
V-270227

CAT II (Medium)

Microsoft Entra ID must be configured to transfer logs to another server for storage, analysis, and reporting.

Rule ID

SV-270227r1085728_rule

STIG

Microsoft Entra ID Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001348, CCI-001851

Discussion

Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to ensure the audit records will be retained in the event of a catastrophic system failure. This also ensures a compromise of the information system being audited does not result in a compromise of the audit records. This requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions.

Satisfies: SRG-APP-000358

Check Content

Verify Microsoft Entra ID sign-in logs are updated in Microsoft Sentinel or equivalent SIEM. Verify the Connected Status is "green" with Last Log Received within the past hour.

1. Sign in to the Microsoft Entra admin center as a Global Administrator.
2. Browse to Identity >> Monitoring & health >> Diagnostic settings.
3. Select "Edit settings" for the entry that has an established log analytics workspace.
4. Review the selected log categories. The minimum required categories are:
- SigninLogs.
- AuditLogs.
- ServicePrincipalSignInLogs.
- ManagedIdentitySignInLogs.
- UserRiskEvents.
- RiskyUsers.
- RiskyServicePrincipals.
- ServicePrincipalRiskEvents.

If there is not an entry established to offload logs to a Log Analytics workspace and the minimum log categories are not selected, this is a finding.

Fix Text

Configure Microsoft Entra ID to transfer Microsoft Entra server logs to another server for storage, analysis, and reporting at least every seven days.

1. Sign in to the Microsoft Entra admin center as a Global Administrator.
2. Browse to Identity >> Monitoring & health >> Diagnostic settings.
3. Select "+ Add diagnostic settings".
4. Select at least these required categories:
- SigninLogs.
- AuditLogs.
- ServicePrincipalSignInLogs.
- ManagedIdentitySignInLogs.
- UserRiskEvents.
- RiskyUsers.
- RiskyServicePrincipals.
- ServicePrincipalRiskEvents.
5. Select "Send to Log Analytics workspace". For details on establishing a log analytics workspace, reference the DOD365 TCG.
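As an added example (not part of the STIG or of STIGhub), the Python script below automates the category review in the check procedure above and reports whether the configuration produced by the fix procedure still leaves a finding. It assumes the JSON shape returned by the Azure REST endpoint for tenant-level Entra ID diagnostic settings (a `value` array whose entries carry `properties.workspaceId` and `properties.logs`), reachable with `az rest` against `https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview`; that endpoint, the finding rule (compliant only when at least one setting sends all eight categories to a Log Analytics workspace) and the embedded sample export are assumptions, and the sample data is constructed.

```python
import json
import sys

# Minimum log categories named in the check text of V-270227.
REQUIRED_CATEGORIES = {
    "SigninLogs", "AuditLogs", "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs",
    "UserRiskEvents", "RiskyUsers", "RiskyServicePrincipals", "ServicePrincipalRiskEvents",
}

# Constructed placeholder resource IDs (all-zero subscription, not real).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
WORKSPACE_ID = SUB + "/providers/Microsoft.OperationalInsights/workspaces/law-sec"
STORAGE_ID = SUB + "/providers/Microsoft.Storage/storageAccounts/stsecarchive"

def enabled_logs(categories):
    """Build the 'logs' array of a diagnostic setting with each category enabled."""
    return [{"category": c, "enabled": True} for c in sorted(categories)]

# Constructed sample shaped like the diagnosticSettings REST response:
# "siem-export" streams to a workspace but omits two risk categories, while
# "archive-only" enables every category but only writes to a storage account.
SAMPLE_EXPORT = {"value": [
    {"name": "siem-export", "properties": {"workspaceId": WORKSPACE_ID, "logs":
        enabled_logs(REQUIRED_CATEGORIES - {"RiskyUsers", "ServicePrincipalRiskEvents"})}},
    {"name": "archive-only", "properties": {"storageAccountId": STORAGE_ID, "logs":
        enabled_logs(REQUIRED_CATEGORIES)}},
]}

def evaluate_setting(setting):
    """Return (sends_to_workspace, missing_required_categories) for one setting."""
    props = setting.get("properties", {})
    enabled = {log["category"] for log in props.get("logs", []) if log.get("enabled")}
    return bool(props.get("workspaceId")), REQUIRED_CATEGORIES - enabled

def audit(export):
    """Finding unless at least one setting sends every required category to a workspace."""
    report = {"finding": True, "settings": {}}
    for setting in export.get("value", []):
        to_workspace, missing = evaluate_setting(setting)
        report["settings"][setting["name"]] = {"workspace": to_workspace, "missing": sorted(missing)}
        if to_workspace and not missing:
            report["finding"] = False
    return report

if __name__ == "__main__":
    # Pipe the live export in (e.g. from `az rest`) or fall back to the sample.
    result = audit(SAMPLE_EXPORT if sys.stdin.isatty() else json.load(sys.stdin))
    print("FINDING" if result["finding"] else "NOT A FINDING")
    for name, detail in result["settings"].items():
        print(f"  {name}: workspace={detail['workspace']} missing={detail['missing']}")
```

On the constructed sample the script reports a finding, because neither setting both targets a workspace and enables all eight categories; the Connected Status and Last Log Received checks from the check text are not visible in this export and still need to be verified in the SIEM.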