Azure Monitor Logs information security

This document is intended to provide information specific to Azure Monitor Logs to supplement the information on Azure Trust Center.

This article explains how log data is collected, processed, and secured by Azure Monitor. You can use agents to connect to the web service, use System Center Operations Manager to collect operational data, or retrieve data from Azure diagnostics for use by Azure Monitor.

Azure Monitor Logs manages your cloud-based data securely by using the following methods:

  • Data segregation
  • Data retention
  • Physical security
  • Incident management
  • Compliance
  • Security standards certifications

You can also use additional security features built into Azure Monitor. These features require more administrator management.

  • Customer-managed (security) keys
  • Azure Private Storage
  • Private Link networking
  • Azure support access limits set by Azure Lockbox

Contact us with any questions, suggestions, or issues about any of the following information, including our security policies, at Azure support options.

Sending data securely using TLS 1.2

To ensure the security of data in transit to Azure Monitor, we strongly encourage you to configure the agent to use at least Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable, and while they still currently work to allow backwards compatibility, they are not recommended, and the industry is quickly moving to abandon support for these older protocols.

The PCI Security Standards Council has set a deadline of June 30th, 2018 to disable older versions of TLS/SSL and upgrade to more secure protocols. Once Azure drops legacy support, if your agents cannot communicate over at least TLS 1.2 you would not be able to send data to Azure Monitor Logs.

We recommend you do NOT explicitly set your agent to only use TLS 1.2 unless absolutely necessary. Allowing the agent to automatically detect, negotiate, and take advantage of future security standards is preferable. Otherwise you may miss the added security of the newer standards and possibly experience problems if TLS 1.2 is ever deprecated in favor of those newer standards.

Platform-specific guidance

| Platform/Language | Support | More Information |
|---|---|---|
| Linux | Linux distributions tend to rely on OpenSSL for TLS 1.2 support. | Check the OpenSSL Changelog to confirm your version of OpenSSL is supported. |
| Windows 8.0 - 10 | Supported, and enabled by default. | Confirm that you are still using the default settings. |
| Windows Server 2012 - 2016 | Supported, and enabled by default. | Confirm that you are still using the default settings. |
| Windows 7 SP1 and Windows Server 2008 R2 SP1 | Supported, but not enabled by default. | See the Transport Layer Security (TLS) registry settings page for details on how to enable. |
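The guidance above draws a distinction that is easy to get wrong in client code: a TLS 1.2 floor (reject SSLv3/TLS 1.0/1.1, still negotiate anything newer) versus a TLS 1.2 pin (refuse TLS 1.3 as well). The following Python is an added example written for this page, not code from the Azure Monitor agent or from Microsoft. It builds the floored configuration with the standard library ssl module, shows how to detect the pinned configuration the page warns against, and includes the OpenSSL version comparison the Linux row asks for; the release number at which OpenSSL added TLS 1.2 (1.0.1) is stated here as an assumption to verify against the OpenSSL Changelog, and the host passed on the command line is a placeholder, not an Azure Monitor endpoint.

```python
"""TLS floor versus TLS pin: an added example, not the Azure Monitor agent's code."""
import socket
import ssl
import sys

# Assumption (check the OpenSSL Changelog): TLS 1.2 support first shipped in OpenSSL 1.0.1.
OPENSSL_MIN_FOR_TLS12 = (1, 0, 1)


def openssl_supports_tls12(version_info=ssl.OPENSSL_VERSION_INFO):
    """True when the linked OpenSSL (major, minor, fix, ...) is at least 1.0.1."""
    return tuple(version_info[:3]) >= OPENSSL_MIN_FOR_TLS12


def make_client_context():
    """The recommended shape: TLS 1.2 as a floor, maximum left open so newer versions win."""
    ctx = ssl.create_default_context()                # verifies peer certificates, loads CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse SSLv3, TLS 1.0 and TLS 1.1
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED  # do not pin; allow TLS 1.3+
    return ctx


def make_pinned_context():
    """The shape the page advises against: TLS 1.2 only, so TLS 1.3 can never be negotiated."""
    ctx = make_client_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def version_bounds(ctx):
    """Names of the configured floor and ceiling, e.g. ('TLSv1_2', 'MAXIMUM_SUPPORTED')."""
    return (ctx.minimum_version.name, ctx.maximum_version.name)


def is_pinned_to_tls12(ctx):
    """Detect a context whose floor and ceiling are both TLS 1.2."""
    return (ctx.minimum_version == ssl.TLSVersion.TLSv1_2
            and ctx.maximum_version == ssl.TLSVersion.TLSv1_2)


def negotiated_tls_version(host, port=443, timeout=5.0):
    """Connect with the floored context and report the version actually negotiated
    (for example 'TLSv1.3'). Raises ssl.SSLError if the server only offers older versions."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    # Usage: python tls_floor.py <host>   (host is a placeholder you supply)
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    print("OpenSSL:", ssl.OPENSSL_VERSION, "supports TLS 1.2:", openssl_supports_tls12())
    print("floor/ceiling:", version_bounds(make_client_context()))
    print("pinned context detected:", is_pinned_to_tls12(make_pinned_context()))
    print("negotiated with", target + ":", negotiated_tls_version(target))
```

`negotiated_tls_version` is the runtime check: if it raises an SSL error against a service that only offers TLS 1.0/1.1, the floor is doing its job; if it reports TLSv1.3 against a modern service, the context is not pinned. On Windows the same floor is normally expressed through the SCHANNEL registry settings the platform table points to, and this script only exercises the Python/OpenSSL side.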

Data segregation

After your data is ingested by Azure Monitor, the data is kept logically separate on each component throughout the service. All data is tagged per workspace. This tagging persists throughout the data lifecycle, and it is enforced at each layer of the service. Your data is stored in a dedicated database in the storage cluster in the region you have selected.

Data retention

Indexed log search data is stored and retained according to your pricing plan. For more information, see Log Analytics Pricing.

As part of your subscription agreement, Microsoft will retain your data per the terms of the agreement. When customer data is removed, no physical drives are destroyed.

The following table lists some of the available solutions and provides examples of the type of data they collect.

| Solution | Data types |
|---|---|
| Capacity and Performance | Performance data and metadata |
| Update Management | Metadata and state data |
| Log Management | User-defined event logs, Windows Event Logs and/or IIS Logs |
| Change Tracking | Software inventory, Windows service and Linux daemon metadata, and Windows/Linux file metadata |
| SQL and Active Directory Assessment | WMI data, registry data, performance data, and SQL Server dynamic management view results |

The following table shows examples of data types:

| Data type | Fields |
|---|---|
| Alert | Alert Name, Alert Description, BaseManagedEntityId, Problem ID, IsMonitorAlert, RuleId, ResolutionState, Priority, Severity, Category, Owner, ResolvedBy, TimeRaised, TimeAdded, LastModified, LastModifiedBy, LastModifiedExceptRepeatCount, TimeResolved, TimeResolutionStateLastModified, TimeResolutionStateLastModifiedInDB, RepeatCount |
| Configuration | CustomerID, AgentID, EntityID, ManagedTypeID, ManagedTypePropertyID, CurrentValue, ChangeDate |
| Event | EventId, EventOriginalID, BaseManagedEntityInternalId, RuleId, PublisherId, PublisherName, FullNumber, Number, Category, ChannelLevel, LoggingComputer, EventData, EventParameters, TimeGenerated, TimeAdded. Note: When you write events with custom fields in to the Windows event log, Log Analytics collects them. |
| Metadata | BaseManagedEntityId, ObjectStatus, OrganizationalUnit, ActiveDirectoryObjectSid, PhysicalProcessors, NetworkName, IPAddress, ForestDNSName, NetbiosComputerName, VirtualMachineName, LastInventoryDate, HostServerNameIsVirtualMachine, IP Address, NetbiosDomainName, LogicalProcessors, DNSName, DisplayName, DomainDnsName, ActiveDirectorySite, PrincipalName, OffsetInMinuteFromGreenwichTime |
| Performance | ObjectName, CounterName, PerfmonInstanceName, PerformanceDataId, PerformanceSourceInternalID, SampleValue, TimeSampled, TimeAdded |
| State | StateChangeEventId, StateId, NewHealthState, OldHealthState, Context, TimeGenerated, TimeAdded, StateId2, BaseManagedEntityId, MonitorId, HealthState, LastModified, LastGreenAlertGenerated, DatabaseTimeModified |

Physical security

Azure Monitor is managed by Microsoft personnel and all activities are logged and can be audited. Azure Monitor is operated as an Azure Service and meets all Azure Compliance and Security requirements. You can view details about the physical security of Azure assets on page 18 of the Microsoft Azure Security Overview. Physical access rights to secure areas are changed within one business day for anyone who no longer has responsibility for the Azure Monitor service, including transfer and termination. You can read about the global physical infrastructure we use at Microsoft Datacenters.

Incident management

Azure Monitor has an incident management process that all Microsoft services adhere to. To summarize, we:

  • Use a shared responsibility model where a portion of security responsibility belongs to Microsoft and a portion belongs to the customer
  • Manage Azure security incidents:
    • Start an investigation upon detection of an incident
    • Assess the impact and severity of an incident by an on-call incident response team member. Based on evidence, the assessment may or may not result in further escalation to the security response team.
    • Diagnose an incident by security response experts to conduct the technical or forensic investigation, identify containment, mitigation, and workaround strategies. If the security team believes that customer data may have become exposed to an unlawful or unauthorized individual, the Customer Incident Notification process begins in parallel.
    • Stabilize and recover from the incident. The incident response team creates a recovery plan to mitigate the issue. Crisis containment steps such as quarantining impacted systems may occur immediately and in parallel with diagnosis. Longer term mitigations may be planned which occur after the immediate risk has passed.
    • Close the incident and conduct a post-mortem. The incident response team creates a post-mortem that outlines the details of the incident, with the intention to revise policies, procedures, and processes to prevent a recurrence of the event.
  • Notify customers of security incidents:
    • Determine the scope of impacted customers and provide anybody who is impacted as detailed a notice as possible
    • Create a notice to provide customers with detailed enough information so that they can perform an investigation on their end and meet any commitments they have made to their end users while not unduly delaying the notification process.
    • Confirm and declare the incident, as necessary.
    • Notify customers with an incident notification without unreasonable delay and in accordance with any legal or contractual commitment. Notifications of security incidents are delivered to one or more of a customer's administrators by any means Microsoft selects, including via email.
  • Conduct team readiness and training:
    • Microsoft personnel are required to complete security and awareness training, which helps them to identify and report suspected security problems.
    • Operators working on the Microsoft Azure service have additional training obligations surrounding their access to sensitive systems hosting customer data.
    • Microsoft security response personnel receive specialized training for their roles

While very rare, Microsoft will notify each customer within 1 day if significant loss of any customer data occurs.

For more information about how Microsoft responds to security incidents, see Microsoft Azure Security Response in the Cloud.

Compliance

The Azure Monitor software development and service team's information security and governance program supports its business requirements and adheres to laws and regulations as described at Microsoft Azure Trust Center and Microsoft Trust Center Compliance. How Azure Monitor Logs establishes security requirements, identifies security controls, manages, and monitors risks is also described there. Annually, we review policies, standards, procedures, and guidelines.

Each development team member receives formal application security training. Internally, we use a version control system for software development. Each software project is protected by the version control system.

Microsoft has a security and compliance team that oversees and assesses all services in Microsoft. Information security officers make up the team and they are not associated with the engineering teams that develop Log Analytics. The security officers have their own management chain and conduct independent assessments of products and services to ensure security and compliance.

Microsoft's board of directors is notified by an annual report about all information security programs at Microsoft.

The Log Analytics software development and service team are actively working with the Microsoft Legal and Compliance teams and other industry partners to acquire various certifications.

Certifications and attestations

Azure Log Analytics meets the following requirements:

  • ISO/IEC 27001
  • ISO/IEC 27018:2014
  • ISO 22301
  • Payment Card Industry (PCI Compliant) Data Security Standard (PCI DSS) by the PCI Security Standards Council.
  • Service Organization Controls (SOC) 1 Type 1 and SOC 2 Type 1 compliant
  • HIPAA and HITECH for companies that have a HIPAA Business Associate Agreement
  • Windows Common Engineering Criteria
  • Microsoft Trustworthy Computing
  • As an Azure service, the components that Azure Monitor uses adhere to Azure compliance requirements. You can read more at Microsoft Trust Center Compliance.

Note

In some certifications/attestations, Azure Monitor Logs is listed under its former name of Operational Insights.

Cloud computing security data flow

The following diagram shows a cloud security architecture as the flow of information from your company and how it is secured as it moves to Azure Monitor, ultimately seen by you in the Azure portal. More information about each step follows the diagram.

Image of Azure Monitor Logs data collection and security

1. Sign up for Azure Monitor and collect data

For your organization to send data to Azure Monitor Logs, you configure a Windows or Linux agent running on Azure virtual machines, or on virtual or physical computers in your environment or other cloud provider. If you use Operations Manager, from the management group you configure the Operations Manager agent. Users (which might be you, other individual users, or a group of people) create one or more Log Analytics workspaces, and register agents by using one of the following accounts:

  • Organizational ID
  • Microsoft Account - Outlook, Office Live, MSN

A Log Analytics workspace is where data is collected, aggregated, analyzed, and presented. A workspace is primarily used as a means to partition data, and each workspace is unique. For example, you might want to have your production data managed with one workspace and your test data managed with another workspace. Workspaces also help an administrator control user access to the data. Each workspace can have multiple user accounts associated with it, and each user account can access multiple Log Analytics workspaces. You create workspaces based on datacenter region.

For Operations Manager, the Operations Manager management group establishes a connection with the Azure Monitor service. You then configure which agent-managed systems in the management group are allowed to collect and send data to the service. Depending on the solution you have enabled, data from these solutions are either sent directly from an Operations Manager management server to the Azure Monitor service, or because of the volume of data collected by the agent-managed system, are sent directly from the agent to the service. For systems not monitored by Operations Manager, each connects securely to the Azure Monitor service directly.

All communication between connected systems and the Azure Monitor service is encrypted. The TLS (HTTPS) protocol is used for encryption. The Microsoft SDL process is followed to ensure Log Analytics is up-to-date with the most recent advances in cryptographic protocols.

Each type of agent collects log data for Azure Monitor. The type of data that is collected depends on the configuration of your workspace and other features of Azure Monitor.

2. Send data from agents

You register all agent types with an enrollment key and a secure connection is established between the agent and the Azure Monitor service using certificate-based authentication and TLS with port 443. Azure Monitor uses a secret store to generate and maintain keys. Private keys are rotated every 90 days and are stored in Azure and are managed by the Azure operations who follow strict regulatory and compliance practices.

With Operations Manager, the management group registered with a Log Analytics workspace establishes a secure HTTPS connection with an Operations Manager management server.

For Windows or Linux agents running on Azure virtual machines, a read-only storage key is used to read diagnostic events in Azure tables.

With any agent reporting to an Operations Manager management group that is integrated with Azure Monitor, if the management server is unable to communicate with the service for any reason, the collected data is stored locally in a temporary cache on the management server. They attempt to resend the data every eight minutes for two hours. For data that bypasses the management server and is sent directly to Azure Monitor, the behavior is consistent with the Windows agent.

The Windows or management server agent cached data is protected by the operating system's credential store. If the service cannot process the data after two hours, the agents will queue the data. If the queue becomes full, the agent starts dropping data types, starting with performance data. The agent queue limit is a registry key so you can modify it, if necessary. Collected data is compressed and sent to the service, bypassing the Operations Manager management group databases, so it does not add any load to them. After the collected data is sent, it is removed from the cache.

As described above, data from the management server or directly-connected agents is sent over TLS to Microsoft Azure datacenters. Optionally, you can use ExpressRoute to provide additional security for the data. ExpressRoute is a way to directly connect to Azure from your existing WAN network, such as a multi-protocol label switching (MPLS) VPN, provided by a network service provider. For more information, see ExpressRoute.

3. The Azure Monitor service receives and processes data

The Azure Monitor service ensures that incoming data is from a trusted source by validating certificates and the data integrity with Azure authentication. The unprocessed raw data is then stored in an Azure Event Hub in the region the data will eventually be stored at rest. The type of data that is stored depends on the types of solutions that were imported and used to collect data. Then, the Azure Monitor service processes the raw data and ingests it into the database.

The retention period of collected data stored in the database depends on the selected pricing plan. For the Free tier, collected data is available for seven days. For the Paid tier, collected data is available for 31 days by default, but can be extended to 730 days. Data is stored encrypted at rest in Azure storage, to ensure data confidentiality, and the data is replicated within the local region using locally redundant storage (LRS). The last two weeks of data are also stored in SSD-based cache and this cache is encrypted.

Data in database storage cannot be altered once ingested but can be deleted via the purge API path. Although data cannot be altered, some certifications require that data is kept immutable and cannot be changed or deleted in storage. Data immutability can be achieved using data export to a storage account that is configured as immutable storage.

4. Use Azure Monitor to access the data

To access your Log Analytics workspace, you sign into the Azure portal using the organizational account or Microsoft account that you set up previously. All traffic between the portal and Azure Monitor service is sent over a secure HTTPS channel. When using the portal, a session ID is generated on the user client (web browser) and data is stored in a local cache until the session is terminated. When terminated, the cache is deleted. Client-side cookies, which do not contain personally identifiable information, are not automatically removed. Session cookies are marked HTTPOnly and are secured. After a pre-determined idle period, the Azure portal session is terminated.
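The session-cookie property stated in step 4 (HttpOnly plus Secure on session cookies) is one you can verify on any HTTPS service you operate, and distinguishing session cookies (no Expires/Max-Age) from persistent ones matters because the page treats the two differently. The following Python is an added example written for this page, not code from the Azure portal or Azure Monitor; it parses Set-Cookie header values and reports cookies that lack either flag. The sample headers are constructed for illustration and do not come from any real service, and the URL argument to the fetch helper is a placeholder you supply.

```python
"""Set-Cookie flag audit: an added example, not Azure portal or Azure Monitor code."""
import urllib.request

# Constructed sample headers (not captured from any real service).
SAMPLE_SET_COOKIE = [
    "portalsession=0a1b2c; Path=/; Secure; HttpOnly; SameSite=Lax",        # fully flagged session cookie
    "prefs=dark; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure",  # persistent, no HttpOnly
    "legacy=1; Path=/; HttpOnly",                                        # session cookie, no Secure
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and lower-cased attribute map.
    Attribute names are case-insensitive per RFC 6265, so 'HTTPOnly' and 'HttpOnly' both match."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {
        "name": name.strip(),
        "value": value,
        "attrs": attrs,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        # A cookie with neither Expires nor Max-Age lives only for the browser session.
        "session": not ({"expires", "max-age"} & attrs.keys()),
    }


def audit_cookies(headers):
    """Return (name, 'session'|'persistent', [missing flags]) for every cookie
    that lacks Secure or HttpOnly. An empty list means every cookie carries both."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [flag for flag, present in (("Secure", cookie["secure"]),
                                              ("HttpOnly", cookie["httponly"])) if not present]
        if missing:
            findings.append((cookie["name"],
                             "session" if cookie["session"] else "persistent",
                             missing))
    return findings


def session_cookies_fully_flagged(headers):
    """The property the page states for the portal: no session cookie lacks either flag."""
    return not [f for f in audit_cookies(headers) if f[1] == "session"]


def fetch_set_cookie_headers(url, timeout=5.0):
    """Collect every Set-Cookie header from one response (url is a placeholder you supply)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    import sys
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SET_COOKIE
    for name, kind, missing in audit_cookies(headers):
        print(f"{name}: {kind} cookie missing {', '.join(missing)}")
    print("session cookies fully flagged:", session_cookies_fully_flagged(headers))
```

Run it with no argument to see the constructed sample evaluated (the persistent `prefs` cookie lacks HttpOnly and the session cookie `legacy` lacks Secure), or pass an HTTPS URL of a service you operate to audit its real response. The audit only inspects response headers; it does not need credentials and sets no cookies of its own.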

Additional security features

You can use these additional security features to further secure your Azure Monitor environment. These features require more administrator management.

  • Customer-managed (security) keys - You can use customer-managed keys to encrypt data sent to your Log Analytics workspaces. It requires use of Azure Key Vault.
  • Private / customer-managed Storage - Manage your personally encrypted storage account and tell Azure Monitor to use it to store monitoring data
  • Private Link networking - Azure Private Link allows you to securely link Azure PaaS services (including Azure Monitor) to your virtual network using private endpoints.
  • Azure customer Lockbox - Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. It is used in cases where a Microsoft engineer needs to access customer data during a support request.

Next steps

  • See the different kinds of data that you can collect in Azure Monitor.