Enable Logging and Monitoring

(Back)

Objective

Continuously monitor system events and performance and include a security audit log function in all information systems to enable the detection of incidents. It is essential that an adequate level of logging and reporting including a security audit log function in all information systems hosted in the cloud environment and for cloud-based workloads.

Key Considerations

Logging

• Ensure mailbox auditing for all users is Enabled
• Ensure Microsoft 365 audit log search is Enabled
• Leverage Office 365 Management Activity API to retrieve information about user, admin, system, and policy actions and events from Office 365 and Azure AD activity logs
• Identify the events within the solution that must be audited in accordance with GC Event Logging
• Configure the service to send audit log records to a centralized logging facility, if one is available

Monitoring

• Continuously monitor system events and performance. Ensure reports are reviewed at least weekly including:
  • Access reports for all administrative accounts
  • Azure AD ‘Risky sign-ins’ report
  • User role group changes
  • Account Provisioning Activity report
  • non-global administrator role group assignments
  • Self-service password reset activity report
  • DLP policy matches report
  • DLP incidents report
  • DLP false positives and overrides report
• Configure alerts and notifications to be sent to the appropriate contact/team in the organization.
• Configure or use an authoritative time source for the time-stamp of the audit records generated by your solution components.
• Develop a plan to respond to and understand the impact of security incidents, in accordance with the GC Cyber Security Event Management Plan
• Establish an MOU for defensive services and threat monitoring protection services with CCCS

Additional Considerations

• The use of a central logging solution should be considered whenever and wherever possible. Capabilities that automate event and behaviour analysis, and offer real-time alerting can help to identify possible security threats and incidents.

Validation

• Confirm policy for event logging is implemented.
• Confirm event logs are being generated.
• Confirm that security contact information has been configured to receive alerts and notifications.
• Confirm that there is a plan in place to respond to incidents.

References

1. Directive on Security Management - Appendix B: Mandatory Procedures for Information Technology Security Control, subsection B.2.3.8
2. SPIN 2017-01, subsection 6.3, 6.3.1
3. CSE Top 10 #1, 5, 8
4. Refer to GC Event Logging Guidance
5. Related security controls: AU‑2, AU‑3, AU‑6, AU‑8, AU‑9, AU‑9(4), AU‑12, SI-2, SI-4