Reporting and Monitoring
This section describes the design decisions associated with reporting and monitoring of identities, sign ins and provisioning for system(s) built using ASD's Blueprint for Secure Cloud.
Estimated reading time: 2 minutes
Reporting provides information on both:
- Sign ins – The sign ins report provides information about the usage of managed applications and user sign in activities.
- Audit logs - Provides traceability through logs for all changes done by various features within Entra ID. Examples of audit logs include changes made to any resources within Entra ID like adding or removing users, apps, groups, roles and policies.
- Risky sign ins - A risky sign in is an indicator for a sign in attempt that might have been performed by someone who is not the legitimate owner of a user account.
- Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
Users in the Security Administrator, Security Reader, Report Reader, Global Reader or Global Administrator roles are able to access these reports.
Monitoring routes activity logs to different endpoints:
- An Azure storage account.
- An Azure event hub, so the system can be integrated with Splunk and Sumologic instances.
- Azure Log Analytics workspace, wherein the data can be analysed, dashboards created, and alerts configured for specific events. This is used to retain them for long-term use and integrate it with the Security Information and Event Management (SIEM) tool - Azure Sentinel - to gain insights into the environment.
Workbooks provide several pre-built reports related to common scenarios involving audit, sign in, and provisioning events. Alerts can also be configured on any of the data provided in the reports, using the steps described in the previous section.
|Azure Monitor Logs (Log Analytics Workspace) - law-sentinel
|Archive and audit solution downstream from log analytics workspace
Security & Governance
- None identified