Enable Logging and Monitoring
Continuously monitor system events and performance and include a security audit log function in all information systems to enable the detection of incidents. It is essential that an adequate level of logging and reporting including a security audit log function in all information systems hosted in the cloud environment and for cloud-based workloads.
- Ensure mailbox auditing for all users is Enabled
- Ensure Microsoft 365 audit log search is Enabled
- Leverage Office 365 Management Activity API to retrieve information about user, admin, system, and policy actions and events from Office 365 and Azure AD activity logs
- Identify the events within the solution that must be audited in accordance with GC Event Logging
- Configure the service to send audit log records to a centralized logging facility, if one is available
- Continuously monitor system events and performance. Ensure reports are reviewed at least weekly including:
- Access reports for all administrative accounts
- Azure AD ‘Risky sign-ins’ report
- User role group changes
- Account Provisioning Activity report
- non-global administrator role group assignments
- Self-service password reset activity report
- DLP policy matches report
- DLP incidents report
- DLP false positives and overrides report
- Configure alerts and notifications to be sent to the appropriate contact/team in the organization.
- Configure or use an authoritative time source for the time-stamp of the audit records generated by your solution components.
- Develop a plan to respond to and understand the impact of security incidents, in accordance with the GC Cyber Security Event Management Plan
- Establish an MOU for defensive services and threat monitoring protection services with CCCS
- The use of a central logging solution should be considered whenever and wherever possible. Capabilities that automate event and behaviour analysis, and offer real-time alerting can help to identify possible security threats and incidents.
- Confirm policy for event logging is implemented.
- Confirm event logs are being generated.
- Confirm that security contact information has been configured to receive alerts and notifications.
- Confirm that there is a plan in place to respond to incidents.
- Directive on Security Management - Appendix B: Mandatory Procedures for Information Technology Security Control, subsection B.2.3.8
- SPIN 2017-01, subsection 6.3, 6.3.1
- CSE Top 10 #1, 5, 8
- Refer to GC Event Logging Guidance
- Related security controls: AU‑2, AU‑3, AU‑6, AU‑8, AU‑9, AU‑9(4), AU‑12, SI-2, SI-4