last sync: 2024-Sep-19 17:51:32 UTC

Microsoft Managed Control 1131 - Protection Of Audit Information | Regulatory Compliance - Audit and Accountability

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1131 - Protection Of Audit Information
Id b472a17e-c2bc-493f-b50b-42d55a346962
Version 1.0.0
Versioning Versions supported for Versioning: 0
Built-in Versioning [Preview]
Category Regulatory Compliance
Description Microsoft implements this Audit and Accountability control
Additional metadata Name/Id: ACF1131 / Microsoft Managed Control 1131
Category: Audit and Accountability
Title: Protection Of Audit Information
Ownership: Customer, Microsoft
Description: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Requirements: Only service team personnel for the specific asset within Azure have access to security logs on the local asset, via the role-based access control (RBAC) implemented through OneIdentity. Azure protects audit information by using an authenticated and encrypted connection from the local asset where logs are generated to the centralized audit collection systems, using the Geneva Monitoring Agent (MA). Access to the centralized audit collection systems and storage is restricted to the Security Engineering and Operations groups, based on the standard access groups defined for Azure. Only authorized service team personnel are allowed access to the actual audit records, and their assigned rights prohibit them from modifying or deleting audit information. Even if a user is able to clear local asset log data after elevating permissions via an approved JIT request, the act of clearing the data is itself logged, and the cleared log data remains present in Geneva Monitoring storage because of central ingestion.

The following mechanisms are used to protect log information in transit and at rest:

* Logs on the local asset can only be accessed through direct login to the asset.
* The transfer of logs from the local asset to the service team and central storage accounts occurs over an HTTPS connection.
* Read-only access to logs in Geneva Monitoring storage for Azure users is enabled through the Geneva Monitoring front-end portal. This access is restricted through AD security groups, which are managed through OneIdentity.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed: audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a