last sync: 2024-Sep-19 17:51:32 UTC

Microsoft Managed Control 1102 - Audit Events | Regulatory Compliance - Audit and Accountability

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1102 - Audit Events
Id 9943c16a-c54c-4b4a-ad28-bfd938cdbf57
Version 1.0.0
Versioning Versions supported for Versioning: 0
Category Regulatory Compliance
Description Microsoft implements this Audit and Accountability control
Additional metadata Name/Id: ACF1102 / Microsoft Managed Control 1102
Category: Audit and Accountability
Title: Audit Events - Capability to Audit
Ownership: Customer, Microsoft
Description: The organization: Determines that the information system is capable of auditing the following events: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes;
Requirements: The Azure Security Logging and Monitoring (SLAM) team and the Security Response Team have developed sets of auditable events for Azure assets based on ongoing risk assessments of the system, which incorporate government and industry baselines and requirements, identified vulnerabilities, business requirements, and Azure and C+AI Security Standards. The event sets are reviewed by the SLAM and Security Response Teams whenever a significant change is made to the system, to ensure that any newly exposed vulnerabilities are covered by the set of auditable events. New events are incorporated when a new asset class is brought online or when a vulnerability or threat is identified through security assessments, security bulletins, and similar sources. Azure Security Pack (AzSecPack) and Geneva Monitoring, composed of Logs, Metrics, and Analytics, are the main drivers of audit log collection. AzSecPack is deployed via the Geneva Monitoring Agent (MA), covers both Windows and Linux operating systems, and operates as the raw event source. AzSecPack monitors events throughout the Azure environment in an automated fashion, feeding logs through Azure Security Monitoring (ASM), Kusto, and SCUBA to identify and alert on events of interest. Personnel can use Kusto and Jarvis to examine the logs in human-readable form.

Servers: For server assets, the audit policy is set as part of installing AzSecPack on a given server, which is required for Azure. AzSecPack collects all server asset logs and sends them to the Geneva Monitoring Agent (MA), a client executable that runs on the asset to collect logs and upload them to Azure storage accounts owned by the service team. Geneva Monitoring then ingests and analyzes the logs via multiple detection services, including but not limited to Azure Security Monitoring (ASM), Kusto, and SCUBA, for events requiring alerting.

Network Devices: Using the audit log collection tool protocol and event collection infrastructure, Azure retrieves events from network device syslog. The logs are sent to servers running AzSecPack, which store them and process their format and content via Geneva Monitoring. Geneva Monitoring then ingests and analyzes the logs via multiple detection services, including but not limited to Azure Security Monitoring (ASM), Kusto, and SCUBA, for events requiring alerting.

Azure Services: Service teams configure their service to generate audit logs based on the service-specific risk assessment. Service teams are responsible for configuring service-layer audit logs as part of the Security Development Lifecycle (SDL) process, using the iFX audit instrumentation that feeds into the Geneva MA and the pipeline described above.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a