The following compliance controls are associated with this Policy definition 'An activity log alert should exist for specific Administrative operations' (b954148f-4c11-4c38-8221-be76711e194a)

| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| CIS_Azure_1.1.0 | 5.2.2 | CIS_Azure_1.1.0_5.2.2 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 | 5 Logging and Monitoring | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Shared | The customer is responsible for implementing this recommendation. | Create an Activity Log Alert for the "Create" or "Update Network Security Group" event. | link | 4 |
| CIS_Azure_1.1.0 | 5.2.3 | CIS_Azure_1.1.0_5.2.3 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 | 5 Logging and Monitoring | Ensure that Activity Log Alert exists for Delete Network Security Group | Shared | The customer is responsible for implementing this recommendation. | Create an activity log alert for the Delete Network Security Group event. | link | 4 |
| CIS_Azure_1.1.0 | 5.2.4 | CIS_Azure_1.1.0_5.2.4 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 | 5 Logging and Monitoring | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | Shared | The customer is responsible for implementing this recommendation. | Create an activity log alert for the Create or Update Network Security Group Rule event. | link | 4 |
| CIS_Azure_1.1.0 | 5.2.5 | CIS_Azure_1.1.0_5.2.5 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 | 5 Logging and Monitoring | Ensure that activity log alert exists for the Delete Network Security Group Rule | Shared | The customer is responsible for implementing this recommendation. | Create an activity log alert for the Delete Network Security Group Rule event. | link | 4 |
| CIS_Azure_1.1.0 | 5.2.8 | CIS_Azure_1.1.0_5.2.8 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 | 5 Logging and Monitoring | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | Shared | The customer is responsible for implementing this recommendation. | Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. | link | 4 |
| CIS_Azure_1.3.0 | 5.2.3 | CIS_Azure_1.3.0_5.2.3 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 | 5 Logging and Monitoring | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Shared | The customer is responsible for implementing this recommendation. | Create an Activity Log Alert for the "Create" or "Update Network Security Group" event. | link | 4 |
| CIS_Azure_1.3.0 | 5.2.4 | CIS_Azure_1.3.0_5.2.4 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 | 5 Logging and Monitoring | Ensure that Activity Log Alert exists for Delete Network Security Group | Shared | The customer is responsible for implementing this recommendation. | Create an activity log alert for the Delete Network Security Group event. | link | 4 |
| CIS_Azure_1.3.0 | 5.2.5 | CIS_Azure_1.3.0_5.2.5 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 | 5 Logging and Monitoring | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | Shared | The customer is responsible for implementing this recommendation. | Create an activity log alert for the Create or Update Network Security Group Rule event. | link | 4 |
| CIS_Azure_1.3.0 | 5.2.6 | CIS_Azure_1.3.0_5.2.6 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 | 5 Logging and Monitoring | Ensure that activity log alert exists for the Delete Network Security Group Rule | Shared | The customer is responsible for implementing this recommendation. | Create an activity log alert for the Delete Network Security Group Rule event. | link | 4 |
| CIS_Azure_1.3.0 | 5.2.9 | CIS_Azure_1.3.0_5.2.9 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 | 5 Logging and Monitoring | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | Shared | The customer is responsible for implementing this recommendation. | Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. | link | 4 |
| CIS_Azure_1.4.0 | 5.2.3 | CIS_Azure_1.4.0_5.2.3 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 | 5 Logging and Monitoring | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Shared | The customer is responsible for implementing this recommendation. | Create an Activity Log Alert for the "Create" or "Update Network Security Group" event. | link | 4 |
| CIS_Azure_1.4.0 | 5.2.4 | CIS_Azure_1.4.0_5.2.4 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 | 5 Logging and Monitoring | Ensure that Activity Log Alert exists for Delete Network Security Group | Shared | The customer is responsible for implementing this recommendation. | Create an activity log alert for the Delete Network Security Group event. | link | 4 |
| CIS_Azure_1.4.0 | 5.2.5 | CIS_Azure_1.4.0_5.2.5 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 | 5 Logging and Monitoring | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Shared | The customer is responsible for implementing this recommendation. | Create an activity log alert for the Create or Update Network Security Group Rule event. | link | 4 |
| CIS_Azure_1.4.0 | 5.2.6 | CIS_Azure_1.4.0_5.2.6 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 | 5 Logging and Monitoring | Ensure that activity log alert exists for the Delete Network Security Group Rule | Shared | The customer is responsible for implementing this recommendation. | Create an activity log alert for the Delete Network Security Group Rule event. | link | 4 |
| CIS_Azure_1.4.0 | 5.2.9 | CIS_Azure_1.4.0_5.2.9 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 | 5 Logging and Monitoring | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | Shared | The customer is responsible for implementing this recommendation. | Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. | link | 4 |
| CIS_Azure_2.0.0 | 5.1.2 | CIS_Azure_2.0.0_5.1.2 | CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 | 5.1 | Ensure Diagnostic Setting captures appropriate categories | Shared | n/a | **Prerequisite**: A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: "Ensure that a 'Diagnostic Setting' exists."<br>The diagnostic setting should be configured to log the appropriate activities from the control/management plane.<br>A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting. | link | 8 |
| CIS_Azure_2.0.0 | 5.2.3 | CIS_Azure_2.0.0_5.2.3 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 | 5.2 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Shared | n/a | Create an Activity Log Alert for the Create or Update Network Security Group event.<br>Monitoring for Create or Update Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. | link | 4 |
| CIS_Azure_2.0.0 | 5.2.4 | CIS_Azure_2.0.0_5.2.4 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 | 5.2 | Ensure that Activity Log Alert exists for Delete Network Security Group | Shared | n/a | Create an activity log alert for the Delete Network Security Group event.<br>Monitoring for "Delete Network Security Group" events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. | link | 4 |
| CIS_Azure_2.0.0 | 5.2.5 | CIS_Azure_2.0.0_5.2.5 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 | 5.2 | Ensure that Activity Log Alert exists for Create or Update Security Solution | Shared | n/a | Create an activity log alert for the Create or Update Security Solution event.<br>Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity. | link | 4 |
| CIS_Azure_2.0.0 | 5.2.6 | CIS_Azure_2.0.0_5.2.6 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 | 5.2 | Ensure that Activity Log Alert exists for Delete Security Solution | Shared | n/a | Create an activity log alert for the Delete Security Solution event.<br>Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity. | link | 4 |
| CIS_Azure_2.0.0 | 5.2.7 | CIS_Azure_2.0.0_5.2.7 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 | 5.2 | Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | Shared | There will be a substantial increase in log size if there are a large number of administrative actions on a server. | Create an activity log alert for the Create or Update SQL Server Firewall Rule event.<br>Monitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. | link | 4 |
| CIS_Azure_2.0.0 | 5.2.8 | CIS_Azure_2.0.0_5.2.8 | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 | 5.2 | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | Shared | There will be a substantial increase in log size if there are a large number of administrative actions on a server. | Create an activity log alert for the "Delete SQL Server Firewall Rule."<br>Monitoring for Delete SQL Server Firewall Rule events gives insight into SQL network access changes and may reduce the time it takes to detect suspicious activity. | link | 4 |
| CMMC_L3 | AC.3.018 | CMMC_L3_AC.3.018 | CMMC L3 AC.3.018 | Access Control | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in AC.1.002.<br>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat. | link | 3 |
| CMMC_L3 | AC.3.021 | CMMC_L3_AC.3.021 | CMMC L3 AC.3.021 | Access Control | Authorize remote execution of privileged commands and remote access to security-relevant information. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | A privileged command is a human-initiated (interactively or via a process operating on behalf of the human) command executed on a system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information. Security-relevant information is any information within the system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling such access from remote locations helps to ensure that unauthorized individuals are not able to execute such commands freely with the potential to do serious or catastrophic damage to organizational systems. Note that the ability to affect the integrity of the system is considered security-relevant as that could enable the means to by-pass security functions although not directly impacting the function itself. | link | 10 |
| CMMC_L3 | AU.2.041 | CMMC_L3_AU.2.041 | CMMC L3 AU.2.041 | Audit and Accountability | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). | link | 15 |
| CMMC_L3 | AU.2.042 | CMMC_L3_AU.2.042 | CMMC L3 AU.2.042 | Audit and Accountability | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance.<br>Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures.<br>Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred).<br>Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. | link | 15 |
| CMMC_L3 | CM.2.065 | CMMC_L3_CM.2.065 | CMMC L3 CM.2.065 | Configuration Management | Track, review, approve or disapprove, and log changes to organizational systems. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities.<br>Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes to systems. For new development systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards or Change Advisory Boards. Audit logs of changes include activities before and after changes are made to organizational systems and the activities required to implement such changes. | link | 6 |
| CMMC_L3 | SI.2.216 | CMMC_L3_SI.2.216 | CMMC L3 SI.2.216 | System and Information Integrity | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives.<br>System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.<br>Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. | link | 23 |
| CMMC_L3 | SI.2.217 | CMMC_L3_SI.2.217 | CMMC L3 SI.2.217 | System and Information Integrity | Identify unauthorized use of organizational systems. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs.<br>Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. | link | 11 |
| hipaa | 1270.09ad1System.12-09.ad | hipaa-1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad | 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad 09.10 Monitoring | Shared | n/a | The organization ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis. | | 18 |
| hipaa | 1271.09ad1System.1-09.ad | hipaa-1271.09ad1System.1-09.ad | 1271.09ad1System.1-09.ad | 12 Audit Logging & Monitoring | 1271.09ad1System.1-09.ad 09.10 Monitoring | Shared | n/a | An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. | | 8 |
| SOC_2 | CC7.2 | SOC_2_CC7.2 | SOC 2 Type 2 CC7.2 | System Operations | Monitor system components for anomalous behavior | Shared | The customer is responsible for implementing this recommendation. | • Implements Detection Policies, Procedures, and Tools — Detection policies and procedures are defined and implemented and detection tools are implemented on infrastructure and software to identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities.<br>• Designs Detection Measures — Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software.<br>• Implements Filters to Analyze Anomalies — Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events.<br>• Monitors Detection Tools for Effective Operation — Management has implemented processes to monitor the effectiveness of detection tools. | | 20 |