Source | Azure Portal | ||
Display name | Microsoft Managed Control 1135 - Non-Repudiation | ||
Id | 9c308b6b-2429-4b97-86cf-081b8e737b04 | ||
Version | 1.0.0 |
||
Versioning |
Versions supported for Versioning: 0 Built-in Versioning [Preview] |
||
Category | Regulatory Compliance |
||
Description | Microsoft implements this Audit and Accountability control | ||
Additional metadata |
Name/Id: ACF1135 / Microsoft Managed Control 1135
Category: Audit and Accountability
Title: Non-Repudiation
Ownership: Customer, Microsoft
Description: The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed actions including the addition, modification, deletion, approval, sending, or receiving of data.
Requirements: As part of the content of audit records captured within Azure, unique identifiers are captured by servers, network devices, and services. Azure requires unique identifiers assigned based on individual’s unique account for Active Directory federation with domain and Authentication, Authorization, and Accounting (AAA) credentials. The combination of event logs capturing identifiers, and identifiers uniquely identified based on individual’s Azure accounts, constitute non-repudiation for the Azure environment.
For both Windows and Linux assets, the security logs are protected from non-repudiation and tampering using the following configurations, with the implementation being platform specific:
* On the asset, Geneva Monitoring Agent (MA) authenticates from the asset to the central service for uploading security logs. The security logs use the Geneva Control-Plane Service (GCS) to manage the authentication from the agent on the asset to the Geneva Monitoring service. GCS uses an Azure Storage Shared Access Signatures (SAS) key implementation so that the full key is not exposed to the users on the asset.
* The Azure service IFx audit logs and key system application security events such as antimalware, PowerShell command line, and Terminal Services Remote Desktop Protocol access are uploaded every ten (10) minutes off the asset. The Linux system security event logs via AuditD and key system application security events such as antimalware are uploaded every one (1) minute off the asset. The MA watermarks the system security and IFx audit events to confirm that events are uploaded. The configuration has retry values in case the central store is offline so that the MA continues to retry uploads of the events when connectivity is re-established.
* Once the logs are uploaded to the Geneva Monitoring storage accounts for each service, the logs are submitted to downstream detection systems within approximately fifteen (15) minutes to analyze specified security events for unusual activity. Analysis timelines vary depending on the type of detection. Additionally, the security logs are moved to cold storage every five (5) minutes as part of Geneva Monitoring.
* Malicious activity on the asset that attempts to affect security log collection is monitored and alerted for, including monitoring for clearing of the security event log and audit policy changes. |
||
Mode | Indexed | ||
Type | Static | ||
Preview | False | ||
Deprecated | False | ||
Effect | Fixed audit |
||
RBAC role(s) | none | ||
Rule aliases | none | ||
Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups |
||
Compliance | Not a Compliance control | ||
Initiatives usage | none | ||
History | none | ||
JSON compare | n/a | ||