| Source | Azure Portal | ||
| Display name | Microsoft Managed Control 1684 - Information System Monitoring | ||
| Id | 16bfdb59-db38-47a5-88a9-2e9371a638cf | ||
| Version | 1.0.0 Details on versioning |
||
| Versioning |
Versions supported for Versioning: 0 Built-in Versioning [Preview] |
||
| Category | Regulatory Compliance Microsoft Learn |
||
| Description | Microsoft implements this System and Information Integrity control | ||
| Additional metadata |
Name/Id: ACF1684 / Microsoft Managed Control 1684 Category: System and Information Integrity Title: Information System Monitoring - Unauthorized Use Ownership: Customer, Microsoft Description: The organization: Identifies unauthorized use of the information system through Microsoft Azure SLAM (Security Logging and Auditing) and C+AI Security logging and monitoring; Requirements: Due to the size and complexity of the Azure environment, Azure utilizes event forwarding and monitoring tools to record events across Azure and correlate the events gathered by each logging tool. Log review cannot be conducted manually in the Azure environment due to the high volume of events. Instead, Azure implements automated methods to perform review, analysis, and reporting of logs. Azure Security Monitoring (ASM) and Scuba are used to do direct alerting using IcM tickets on security-relevant events. These tools utilize event audit policies and detections that report events to the Microsoft Operations Center (MOC), Security Response Team, and service teams, as appropriate. The policies are tuned to alert on events of immediate concern. Events that need little or no correlation to prompt a preliminary investigation and attention of Security Response Team personnel. Once processed, the Security Response Team reviews and analyzes alerts generated by the automated review of audit records in real time, specifically in the case of a security incident, customer request or escalation, or any other functionality impacting the incident in production. Groups of these correlated events that meet a pattern of a known attack methodology are collected and delivered to personnel via IcM or email. Personnel correlate alerts, collect multiple similar alarms, and append them to tickets for review and analysis. The alerting system provides response capability twenty-four (24) hours a day, seven (7) days a week. Troubleshooting Guides (TSGs) applied to workflow tickets provide instructions for the escalation of certain events to response personnel. |
||
| Mode | Indexed | ||
| Type | Static | ||
| Preview | False | ||
| Deprecated | False | ||
| Effect | Fixed audit |
||
| RBAC role(s) | none | ||
| Rule aliases | none | ||
| Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
| Compliance | Not a Compliance control | ||
| Initiatives usage | none | ||
| History | none | ||
| JSON compare | n/a | ||
| JSON |
|