marktaya.blogg.se

User activity audit in real time

In this article

How do Microsoft online services employ audit logging?

Microsoft online services employ audit logging to detect unauthorized activities and provide accountability for Microsoft personnel. Audit logs capture details about system configuration changes and access events, with details to identify who was responsible for the activity, when and where the activity took place, and what the outcome of the activity was. Automated log analysis supports near real-time detection of suspicious behavior. Potential incidents are escalated to the appropriate Microsoft security response team for further investigation.

Microsoft online services internal audit logging captures log data from various sources, such as:

How do Microsoft online services centralize and report on audit logs?

Many different types of log data are uploaded from Microsoft servers to a proprietary security monitoring solution for near real-time (NRT) analysis and an internal big data computing service (Cosmos) or Azure Data Explorer (Kusto) for long-term storage. This data transfer occurs over a FIPS 140-2-validated TLS connection on approved ports and protocols using automated log management tools.

Logs are processed in NRT using rule-based, statistical, and machine learning methods to detect system performance indicators and potential security events. Machine learning models use incoming log data and historical log data stored in Cosmos or Kusto to continuously improve detection capabilities. Security-related detections generate alerts, notifying on-call engineers of a potential incident and triggering automated remediation actions when applicable. In addition to automated security monitoring, service teams use analysis tools and dashboards for data correlation, interactive queries, and data analytics. These reports are used to monitor and improve the overall performance of the service.

How do Microsoft online services protect audit logs?

The tools used in Microsoft online services to collect and process audit records don't allow permanent or irreversible changes to the original audit record content or time ordering. Access to Microsoft online service data stored in Cosmos or Kusto is restricted to authorized personnel. In addition, Microsoft restricts the management of audit logs to a limited subset of security team members responsible for audit functionality. Security team personnel don't have standing administrative access to Cosmos or Kusto. Administrative access requires Just-In-Time (JIT) access approval, and all changes to logging mechanisms for Cosmos are recorded and audited. Audit logs are retained long enough to support incident investigations and meet regulatory requirements. The exact period of audit log data retention is determined by the service teams; most audit log data is retained for 90 days in Cosmos and 180 days in Kusto.

How do Microsoft online services protect user personal data that may be captured in audit logs?

Prior to uploading log data, an automated log management application uses a scrubbing service to remove any fields that contain customer data, such as tenant information and user personal data, and replace those fields with a hash value. The anonymized and hashed logs are rewritten and then uploaded into Cosmos. All log transfers occur over a TLS encrypted connection (FIPS 140-2).

What is Microsoft's strategy for monitoring security?

Microsoft engages in continuous security monitoring of its systems to detect and respond to threats to Microsoft online services. Our key principles for security monitoring and alerting are:

  • Robustness: signals and logic to detect various attack behaviors.
  • Accuracy: meaningful alerts to avoid distractions from noise.
  • Speed: ability to catch attackers quickly enough to stop them.

Automation, scale, and cloud-based solutions are key pillars of our monitoring and response strategy.
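The pre-upload scrubbing step described above (customer-data fields replaced by a hash before the log leaves the server), as an added example that is not Microsoft's code or the page's own. It assumes newline-delimited JSON records, a constructed list of customer-data field names (tenant_id, user_principal_name, client_ip), and a keyed HMAC in place of a bare hash so that guessable values such as e-mail addresses cannot be recovered by hashing candidates and comparing.

```python
import hmac
import hashlib
import json

# Constructed field list: which keys carry customer data (tenant / user personal data).
# The names are assumptions for this example, not Microsoft's log schema.
CUSTOMER_DATA_FIELDS = {"tenant_id", "user_principal_name", "client_ip"}

# A keyed hash (HMAC) rather than a bare hash: low-entropy values such as e-mail
# addresses could otherwise be recovered by hashing guesses and comparing digests.
# Placeholder key for the example; a real deployment loads it from a secret store.
SCRUB_KEY = b"placeholder-scrubbing-key"


def pseudonymize(value, key=SCRUB_KEY):
    """Stable, non-reversible token for one customer-data value (same input, same token)."""
    return hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()


def scrub_record(record, fields=CUSTOMER_DATA_FIELDS, key=SCRUB_KEY):
    """Return a copy of one log record with customer-data fields replaced by their HMAC.

    Nested objects are scrubbed recursively; every other field (timestamp, event,
    outcome, role, ...) is kept, so the record still answers who/when/what.
    """
    scrubbed = {}
    for name, value in record.items():
        if name in fields:
            scrubbed[name] = pseudonymize(value, key)
        elif isinstance(value, dict):
            scrubbed[name] = scrub_record(value, fields, key)
        else:
            scrubbed[name] = value
    return scrubbed


def scrub_log_lines(lines, fields=CUSTOMER_DATA_FIELDS, key=SCRUB_KEY):
    """Scrub newline-delimited JSON records before upload; returns the rewritten lines."""
    return [json.dumps(scrub_record(json.loads(line), fields, key), sort_keys=True)
            for line in lines if line.strip()]


# Constructed sample records, not real log data.
SAMPLE_LOG = [
    '{"ts": "2024-05-01T10:00:00Z", "event": "ConfigChange", "outcome": "Success", '
    '"tenant_id": "contoso", "actor": {"user_principal_name": "alice@contoso.com", "role": "Admin"}}',
    '{"ts": "2024-05-01T10:00:05Z", "event": "Logon", "outcome": "Failure", '
    '"tenant_id": "contoso", "actor": {"user_principal_name": "bob@contoso.com", "role": "User"}}',
]
```

Because the token is deterministic under one key, scrubbed records from the same tenant or user still correlate in Cosmos or Kusto without the raw identifier ever being uploaded.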