LT-1: Enable threat detection capabilities
Control domain: Logging and threat detection
CIS Controls v7.1: 6.7 - Regularly Review Logs
CIS Controls v8: 8.11 - Conduct Audit Log Reviews
NIST SP 800-53: AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING

Security principle:
To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies. Configure your alert filtering and analytics rules to extract high-quality alerts from log data, agents, or other data sources to reduce false positives.

Azure guidance:
Use the threat detection capability of Microsoft Defender for Cloud for the respective Azure services.

For threat detection not included in Microsoft Defender services, refer to the Microsoft Cloud Security Benchmark service baselines for the respective services to enable the threat detection or security alert capabilities within the service. Ingest alerts and log data from Microsoft Defender for Cloud and Microsoft 365 Defender, and log data from other resources, into your Azure Monitor or Microsoft Sentinel instances to build analytics rules that hunt for and detect threats and create alerts matching specific criteria across your environment.

For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Microsoft Defender for IoT to inventory assets and detect threats and vulnerabilities.

For services that do not have a native threat detection capability, consider collecting the data plane logs and analyzing the threats through Microsoft Sentinel.

Azure implementation and additional context:
- Introduction to Microsoft Defender for Cloud: https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction
- Microsoft Defender for Cloud security alerts reference guide: https://docs.microsoft.com/azure/security-center/alerts-reference
- Create custom analytics rules to detect threats: https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom
- Threat indicators for cyber threat intelligence in Microsoft Sentinel: https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence

AWS guidance:
Use Amazon GuardDuty for threat detection, which analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, and DNS logs. GuardDuty is capable of reporting on security issues such as privilege escalation, exposed credential usage, or communication with malicious IP addresses or domains.

Configure AWS Config to check rules in SecurityHub for compliance monitoring such as configuration drift, and create findings when needed.

For threat detection not included in GuardDuty and SecurityHub, enable threat detection or security alert capabilities within the supported AWS services. Extract the alerts to your CloudTrail, CloudWatch, or Microsoft Sentinel to build analytics rules that hunt for threats matching specific criteria across your environment.

You can also use Microsoft Defender for Cloud to monitor certain services in AWS, such as EC2 instances.

For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Microsoft Defender for IoT to inventory assets and detect threats and vulnerabilities.

AWS implementation and additional context:
- Amazon GuardDuty: https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
- Amazon GuardDuty data sources: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html
- Connect your AWS accounts to Microsoft Defender for Cloud: https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
- How Defender for Cloud Apps helps protect your Amazon Web Services (AWS) environment: https://docs.microsoft.com/en-us/defender-cloud-apps/protect-aws
- Security recommendations for AWS resources - a reference guide: https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-aws

Customer security stakeholders:
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
- Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence

LT-2: Enable threat detection for identity and access management
Control domain: Logging and threat detection
CIS Controls v7.1: 4.9 - Log and Alert on Unsuccessful Administrative Account Login; 6.7 - Regularly Review Logs; 16.13 - Alert on Account Login Behavior Deviation
CIS Controls v8: 8.11 - Conduct Audit Log Reviews
NIST SP 800-53: AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS: 10.6; 10.8; A3.5

Security principle:
Detect threats for identities and access management by monitoring user and application sign-in and access anomalies. Behavioral patterns such as an excessive number of failed login attempts, and deprecated accounts in the subscription, should be alerted on.

Azure guidance:
Azure AD provides the following logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Microsoft Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:
- Sign-ins: The sign-ins report provides information about the usage of managed applications and user sign-in activities.
- Audit logs: Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.
- Risky sign-ins: A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
- Users flagged for risk: A risky user is an indicator for a user account that might have been compromised.

Azure AD also provides an Identity Protection module to detect and remediate risks related to user accounts and sign-in behaviors. Examples of risks include leaked credentials, sign-ins from anonymous or malware-linked IP addresses, and password spray. The policies in Azure AD Identity Protection allow you to enforce risk-based MFA authentication in conjunction with Azure Conditional Access on user accounts.

In addition, Microsoft Defender for Cloud can be configured to alert on deprecated accounts in the subscription and suspicious activities such as an excessive number of failed authentication attempts. Beyond basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, app service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources.

Note: If you are connecting your on-premises Active Directory for synchronization, use the Microsoft Defender for Identity solution to consume your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Azure implementation and additional context:
- Audit activity reports in Azure AD: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs
- Enable Azure Identity Protection: https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection
- Threat protection in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/threat-protection
- Overview of Microsoft Defender for Identity: https://learn.microsoft.com/defender-for-identity/what-is

AWS guidance:
AWS IAM provides the following logs and reports for console user activities through IAM Access Advisor and the IAM credential report:
- Every successful sign-in and unsuccessful login attempt.
- Multi-factor authentication (MFA) status for each user.
- Dormant IAM users.

For API-level access monitoring and threat detection, use Amazon GuardDuty to identify the findings related to IAM. Examples of these findings include:
- An API used to gain access to an AWS environment was invoked in an anomalous way, or was used to evade defensive measures.
- An API used to:
  a) discover resources was invoked in an anomalous way;
  b) collect data from an AWS environment was invoked in an anomalous way;
  c) tamper with data or processes in an AWS environment was invoked in an anomalous way;
  d) gain unauthorized access to an AWS environment was invoked in an anomalous way;
  e) maintain unauthorized access to an AWS environment was invoked in an anomalous way;
  f) obtain high-level permissions to an AWS environment was invoked in an anomalous way;
  g) be invoked from a known malicious IP address;
  h) be invoked using root credentials.
- AWS CloudTrail logging was disabled.
- Account password policy was weakened.
- Multiple worldwide successful console logins were observed.
- Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from another account within AWS.
- Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from an external IP address.
- An API was invoked from a known malicious IP address.
- An API was invoked from an IP address on a custom threat list.
- An API was invoked from a Tor exit node IP address.

AWS implementation and additional context:
- IAM credential reports: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
- GuardDuty data sources: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html
- GuardDuty IAM finding types: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html

Customer security stakeholders:
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
- Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
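The sign-in anomalies this control asks you to alert on (an excessive number of failed attempts against one account, password spray across many accounts, and successful console logins from several countries in a short time) as detection logic run over constructed sample events. This is an added example, not part of the benchmark or of any Microsoft or AWS product; the event tuple layout, the thresholds, the window sizes and the function names are assumptions.

```python
"""LT-2 sign-in anomaly checks over constructed sample events (added example,
not benchmark or vendor code). Event shape (user, result, source_ip, country,
utc_timestamp) is an assumed simplification of Azure AD sign-in log and
CloudTrail ConsoleLogin fields; map your real field names before use."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): a failure burst against bob, a spray of
# single failures across several users from one IP, and carol succeeding from
# two countries within an hour (dave's two countries are four hours apart).
SAMPLE_EVENTS = [
    ("alice", "failure", "203.0.113.10", "US", "2024-01-15T08:00:00Z"),
    ("alice", "success", "203.0.113.10", "US", "2024-01-15T08:00:30Z"),
    ("bob", "failure", "203.0.113.20", "US", "2024-01-15T08:10:00Z"),
    ("bob", "failure", "203.0.113.20", "US", "2024-01-15T08:10:30Z"),
    ("bob", "failure", "203.0.113.20", "US", "2024-01-15T08:11:00Z"),
    ("bob", "failure", "203.0.113.20", "US", "2024-01-15T08:11:30Z"),
    ("bob", "failure", "203.0.113.20", "US", "2024-01-15T08:12:00Z"),
    ("carol", "success", "203.0.113.30", "US", "2024-01-15T09:00:00Z"),
    ("carol", "success", "198.51.100.40", "DE", "2024-01-15T09:30:00Z"),
    ("dave", "success", "203.0.113.50", "US", "2024-01-15T10:00:00Z"),
    ("alice", "failure", "198.51.100.7", "NL", "2024-01-15T11:00:00Z"),
    ("carol", "failure", "198.51.100.7", "NL", "2024-01-15T11:00:05Z"),
    ("erin", "failure", "198.51.100.7", "NL", "2024-01-15T11:00:10Z"),
    ("frank", "failure", "198.51.100.7", "NL", "2024-01-15T11:00:15Z"),
    ("dave", "success", "192.0.2.60", "FR", "2024-01-15T14:00:00Z"),
]


def parse_events(events):
    """Raw tuples -> dicts with datetime objects, sorted by time."""
    parsed = [{"user": u, "result": r, "ip": ip, "country": c,
               "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
              for u, r, ip, c, ts in events]
    return sorted(parsed, key=lambda e: e["time"])


def _group(events, result, group_by, value):
    """Bucket events with the given result by one field; each bucket is a
    time-ordered list of (time, value) where value is another field, or the
    event's own index when value is None (so every event counts once)."""
    groups = defaultdict(list)
    for i, e in enumerate(parse_events(events)):
        if e["result"] == result:
            groups[e[group_by]].append((e["time"], e[value] if value else i))
    return groups


def _peak(items, window):
    """Largest set of distinct values that fall inside one sliding window."""
    best = set()
    for i, (t0, _) in enumerate(items):
        seen = {v for t, v in items[i:] if t - t0 <= window}
        if len(seen) > len(best):
            best = seen
    return best


def excessive_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with >= threshold failed sign-ins inside window -> {user: n}."""
    peaks = {u: len(_peak(it, window)) for u, it in _group(events, "failure", "user", None).items()}
    return {u: n for u, n in peaks.items() if n >= threshold}


def password_spray(events, min_users=4, window=timedelta(minutes=10)):
    """Source IPs failing against >= min_users distinct accounts -> {ip: users}."""
    peaks = {ip: sorted(_peak(it, window)) for ip, it in _group(events, "failure", "ip", "user").items()}
    return {ip: users for ip, users in peaks.items() if len(users) >= min_users}


def multi_country_success(events, window=timedelta(hours=1)):
    """Accounts with successful sign-ins from more than one country inside window
    (the 'multiple worldwide successful console logins' pattern) -> {user: countries}."""
    peaks = {u: sorted(_peak(it, window)) for u, it in _group(events, "success", "user", "country").items()}
    return {u: c for u, c in peaks.items() if len(c) > 1}


if __name__ == "__main__":
    for check in (excessive_failures, password_spray, multi_country_success):
        print(check.__name__, check(SAMPLE_EVENTS) or "no hits")
```

Feed the same three checks a real export (Azure AD sign-in logs or CloudTrail ConsoleLogin events) by mapping its fields onto the tuple, and tune the thresholds to your baseline before turning hits into alerts.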
|
|
|
LT-3: Enable logging for security investigation
Control domain: Logging and threat detection
CIS Controls v7.1: 6.2 - Activate Audit Logging; 6.3 - Enable Detailed Logging; 8.8 - Enable Command-Line Audit Logging
CIS Controls v8: 8.2 - Collect Audit Logs; 8.5 - Collect Detailed Audit Logs; 8.12 - Collect Service Provider Logs
NIST SP 800-53: AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS: 10.1; 10.2; 10.3

Security principle:
Enable logging for your cloud resources to meet the requirements for security incident investigations, security response, and compliance purposes.

Azure guidance:
Enable logging capability for resources at the different tiers, such as logs for Azure resources, operating systems and applications inside your VMs, and other log types.

Be mindful of the different types of logs for security, audit, and other operational purposes at the management/control plane and data plane tiers. There are three types of logs available on the Azure platform:
- Azure resource log: Logging of operations that are performed within an Azure resource (the data plane). For example, getting a secret from a key vault or making a request to a database. The content of resource logs varies by the Azure service and resource type.
- Azure activity log: Logging of operations on each Azure resource at the subscription layer, from the outside (the management plane). You can use the Activity Log to determine what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. There is a single Activity Log for each Azure subscription.
- Azure Active Directory logs: Logs of the history of sign-in activity and the audit trail of changes made in Azure Active Directory for a particular tenant.

You can also use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collection on Azure resources.

Azure implementation and additional context:
- Understand logging and different log types in Azure: https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview
- Understand Microsoft Defender for Cloud data collection: https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection
- Enable and configure antimalware monitoring: https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets
- Operating system and application logs inside your compute resources: https://docs.microsoft.com/azure/azure-monitor/agents/data-sources#operating-system-guest

AWS guidance:
Use AWS CloudTrail logging for management events (control plane operations) and data events (data plane operations), and monitor these trails with CloudWatch for automated actions.

The Amazon CloudWatch Logs service allows you to collect and store logs from your resources, applications, and services in near real time. There are three main categories of logs:
- Vended logs: Logs natively published by AWS services on your behalf. Currently, Amazon VPC Flow Logs and Amazon Route 53 logs are the two supported types. These two logs are enabled by default.
- Logs published by AWS services: Logs from more than 30 AWS services publish to CloudWatch. They include Amazon API Gateway, AWS Lambda, AWS CloudTrail, and many others. These logs can be enabled directly in the services and CloudWatch.
- Custom logs: Logs from your own applications and on-premises resources. You may need to collect these logs by installing the CloudWatch Agent in your operating systems and forwarding them to CloudWatch.

While many services publish logs only to CloudWatch Logs, some AWS services can publish logs directly to Amazon S3 or Amazon Kinesis Data Firehose, where you can apply different log storage and retention policies.

AWS implementation and additional context:
- Enabling logging from certain AWS services: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html
- https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/monitoring-and-logging.html
- https://aws.amazon.com/cloudwatch/features/

Customer security stakeholders:
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
- Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence

LT-4: Enable network logging for security investigation
Control domain: Logging and threat detection
CIS Controls v7.1: 6.2 - Activate Audit Logging; 6.3 - Enable Detailed Logging; 7.6 - Log All URL Requests; 8.7 - Enable DNS Query Logging; 12.8 - Deploy NetFlow Collection on Networking Boundary Devices
CIS Controls v8: 8.2 - Collect Audit Logs; 8.5 - Collect Detailed Audit Logs; 8.6 - Collect DNS Query Audit Logs; 8.7 - Collect URL Request Audit Logs; 13.6 - Collect Network Traffic Flow Logs
NIST SP 800-53: AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS: 10.8

Security principle:
Enable logging for your network services to support network-related incident investigations, threat hunting, and security alert generation. The network logs may include logs from network services such as IP filtering, network and application firewalls, DNS, flow monitoring and so on.

Azure guidance:
Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, Web Application Firewall (WAF) logs, and logs from virtual machines via the network traffic data collection agent for security analysis to support incident investigations and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights.

Collect DNS query logs to assist in correlating other network data.

Azure implementation and additional context:
- How to enable network security group flow logs: https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal
- Azure Firewall logs and metrics: https://docs.microsoft.com/azure/firewall/logs-and-metrics
- Azure networking monitoring solutions in Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics
- Gather insights about your DNS infrastructure with the DNS Analytics solution: https://docs.microsoft.com/azure/azure-monitor/insights/dns-analytics

AWS guidance:
Enable and collect network logs such as VPC Flow Logs, WAF logs, and Route 53 Resolver query logs for security analysis to support incident investigations and security alert generation. The logs can be exported to CloudWatch for monitoring or to an S3 bucket for ingestion into Microsoft Sentinel for centralized analytics.

AWS implementation and additional context:
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html

Customer security stakeholders:
- Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Infrastructure and endpoint security
- Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence

LT-5: Centralize security log management and analysis
Control domain: Logging and threat detection
CIS Controls v7.1: 6.5 - Central Log Management; 6.6 - Deploy SIEM or Log Analytic tool; 6.7 - Regularly Review Logs; 8.6 - Centralize Anti-Malware Logging
CIS Controls v8: 8.9 - Centralize Audit Logs; 8.11 - Conduct Audit Log Reviews; 13.1 - Centralize Security Event Alerting
NIST SP 800-53: AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING

Security principle:
Centralize logging storage and analysis to enable correlation across log data. For each log source, ensure that you have assigned a data owner, access guidance, storage location, the tools used to process and access the data, and data retention requirements.

Use a cloud-native SIEM if you don't have an existing SIEM solution for CSPs, or aggregate logs/alerts into your existing SIEM.

Azure guidance:
Ensure that you are integrating Azure activity logs into a centralized Log Analytics workspace. Use Azure Monitor to query and perform analytics and to create alert rules using the logs aggregated from Azure services, endpoint devices, network resources, and other security systems.

In addition, enable and onboard data to Microsoft Sentinel, which provides security information event management (SIEM) and security orchestration automated response (SOAR) capabilities.

Azure implementation and additional context:
- How to collect platform logs and metrics with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings
- How to onboard Azure Sentinel: https://docs.microsoft.com/azure/sentinel/quickstart-onboard

AWS guidance:
Ensure that you are integrating your AWS logs into a centralized resource for storage and analysis. Use CloudWatch to query and perform analytics, and to create alert rules using the logs aggregated from AWS services, endpoint devices, network resources, and other security systems.

In addition, you can aggregate the logs in an S3 bucket and onboard the log data to Microsoft Sentinel, which provides security information event management (SIEM) and security orchestration automated response (SOAR) capabilities.

AWS implementation and additional context:
- Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data: https://docs.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3

Customer security stakeholders:
- Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint

LT-6: Configure log storage retention
Control domain: Logging and threat detection
CIS Controls v7.1: 6.4 - Ensure Adequate Storage for Logs
CIS Controls v8: 8.3 - Ensure Adequate Audit Log Storage; 8.10 - Retain Audit Logs
NIST SP 800-53: AU-11: AUDIT RECORD RETENTION
PCI-DSS: 10.5; 10.7

Security principle:
Plan your log retention strategy according to your compliance, regulation, and business requirements. Configure the log retention policy at the individual logging services to ensure the logs are archived appropriately.

Azure guidance:
Logs such as Azure Activity Logs are retained for 90 days and then deleted. You should create a diagnostic setting and route the logs to another location (such as an Azure Monitor Log Analytics workspace, Event Hubs or Azure Storage) based on your needs. This strategy also applies to other resource logs and to resources managed by yourself, such as logs in the operating systems and applications inside VMs.

You have the following log retention options:
- Use an Azure Monitor Log Analytics workspace for a log retention period of up to 1 year or per your response team requirements.
- Use Azure Storage, Data Explorer or Data Lake for long-term and archival storage for greater than 1 year and to meet your security compliance requirements.
- Use Azure Event Hubs to forward logs to an external resource outside of Azure.

Note: Microsoft Sentinel uses a Log Analytics workspace as its backend for log storage. You should consider a long-term storage strategy if you plan to retain SIEM logs for a longer time.

Azure implementation and additional context:
- Change the data retention period in Log Analytics: https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period
- How to configure retention policy for Azure Storage account logs: https://docs.microsoft.com/azure/storage/common/storage-monitor-storage-account#configure-logging
- Microsoft Defender for Cloud alerts and recommendations export: https://docs.microsoft.com/azure/security-center/continuous-export

AWS guidance:
By default, logs are kept indefinitely and never expire in CloudWatch. You can adjust the retention policy for each log group, keeping indefinite retention or choosing a retention period between one day and 10 years.

Use Amazon S3 for log archival from CloudWatch and apply object lifecycle management and archival policies to the bucket. You can use Azure Storage for central log archival by transferring the files from Amazon S3 to Azure Storage.

AWS implementation and additional context:
- Altering CloudWatch log retention: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html
- Copy data from Amazon S3 to Azure Storage by using AzCopy: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-s3

Customer security stakeholders:
- Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Security compliance management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
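A retention-posture check for the two defaults this control calls out (CloudWatch log groups that never expire, and Activity Log data that is deleted after 90 days unless a diagnostic setting routes it elsewhere), as an added example that is not part of the benchmark or of any vendor tool. The input shapes are assumptions modelled on describe-log-groups output and on Activity Log diagnostic-setting properties, and the constants and function names are mine.

```python
"""LT-6 retention posture checks over constructed samples (added example, not
benchmark or vendor code). Input shapes are assumptions: the CloudWatch list
mirrors the logGroups entries of describe-log-groups, where a missing
retentionInDays means the group never expires; the Azure list mirrors the
properties of an Activity Log diagnostic setting (a workspaceId,
storageAccountId or eventHubAuthorizationRuleId destination plus logs[])."""

CLOUDWATCH_MIN_DAYS, CLOUDWATCH_MAX_DAYS = 1, 3653  # one day to 10 years
ACTIVITY_LOG_DEFAULT_DAYS = 90                      # then deleted unless routed

# Constructed sample: one group left at the indefinite default, one too short
# for a one-year requirement, one compliant.
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/orders"},
    {"logGroupName": "/aws/vpc/flow-logs", "retentionInDays": 30},
    {"logGroupName": "/aws/cloudtrail/management", "retentionInDays": 400},
]

# Constructed sample: a setting that routes two categories to a workspace
# (Policy is disabled), and a setting with no destination at all.
SAMPLE_ACTIVITY_LOG_SETTINGS = [
    {"name": "to-sentinel",
     "workspaceId": "<placeholder workspace resource id>",
     "logs": [{"category": "Administrative", "enabled": True},
              {"category": "Security", "enabled": True},
              {"category": "Policy", "enabled": False}]},
    {"name": "no-destination",
     "logs": [{"category": "Administrative", "enabled": True}]},
]


def check_cloudwatch_retention(log_groups, required_days, allow_indefinite=False):
    """Map each log group to a finding: 'indefinite' (never expires, the
    CloudWatch default), 'too_short', 'invalid' (outside the one-day-to-10-year
    range), or None when the group satisfies the policy."""
    findings = {}
    for group in log_groups:
        name, days = group["logGroupName"], group.get("retentionInDays")
        if days is None:
            findings[name] = None if allow_indefinite else "indefinite"
        elif not CLOUDWATCH_MIN_DAYS <= days <= CLOUDWATCH_MAX_DAYS:
            findings[name] = "invalid"
        elif days < required_days:
            findings[name] = "too_short"
        else:
            findings[name] = None
    return findings


def uncovered_activity_log_categories(settings, required_categories):
    """Return the required Activity Log categories that no diagnostic setting
    with a real destination exports (an empty set means every required
    category outlives the 90-day default somewhere you control)."""
    destinations = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")
    covered = set()
    for setting in settings:
        if not any(setting.get(d) for d in destinations):
            continue  # nothing is written anywhere, so this setting covers nothing
        covered |= {c["category"] for c in setting.get("logs", []) if c.get("enabled")}
    return set(required_categories) - covered


if __name__ == "__main__":
    print(check_cloudwatch_retention(SAMPLE_LOG_GROUPS, required_days=365))
    print(uncovered_activity_log_categories(
        SAMPLE_ACTIVITY_LOG_SETTINGS, ["Administrative", "Security", "Policy"]))
```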
|
|
|
|
|
LT-7: Use approved time synchronization sources
Control domain: Logging and threat detection
CIS Controls v7.1: 6.1 - Utilize Three Synchronized Time Sources
CIS Controls v8: 8.4 - Standardize Time Synchronization
NIST SP 800-53: AU-8: TIME STAMPS
PCI-DSS: 10.4

Security principle:
Use approved time synchronization sources for your logging time stamps, which include date, time and time zone information.

Azure guidance:
Microsoft maintains time sources for most Azure PaaS and SaaS services. For the operating systems of your compute resources, use a Microsoft default NTP server for time synchronization unless you have a specific requirement. If you need to stand up your own Network Time Protocol (NTP) server, ensure you secure the UDP service port 123.

All logs generated by resources within Azure provide time stamps with the time zone specified by default.

Azure implementation and additional context:
- How to configure time synchronization for Azure Windows compute resources: https://docs.microsoft.com/azure/virtual-machines/windows/time-sync
- How to configure time synchronization for Azure Linux compute resources: https://docs.microsoft.com/azure/virtual-machines/linux/time-sync
- How to disable inbound UDP for Azure services: https://support.microsoft.com/help/4558520/how-to-disable-inbound-udp-for-azure-services

AWS guidance:
AWS maintains time sources for most AWS services. For resources or services where the operating system time setting is configured, use the AWS default Amazon Time Sync Service for time synchronization unless you have a specific requirement. If you need to stand up your own Network Time Protocol (NTP) server, ensure you secure the UDP service port 123.

All logs generated by resources within AWS provide time stamps with the time zone specified by default.

AWS implementation and additional context:
- Set the time for a Linux instance: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html
- Set the time for a Windows instance: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/windows-set-time.html

Customer security stakeholders:
- Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards
- Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint