Security Control: Enable audit and logging
Published Feb 22 2021 11:55 AM
Microsoft

As part of our recent Microsoft Defender for Cloud blog series, we are diving into the different controls within Secure Score. In this post we discuss the Enable audit and logging control.

Log collection is a key input when analyzing a security incident, a business concern, or a suspicious security event. Logs also help you establish baselines and better understand behaviors and trends.

The Enable audit and logging security control contains recommendations that remind you to enable logging for all Azure services supported by Microsoft Defender for Cloud, and for resources in other cloud providers such as AWS and GCP (currently in preview). Remediating all of these recommendations increases your Secure Score by 1%.

[Image: enableAuditingLogging.PNG]

Recommendations

The number of recommendations varies according to the resources available in your subscription. This post focuses on a selection of recommendations for SQL Server, IoT Hub, Service Bus, Event Hub, Logic Apps, Virtual Machine Scale Sets, Key Vault, AWS, and GCP.

Auditing on SQL Server should be enabled

Enabling auditing is recommended in order to track database activity. To remediate, Microsoft Defender for Cloud offers a Quick Fix button that changes the state of the Microsoft.Sql/servers/auditingSettings property to Enabled. The Logic App requests the retention days and the storage account where the audit logs will be saved; the storage account can be created during that process, and the template is in this article. A manual remediation is also described in the Remediation Steps. The recommendation can be Enforced, so that the Azure Policy DeployIfNotExists effect automatically remediates non-compliant resources upon creation. More information about Enforce/Deny can be found here. To learn more about auditing capabilities in SQL, read this article.

[Image: SQLremediation.PNG]

Diagnostic logs in IoT Hub should be enabled

This enables you to recreate activity trails for investigation purposes when a security incident occurs or your IoT Hub is compromised. The recommendation can be Enforced, and it also comes with a Quick Fix in which a Logic App modifies Microsoft.Devices/IotHubs/providers/diagnosticSettings, setting the metric category AllMetrics and the log categories Connections, DeviceTelemetry, C2DCommands, DeviceIdentityOperations, FileUploadOperations, Routes, D2CTwinOperations, C2DTwinOperations, TwinQueries, JobsOperations, DirectMethods, DistributedTracing, Configurations, and DeviceStreams to "enabled": true. To learn more about monitoring Azure IoT Hub, visit this article.

Diagnostic logs in Service Bus should be enabled

This recommendation can be Enforced, and it has a Quick Fix that remediates the selected resources by setting the Microsoft.ServiceBus/namespaces/providers/diagnosticSettings metric category AllMetrics and log category OperationalLogs to "enabled": true. You must enter the retention days to deploy the Logic App. To remediate manually, follow this article. To learn more about the Service Bus security baseline, read this article.

Diagnostic logs in Event Hub should be enabled

The Quick Fix runs a Logic App that, for the selected resources, sets the Microsoft.EventHub/namespaces/providers/diagnosticSettings metric category AllMetrics and the log categories ArchiveLogs, OperationalLogs, and AutoScaleLogs to "enabled": true, using the retention days you enter. This recommendation can be Enforced. For manual remediation steps, visit this article. To learn more about the Event Hub security baseline, read this article.

Diagnostic logs in Logic Apps should be enabled

The recommendation can be Enforced, and it comes with a Quick Fix in which a Logic App sets the Microsoft.Logic/workflows/providers/diagnosticSettings metric category AllMetrics and log category WorkflowRuntime to "enabled": true. The retention days must be entered at the beginning of the remediation. For manual remediation steps, visit this article. To learn more about Logic Apps monitoring in Microsoft Defender for Cloud, read this article.

Diagnostic logs in Virtual Machine Scale Sets should be enabled

This specific recommendation comes with neither the Enforce feature nor a Quick Fix. To configure the Azure Virtual Machine Scale Set diagnostics extension, follow this document. The command az vmss diagnostics set enables diagnostics on a VMSS. To learn more about the Azure security baseline for Virtual Machine Scale Sets, read this article.

Diagnostic logs in Key Vault should be enabled

The recommendation can be Enforced, and it also comes with a Quick Fix in which the Logic App goes to the Microsoft.KeyVault/vaults/providers/diagnosticSettings resource and sets the metric category AllMetrics and log category AuditEvent to "enabled": true, using the retention days you enter. For manual remediation steps, read this article. To learn more about monitoring and alerting in Azure Key Vault, visit this article.
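A defender-side way to verify that the diagnostic-log recommendations above (IoT Hub, Service Bus, Event Hub, Logic Apps, and Key Vault) are actually met, as an added Python example that is not part of the original post: it encodes the categories each Quick Fix enables and reports the gaps in a resource's diagnostic settings. The input shape (mirroring `az monitor diagnostic-settings list` output) and the placeholder resource IDs are assumptions, and the sample data is constructed.

```python
"""Offline check that a resource's diagnostic settings enable the categories the
Quick Fix Logic Apps above turn on. Added example, not from the post. The input
shape mirrors `az monitor diagnostic-settings list` output; sample data is
constructed and the resource IDs are placeholders."""
from typing import Dict, List

# Required log categories per resource type, taken from the sections above.
REQUIRED_LOGS: Dict[str, List[str]] = {
    "Microsoft.KeyVault/vaults": ["AuditEvent"],
    "Microsoft.ServiceBus/namespaces": ["OperationalLogs"],
    "Microsoft.EventHub/namespaces": ["ArchiveLogs", "OperationalLogs", "AutoScaleLogs"],
    "Microsoft.Logic/workflows": ["WorkflowRuntime"],
    "Microsoft.Devices/IotHubs": [
        "Connections", "DeviceTelemetry", "C2DCommands", "DeviceIdentityOperations",
        "FileUploadOperations", "Routes", "D2CTwinOperations", "C2DTwinOperations",
        "TwinQueries", "JobsOperations", "DirectMethods", "DistributedTracing",
        "Configurations", "DeviceStreams"],
}
REQUIRED_METRICS = ["AllMetrics"]  # every Azure section above enables this too
SINK_KEYS = ("storageAccountId", "workspaceId", "eventHubAuthorizationRuleId")


def find_gaps(resource_type: str, settings: List[dict]) -> List[str]:
    """Return findings for one resource; an empty list means compliant.
    A category counts only if a setting enables it AND has a destination:
    an enabled category with nowhere to send logs leaves no audit trail."""
    covered_logs, covered_metrics = set(), set()
    for s in settings:
        if not any(s.get(k) for k in SINK_KEYS):
            continue  # no storage account / workspace / event hub: ignore
        covered_logs |= {x["category"] for x in s.get("logs", []) if x.get("enabled")}
        covered_metrics |= {x["category"] for x in s.get("metrics", []) if x.get("enabled")}
    findings = [] if settings else ["no diagnostic settings configured"]
    findings += [f"log category {c} not enabled"
                 for c in REQUIRED_LOGS.get(resource_type, []) if c not in covered_logs]
    findings += [f"metric category {c} not enabled"
                 for c in REQUIRED_METRICS if c not in covered_metrics]
    return findings


# Constructed sample: a Key Vault with AuditEvent on but AllMetrics off.
SAMPLE_KV_SETTINGS = [{
    "workspaceId": "/subscriptions/<placeholder>/.../workspaces/<placeholder>",
    "logs": [{"category": "AuditEvent", "enabled": True}],
    "metrics": [{"category": "AllMetrics", "enabled": False}],
}]

if __name__ == "__main__":
    for finding in find_gaps("Microsoft.KeyVault/vaults", SAMPLE_KV_SETTINGS):
        print("Microsoft.KeyVault/vaults:", finding)
```

Feeding the real output of `az monitor diagnostic-settings list --resource <id>` into `find_gaps` turns the Secure Score recommendation into a check you can run in a pipeline before the Enforce policy ever fires.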

Ensure a log metric filter and alarm exist for security group changes – AWS Preview

Directing CloudTrail logs to CloudWatch Logs enables real-time monitoring of API calls. A metric filter and alarm should be established for changes to security groups. Recommendations for AWS resources do not have the Enforce feature, Quick Fix button, or Trigger Logic App option. To remediate them, follow the AWS Security Hub documentation.

[Image: AWSpreview.png]

Ensure that Cloud Audit Logging is configured properly across all services and all users from a project – GCP Preview

Ensure that Cloud Audit Logging is configured to track read and write activities across all supported services and for all users. Configured this way, all administrative activities and attempts to access user data are tracked. Recommendations for GCP resources do not have the Enforce feature, Quick Fix button, or Trigger Logic App option. To remediate them, follow the Manual Remediation Steps. For more information, visit the GCP documentation.

[Image: GCPpreview.png]

P.S. Consider joining our Tech Community, where you can be among the first to hear the latest Microsoft Defender for Cloud news and announcements, and get your questions answered by experts.

Reviewer

Yuri Diogenes, Principal PM Manager (@Yuri Diogenes)

Last update: Oct 28 2021 02:00 PM