# Enable Logging and Monitoring

## Objective

Continuously monitor system events and performance, and include a security audit log function in all information systems so that incidents can be detected. It is essential that an adequate level of logging and reporting, including a security audit log function, is implemented in all information systems hosted in the cloud environment and for cloud-based workloads.

## Key Considerations

### Logging

- Ensure mailbox auditing is enabled for all users
- Ensure Microsoft 365 audit log search is enabled
- Use the Office 365 Management Activity API to retrieve information about user, admin, system and policy actions and events from the Office 365 and Azure AD activity logs
- Identify the events within the solution that must be audited, in accordance with the GC Event Logging guidance
- Configure the service to send audit log records to a centralized logging facility, if one is available

### Monitoring

- Continuously monitor system events and performance. Ensure reports are reviewed at least weekly, including:
  - Access reports for all administrative accounts
  - Azure AD 'Risky sign-ins' report
  - User role group changes
  - Account Provisioning Activity report
  - Non-global administrator role group assignments
  - Self-service password reset activity report
  - DLP policy matches report
  - DLP incidents report
  - DLP false positives and overrides report
- Configure alerts and notifications to be sent to the appropriate contact or team in the organization.
- Configure or use an authoritative time source for the time-stamps of the audit records generated by your solution components.
- Develop a plan to respond to security incidents and to understand their impact, in accordance with the GC Cyber Security Event Management Plan.
- Establish an MOU with CCCS for defensive services and threat monitoring protection services.

## Additional Considerations

- The use of a central logging solution should be considered whenever and wherever possible. Capabilities that automate event and behaviour analysis and offer real-time alerting can help to identify possible security threats and incidents.

## Validation

- Confirm that the policy for event logging is implemented.
- Confirm that event logs are being generated.
- Confirm that security contact information has been configured to receive alerts and notifications.
- Confirm that there is a plan in place to respond to incidents.
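The following script, added here as an example and not part of the guardrail or of any Microsoft tooling, checks the Logging items above (mailbox auditing, audit log search) and the first two Validation items against a Microsoft 365 tenant, and pulls the weekly "user role group changes" review item from the unified audit log. It assumes the ExchangeOnlineManagement module is installed and the signed-in account can read audit configuration and search the audit log; the operation names and result properties are those of the Exchange Online cmdlets.

```powershell
# Added example (not from the guardrail page): validate M365 logging settings.
# Assumes the ExchangeOnlineManagement module and an account with a role that
# can read audit configuration and search the unified audit log.
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# Microsoft 365 audit log search must be enabled (unified audit log ingestion).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings.Add('Unified audit log ingestion is disabled')
}

# Mailbox auditing: not disabled tenant-wide, and enabled on every user mailbox.
if ((Get-OrganizationConfig).AuditDisabled) {
    $findings.Add('Mailbox auditing is disabled for the tenant (AuditDisabled = True)')
}
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object { $findings.Add("Mailbox auditing off: $($_.UserPrincipalName)") }

# Event logs are being generated: expect at least one record in the last 24 h.
$now = Get-Date
$recent = Search-UnifiedAuditLog -StartDate $now.AddHours(-24) -EndDate $now -ResultSize 1
if (-not $recent) {
    $findings.Add('No unified audit log records returned for the last 24 hours')
}

# Weekly review item: Azure AD role membership changes over the past 7 days.
# Operation names are the Azure AD audit activity names as stored in the log.
$roleChanges = Search-UnifiedAuditLog -StartDate $now.AddDays(-7) -EndDate $now `
    -RecordType AzureActiveDirectory `
    -Operations 'Add member to role.', 'Remove member from role.' -ResultSize 1000

Disconnect-ExchangeOnline -Confirm:$false

if ($findings.Count -eq 0) { 'Logging configuration checks passed.' }
else { $findings | ForEach-Object { "FINDING: $_" } }

# Summarise who changed which role, reading the JSON AuditData payload.
$roleChanges | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $_.CreationDate
        Operation = $_.Operations
        Actor     = $d.UserId
        Target    = $d.ObjectId
    }
} | Format-Table -AutoSize
```

The tenant-level AuditDisabled setting takes precedence over the per-mailbox AuditEnabled flag, so treat it as the authoritative mailbox-auditing check and the per-mailbox list as a secondary one.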

## References

1. Directive on Security Management - Appendix B: Mandatory Procedures for Information Technology Security Control, subsection B.2.3.8
2. SPIN 2017-01, subsections 6.3 and 6.3.1
3. CSE Top 10, items 1, 5 and 8
4. Refer to the GC Event Logging Guidance
5. Related security controls: AU-2, AU-3, AU-6, AU-8, AU-9, AU-9(4), AU-12, SI-2, SI-4