Benchmark: AU-12(1) System-Wide / Time-Correlated Audit Trail
Description
Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select AU-12(1) System-Wide / Time-Correlated Audit Trail.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.fedramp_high_au_12_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.fedramp_high_au_12_1 --share
Controls
- App Service apps should have resource logs enabled
- Log Analytics extension should be installed on your Linux Azure Arc machines
- Log Analytics extension should be installed on your Windows Azure Arc machines
- Resource logs in Batch accounts should be enabled
- Guest Configuration extension should be installed on your machines
- Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
- Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
- Network traffic data collection agent should be installed on Linux virtual machines
- Network traffic data collection agent should be installed on Windows virtual machines
- Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
- Resource logs in Data Lake Analytics should be enabled
- Resource logs in Azure Data Lake Store should be enabled
- Resource logs in Event Hub should be enabled
- Resource logs in IoT Hub should be enabled
- Resource logs in Key Vault should be enabled
- Resource logs in Logic Apps should be enabled
- Network Watcher should be enabled
- Resource logs in Search services should be enabled
- Auto provisioning of the Log Analytics agent should be enabled on your subscription
- Azure Defender for App Service should be enabled
- Microsoft Defender for Containers should be enabled
- Azure Defender for Key Vault should be enabled
- Azure Defender for Resource Manager should be enabled
- Azure Defender for servers should be enabled
- Azure Defender for Azure SQL Database servers should be enabled
- Microsoft Defender for Storage (Classic) should be enabled
- Resource logs in Service Bus should be enabled
- Auditing on SQL server should be enabled
- Azure Defender for SQL should be enabled for unprotected Azure SQL servers
- Resource logs in Azure Stream Analytics should be enabled
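Each control above is backed by a Steampipe SQL query that reports ok/alarm per resource. The following is an added example, not a query taken from the mod, showing the shape of such a check for "Resource logs in Key Vault should be enabled". It assumes that the azure_key_vault table exposes a diagnostic_settings jsonb column holding the Azure diagnostic-settings payload (properties.logs[] entries with category and enabled fields) and the common resource_group and subscription_id columns; verify these against the plugin version you have installed.

```sql
-- Added example (not part of the steampipe-mod-azure-compliance mod).
-- Reports each Key Vault as 'ok' when at least one diagnostic setting has an
-- enabled log category, otherwise 'alarm'. Assumes azure_key_vault exposes a
-- diagnostic_settings jsonb column shaped like the Azure diagnostic-settings
-- API payload (properties.logs[] with "category" and "enabled").
with logging_enabled as (
  select distinct
    v.id
  from
    azure_key_vault as v,
    jsonb_array_elements(v.diagnostic_settings) as setting,
    jsonb_array_elements(setting -> 'properties' -> 'logs') as log
  where
    v.diagnostic_settings is not null
    and (log ->> 'enabled')::boolean
)
select
  v.id as resource,
  case
    when l.id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when l.id is not null then v.name || ' has at least one enabled resource log category.'
    else v.name || ' has no enabled resource log category.'
  end as reason,
  v.resource_group,
  v.subscription_id
from
  azure_key_vault as v
  left join logging_enabled as l on l.id = v.id
order by
  status, v.name;
```

Run it in the steampipe query shell after steampipe service start. Note that this and the listed controls only verify that resource logs are being emitted and collected; the tolerance between record time stamps that AU-12(1) leaves as an organization-defined assignment is not something these queries measure, so it still has to be documented separately for the assessor.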