ASD's Blueprint for Secure Cloud

Platform Monitoring and Auditing

This section articulates how security monitoring, compliance, threat detection and response from Hosted Services, Web Services, Platform Data and Identity and Endpoints come together in a centralised cloud security solution for platform security operations and audit for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 2 minutes

Log Analytics is a component of the Azure Monitor solution and also forms the storage location for the data analysed by Microsoft Sentinel. It is utilised for log ingestion and querying. Logs can be ingested into Log Analytics in several ways including via:

  • Diagnostic Settings
  • Sentinel Connectors
  • HTTP Post

Log data stored in Log Analytics data can be consumed in various ways:

  • Azure Portal - Enables creation of log queries and analysis of the results.
  • Azure Monitor Alert rules - Automatic searches of logs run at regular intervals. Results are automatically inspected to determine if an alert in Azure Monitor should be generated.
  • Azure Dashboards - Dashboards can be used per Azure user to visualise data gathered from Log Analytics. These dashboards can be shared amongst Azure administrators.
  • Export - Data from Azure Monitor can be imported into Excel or Power BI for further visualisation.
  • PowerShell - Enables programmatic retrieval of data for various use-cases.
  • Azure Monitor Logs API - The native API, uses REST to retrieve log data from the workspace.
  • Microsoft Sentinel - Provides a security information and event management (SIEM) capability which includes the ability to create dashboards, alerts, and log analysis.

Log Analytics is billed per gigabyte (GB) of data ingested and retained into the service. When ingesting into a SIEM, data retention periods can be shortened.

Log Analytics configuration for all organisations and implementation types.

ConfigurationValueDescription
Workspace Nameorganisation-log-workspaceLog workspace name to be confirmed by the organisation.
Azure SubscriptionOrganisation subscriptionConfigured by Office 365.
RegionAustralia CentralClosest location of Log Analytics to the organisation.
Log retentionRetention Period: 1 year
Data Volume Cap: Off
One year aligns with other data retention periods in this solution and meets the system requirements.
Enabled Diagnostic SettingsMicrosoft Intune, Microsoft Entra IDEnsures logs are ingested by log analytics.
Log Analytics Contributor Grouprol-organisation-log-adminLog Analytics Contributor group name to be confirmed by the organisation.

Security & Governance

  • None identified

Design

  • None identified

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra