Logging and Monitoring Baseline

Logging and monitoring capabilities and controls will always be on your security departments mind. If you get these controls rights, it can help identify, detect and mitigate security threats. That being said, you will always find yourself re reviewing these as each security incident occurs.

It’s always the case that you identify gaps after a security incident has already occurred. it happens….

Therefore it’s always good to have an inventory or keep track of what is being logs and the processes around it. You will also want to make everyone aware as it should be a shared responsibility that these are enabled.

There is a really helpful article that’s worth reading should you want to know more: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-logs-overview

Log Profiles

You will first need to setup a log profile which is defined per subscription. This is somewhat the starting point which is required. Once setup, you can build on top of this.

To configure, go to: Monitor > Activity Log > Logs and follow the setup instructions:

Activity Log Alerts

These rule are when the alerts are triggered. You will set multiple rules which match your criteria:

Here you can create multiple alerts around each resource. You may for instance, create rules around your SQL Servers or Network Security Groups. You could look to alert when administrators or disabling or modifying critical/sensitive resources. The skies the limits but you don’t want to generate to much traffic. There is always a fine line before alerts start to get ignored.