lack of monitoring reduces the visibility into the data plane, and therefore an organization's ability to detect reconnaissance, authorization attempts or other malicious activity. Unlike Activity Logs, Resource Logs are not enabled by default. Specifically, without monitoring it would be impossible to tell which entities had accessed a data store that was breached. In addition, alerts for failed attempts to access APIs for Web Services or Databases are only possible when logging is enabled. |
link |
20 |
| FedRAMP_High_R4 |
AU-4 |
FedRAMP_High_R4_AU-4 |
FedRAMP High AU-4 |
Audit And Accountability |
Audit Storage Capacity |
Shared |
n/a |
The organization allocates audit record storage capacity in accordance with [Assignment:
organization-defined audit record storage requirements].
Supplemental Guidance: Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability. Related controls: AU-2, AU-5, AU-6, AU-7, AU-11, SI-4.
References: None. |
link |
1 |
| FedRAMP_High_R4 |
AU-5 |
FedRAMP_High_R4_AU-5 |
FedRAMP High AU-5 |
Audit And Accountability |
Response To Audit Processing Failures |
Shared |
n/a |
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Supplemental Guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12.
References: None. |
link |
1 |
| FedRAMP_Moderate_R4 |
AU-4 |
FedRAMP_Moderate_R4_AU-4 |
FedRAMP Moderate AU-4 |
Audit And Accountability |
Audit Storage Capacity |
Shared |
n/a |
The organization allocates audit record storage capacity in accordance with [Assignment:
organization-defined audit record storage requirements].
Supplemental Guidance: Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability. Related controls: AU-2, AU-5, AU-6, AU-7, AU-11, SI-4.
References: None. |
link |
1 |
| FedRAMP_Moderate_R4 |
AU-5 |
FedRAMP_Moderate_R4_AU-5 |
FedRAMP Moderate AU-5 |
Audit And Accountability |
Response To Audit Processing Failures |
Shared |
n/a |
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Supplemental Guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12.
References: None. |
link |
1 |
| hipaa |
0202.09j1Organizational.3-09.j |
hipaa-0202.09j1Organizational.3-09.j |
0202.09j1Organizational.3-09.j |
02 Endpoint Protection |
0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Audit logs of the scans are maintained. |
|
15 |
| hipaa |
0947.09y2Organizational.2-09.y |
hipaa-0947.09y2Organizational.2-09.y |
0947.09y2Organizational.2-09.y |
09 Transmission Protection |
0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services |
Shared |
n/a |
The organization ensures the storage of the transaction details are located outside of any publicly accessible environments (e.g., on a storage platform existing on the organization's intranet) and not retained and exposed on a storage medium directly accessible from the Internet. |
|
11 |
| hipaa |
1207.09aa2System.4-09.aa |
hipaa-1207.09aa2System.4-09.aa |
1207.09aa2System.4-09.aa |
12 Audit Logging & Monitoring |
1207.09aa2System.4-09.aa 09.10 Monitoring |
Shared |
n/a |
Audit records are retained for 90 days and older audit records are archived for one year. |
|
13 |
| ISO27001-2013 |
A.12.1.3 |
ISO27001-2013_A.12.1.3 |
ISO 27001:2013 A.12.1.3 |
Operations Security |
Capacity management |
Shared |
n/a |
The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance. |
link |
2 |
|
mp.s.4 Protection against denial of service |
mp.s.4 Protection against denial of service |
404 not found |
|
|
|
n/a |
n/a |
|
7 |
| NIST_SP_800-171_R2_3 |
.3.4 |
NIST_SP_800-171_R2_3.3.4 |
NIST SP 800-171 R2 3.3.4 |
Audit and Accountability |
Alert in the event of an audit logging process failure. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both. |
link |
12 |
| NIST_SP_800-53_R4 |
AU-4 |
NIST_SP_800-53_R4_AU-4 |
NIST SP 800-53 Rev. 4 AU-4 |
Audit And Accountability |
Audit Storage Capacity |
Shared |
n/a |
The organization allocates audit record storage capacity in accordance with [Assignment:
organization-defined audit record storage requirements].
Supplemental Guidance: Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability. Related controls: AU-2, AU-5, AU-6, AU-7, AU-11, SI-4.
References: None. |
link |
1 |
| NIST_SP_800-53_R4 |
AU-5 |
NIST_SP_800-53_R4_AU-5 |
NIST SP 800-53 Rev. 4 AU-5 |
Audit And Accountability |
Response To Audit Processing Failures |
Shared |
n/a |
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Supplemental Guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12.
References: None. |
link |
1 |
| NIST_SP_800-53_R5 |
AU-4 |
NIST_SP_800-53_R5_AU-4 |
NIST SP 800-53 Rev. 5 AU-4 |
Audit and Accountability |
Audit Log Storage Capacity |
Shared |
n/a |
Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. |
link |
1 |
| NIST_SP_800-53_R5 |
AU-5 |
NIST_SP_800-53_R5_AU-5 |
NIST SP 800-53 Rev. 5 AU-5 |
Audit and Accountability |
Response to Audit Logging Process Failures |
Shared |
n/a |
a. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and
b. Take the following additional actions: [Assignment: organization-defined additional actions]. |
link |
1 |
|
op.pl.4 Sizing and capacity management |
op.pl.4 Sizing and capacity management |
404 not found |
|
|
|
n/a |
n/a |
|
12 |
| PCI_DSS_v4.0 |
10.7.1 |
PCI_DSS_v4.0_10.7.1 |
PCI DSS v4.0 10.7.1 |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data |
Failures of critical security control systems are detected, reported, and responded to promptly |
Shared |
n/a |
Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems:
• Network security controls
• IDS/IPS
• FIM
• Anti-malware solutions
• Physical access controls
• Logical access controls
• Audit logging mechanisms
• Segmentation controls (if used) |
link |
5 |
| PCI_DSS_v4.0 |
10.7.2 |
PCI_DSS_v4.0_10.7.2 |
PCI DSS v4.0 10.7.2 |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data |
Failures of critical security control systems are detected, reported, and responded to promptly |
Shared |
n/a |
Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems:
• Network security controls
• IDS/IPS
• Change-detection mechanisms
• Anti-malware solutions
• Physical access controls
• Logical access controls
• Audit logging mechanisms
• Segmentation controls (if used)
• Audit log review mechanisms
• Automated security testing tools (if used) |
link |
5 |
| SOC_2 |
CC7.2 |
SOC_2_CC7.2 |
SOC 2 Type 2 CC7.2 |
System Operations |
Monitor system components for anomalous behavior |
Shared |
The customer is responsible for implementing this recommendation. |
• Implements Detection Policies, Procedures, and Tools — Detection policies and
procedures are defined and implemented and detection tools are implemented on infrastructure and software to identify anomalies in the operation or unusual activity
on systems. Procedures may include (1) a defined governance process for security
event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3)
logging of unusual system activities.
• Designs Detection Measures — Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers;
(2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software.
• Implements Filters to Analyze Anomalies — Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events.
• Monitors Detection Tools for Effective Operation — Management has implemented
processes to monitor the effectiveness of detection tools |
|
20 |