Check: ENTR-ID-000370
Microsoft Entra ID STIG:
ENTR-ID-000370
(in version v1 r1)
Title
Microsoft Entra ID must be configured to transfer logs to another server for storage, analysis, and reporting. (Cat II impact)
Discussion
Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to ensure the audit records will be retained in the event of a catastrophic system failure. This also ensures a compromise of the information system being audited does not result in a compromise of the audit records. This requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions. Satisfies: SRG-APP-000358
Check Content
Verify that Microsoft Entra ID sign-in logs are being received in Microsoft Sentinel or an equivalent SIEM: the data connector's Connected Status is "green" and Last Log Received is within the past hour.

1. Sign in to the Microsoft Entra admin center as a Global Administrator.
2. Browse to Identity >> Monitoring & health >> Diagnostic settings.
3. Select "Edit settings" for the entry that targets an established Log Analytics workspace.
4. Review the selected log categories. The minimum required categories are:
- SigninLogs
- AuditLogs
- ServicePrincipalSignInLogs
- ManagedIdentitySignInLogs
- UserRiskEvents
- RiskyUsers
- RiskyServicePrincipals
- ServicePrincipalRiskEvents

If no diagnostic setting offloads logs to a Log Analytics workspace, or the minimum log categories are not all selected, this is a finding.
Fix Text
Configure Microsoft Entra ID to transfer its logs to another server for storage, analysis, and reporting at least every seven days.

1. Sign in to the Microsoft Entra admin center as a Global Administrator.
2. Browse to Identity >> Monitoring & health >> Diagnostic settings.
3. Select "+ Add diagnostic setting".
4. Select at least these required categories:
- SigninLogs
- AuditLogs
- ServicePrincipalSignInLogs
- ManagedIdentitySignInLogs
- UserRiskEvents
- RiskyUsers
- RiskyServicePrincipals
- ServicePrincipalRiskEvents
5. Select "Send to Log Analytics workspace" and choose the workspace.

For details on establishing a Log Analytics workspace, reference the DOD365 TCG.
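The check and fix above are portal procedures. The same evaluation can be scripted against the tenant-level diagnostic settings resource, which is useful for continuous compliance rather than a one-off review. The following is an added example, not part of the STIG or of any Microsoft tooling: it applies the ENTR-ID-000370 logic (a Log Analytics workspace target, all eight required categories enabled on that same setting, and a recent Last Log Received time) to a diagnostic-settings document. The document shape is assumed to match what `GET https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview` returns (for example via `az rest --method get --url ...`); the three sample documents, the workspace resource ID and the timestamps are constructed for the demonstration.

```python
"""Audit Microsoft Entra ID diagnostic settings against ENTR-ID-000370.

Added example; not STIG text or Microsoft code. The input shape (a "value"
array of Microsoft.aadiam/diagnosticSettings resources, each with
properties.workspaceId and properties.logs[{category, enabled}]) is an
assumption modelled on the ARM diagnostic settings API. Sample data is
constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Minimum log categories named in the check content.
REQUIRED_CATEGORIES = frozenset({
    "SigninLogs", "AuditLogs", "ServicePrincipalSignInLogs",
    "ManagedIdentitySignInLogs", "UserRiskEvents", "RiskyUsers",
    "RiskyServicePrincipals", "ServicePrincipalRiskEvents",
})


def enabled_categories(setting):
    """Set of log categories that are enabled in one diagnostic setting."""
    logs = setting.get("properties", {}).get("logs", [])
    return {entry["category"] for entry in logs if entry.get("enabled")}


def evaluate(settings_doc):
    """Return (compliant, detail) for a diagnostic-settings response.

    Compliant only when a single setting both targets a Log Analytics
    workspace and has every required category enabled. A setting that
    archives to storage or streams to an event hub does not satisfy the
    workspace requirement; categories spread across two settings do not
    count either, because the SIEM connector reads one workspace.
    """
    findings = []
    for setting in settings_doc.get("value", []):
        name = setting.get("name", "<unnamed>")
        props = setting.get("properties", {})
        if not props.get("workspaceId"):
            findings.append(f"{name}: no Log Analytics workspace target")
            continue
        missing = REQUIRED_CATEGORIES - enabled_categories(setting)
        if missing:
            findings.append(f"{name}: missing categories {sorted(missing)}")
            continue
        return True, f"{name}: workspace target with all required categories"
    if not findings:
        findings.append("no diagnostic settings configured")
    return False, "; ".join(findings)


def evaluate_json(text):
    """Convenience wrapper for raw API output (e.g. piped from az rest)."""
    return evaluate(json.loads(text))


def log_flow_is_current(last_log_received, now, max_age=timedelta(hours=1)):
    """Mirror the connector check: Last Log Received within the past hour."""
    return timedelta(0) <= now - last_log_received <= max_age


def _setting(name, workspace_id, enabled, disabled=(), storage_account=None):
    """Build one constructed diagnostic-setting resource (sample data)."""
    logs = [{"category": c, "enabled": True} for c in enabled]
    logs += [{"category": c, "enabled": False} for c in disabled]
    return {
        "id": f"/providers/microsoft.aadiam/diagnosticSettings/{name}",
        "name": name,
        "type": "Microsoft.aadiam/diagnosticSettings",
        "properties": {
            "workspaceId": workspace_id,
            "storageAccountId": storage_account,
            "logs": logs,
            "metrics": [],
        },
    }


# Constructed resource IDs; not real subscriptions.
WORKSPACE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "rg-siem/providers/Microsoft.OperationalInsights/workspaces/law-siem")
STORAGE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-siem/providers/Microsoft.Storage/storageAccounts/stlogarchive")

# Constructed: compliant tenant.
COMPLIANT_DOC = {"value": [_setting("toSentinel", WORKSPACE, REQUIRED_CATEGORIES)]}
# Constructed: workspace target exists but the risk categories were left off.
PARTIAL_DOC = {"value": [_setting("toSentinel", WORKSPACE,
                                  enabled=["SigninLogs", "AuditLogs"],
                                  disabled=["UserRiskEvents"])]}
# Constructed: only an archive to storage, no workspace at all.
STORAGE_ONLY_DOC = {"value": [_setting("archive", None, REQUIRED_CATEGORIES,
                                       storage_account=STORAGE)]}

if __name__ == "__main__":
    for label, doc in [("compliant", COMPLIANT_DOC), ("partial", PARTIAL_DOC),
                       ("storage-only", STORAGE_ONLY_DOC)]:
        ok, detail = evaluate(doc)
        print(f"{label}: {'PASS' if ok else 'FINDING'} - {detail}")
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed
    print("log flow current:",
          log_flow_is_current(now - timedelta(minutes=20), now))
```

Run it as-is to see the three sample outcomes, or feed real output with `az rest ... | python3 -c 'import sys, audit; print(audit.evaluate_json(sys.stdin.read()))'` (module name assumed). The per-setting rule is deliberate: a tenant that sends SigninLogs to one workspace and AuditLogs to another would pass a naive union check while still leaving the SIEM connector blind to half the required data.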
Additional Identifiers
Rule ID: SV-270227r1085728_rule
Vulnerability ID: V-270227
Group Title: SRG-APP-000125
CCIs
Number | Definition
---|---
CCI-001348 | Store audit records on an organization-defined frequency in a repository that is part of a physically different system or system component than the system or component being audited.
CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging.