ASD's Blueprint for Secure Cloud

System Monitoring

This page provides a template and guidance to assist organisations in documenting their approach to system monitoring, including event logging and monitoring, associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Estimated reading time: 3 minutes

Event logging and monitoring

Applicability

ISM controls relating to the system monitoring of <SYSTEM-NAME>’s are applicable to and covered by this section of the SSP.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

The collection of event logs for monitoring of <SYSTEM-NAME> is performed in accordance with <ORGANISATION-NAME>’s Event Logging Policy.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

Technical controls for system monitoring of <SYSTEM-NAME> are configured with reference to ASD’s Blueprint for Secure Cloud including the following technical configuration:

  • Defender for Endpoint and Defender for Microsoft 365 centralise logs relating to the security of devices and Microsoft services
  • Windows devices and Microsoft 365 services leverage Microsoft’s Window Time service
  • Microsoft Entra ID logs authentication events to Log Analytics
  • the following events are logged to the local event log on each Windows endpoint:
  • access to important data and processes
  • application crashes and any error messages
  • attempts to use special privileges
  • changes to accounts
  • changes to security policy
  • changes to system configurations
  • DNS and Hypertext Transfer Protocol (HTTP) requests
  • failed attempts to access data and system resources
  • service failures and restarts
  • system startup and shutdown
  • transfer of data to external media
  • user or group management
  • use of special privileges
  • logs include the date and time of the event, the relevant user or process, the event description, and the ICT equipment involved are recorded
  • logs stored in Log Analytics are protected from unauthorised access, modification and deletion by the Microsoft Entra ID RBAC model.
  • Standard Windows users do not have access to modify the local event logs.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Security & Governance

Design

External documentation

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra