ASD's Blueprint for Secure Cloud

Reporting and Monitoring

This section describes the design decisions associated with reporting and monitoring of identities, sign ins and provisioning for system(s) built using ASD's Blueprint for Secure Cloud.

Reporting provides information on both:

  1. Activity:

    • Sign ins - The sign ins report provides information about the usage of managed applications and user sign in activities.
    • Audit logs - Provides traceability through logs for all changes made by the various features within Entra ID. Examples of audit logs include changes made to any resources within Entra ID, such as adding or removing users, apps, groups, roles and policies.
  2. Security:

    • Risky sign ins - A risky sign in is an indicator for a sign in attempt that might have been performed by someone who is not the legitimate owner of a user account.
    • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

Users in the Security Administrator, Security Reader, Report Reader, Global Reader or Global Administrator roles are able to access these reports.

Monitoring routes activity logs to different endpoints:

  • An Azure storage account.
  • An Azure event hub, so the system can be integrated with Splunk and Sumologic instances.
  • Azure Log Analytics workspace, wherein the data can be analysed, dashboards created, and alerts configured for specific events. The workspace retains the logs for long-term use and integrates them with the Security Information and Event Management (SIEM) tool, Azure Sentinel, to gain insights into the environment.

Workbooks provide several pre-built reports related to common scenarios involving audit, sign in, and provisioning events. Alerts can also be configured on any of the data provided in the reports, using the steps described in the previous section.
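As an added example, not part of the Blueprint or of any Microsoft tooling, the following applies the alert logic described above (risky sign ins and users flagged for risk) to constructed sign-in records that use the field names of the Microsoft Graph signIn resource. The medium/high alert threshold and the treatment of remediated or dismissed risk as resolved are assumptions for the example.

```python
import json
from collections import defaultdict

# Constructed sample export (newline-delimited JSON), not real log data. Field names
# follow the Microsoft Graph signIn resource; values are invented for the example.
SAMPLE_NDJSON = """
{"userPrincipalName": "alice@example.gov.au", "ipAddress": "203.0.113.10", "riskLevelDuringSignIn": "none", "riskState": "none", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.gov.au", "ipAddress": "198.51.100.7", "riskLevelDuringSignIn": "medium", "riskState": "atRisk", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.gov.au", "ipAddress": "198.51.100.7", "riskLevelDuringSignIn": "high", "riskState": "atRisk", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.gov.au", "ipAddress": "192.0.2.44", "riskLevelDuringSignIn": "high", "riskState": "remediated", "status": {"errorCode": 50126}}
{"userPrincipalName": "dave@example.gov.au", "ipAddress": "192.0.2.9", "riskLevelDuringSignIn": "low", "riskState": "dismissed", "status": {"errorCode": 0}}
""".strip()

ALERT_LEVELS = {"medium", "high"}          # assumed alert threshold; tune per environment
UNRESOLVED_RISK = {"atRisk", "confirmedCompromised"}  # assumed: remediated/dismissed = resolved

def load_signins(ndjson_text):
    """Parse one JSON sign-in record per line, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]

def risky_signins(records, levels=ALERT_LEVELS):
    """Sign ins whose risk level during sign in meets the alert threshold."""
    return [r for r in records if r.get("riskLevelDuringSignIn") in levels]

def successful_risky_signins(records, levels=ALERT_LEVELS):
    """Risky sign ins that were granted (errorCode 0): the indicator fired and a
    session was still issued, so these are the ones needing immediate triage."""
    return [r for r in risky_signins(records, levels)
            if r.get("status", {}).get("errorCode") == 0]

def users_flagged_for_risk(records):
    """UPNs with at least one sign in whose risk state is still unresolved."""
    flagged = {r["userPrincipalName"] for r in records
               if r.get("riskState") in UNRESOLVED_RISK}
    return sorted(flagged)

def alert_summary(records):
    """Per-user count of successful risky sign ins, suitable as an alert-rule input."""
    counts = defaultdict(int)
    for r in successful_risky_signins(records):
        counts[r["userPrincipalName"]] += 1
    return dict(counts)

if __name__ == "__main__":
    signins = load_signins(SAMPLE_NDJSON)
    for upn, n in alert_summary(signins).items():
        print(f"ALERT {upn}: {n} successful risky sign in(s)")
    print("users flagged for risk:", users_flagged_for_risk(signins))
```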



Authorised by the Australian Government, Canberra