| Source | Azure Portal | ||||||||||||||||||||||
| Display name | Microsoft Managed Control 1369 - Incident Monitoring | ||||||||||||||||||||||
| Id | 18cc35ed-a429-486d-8d59-cb47e87304ed | ||||||||||||||||||||||
| Version | 1.0.0 Details on versioning |
||||||||||||||||||||||
| Versioning |
Versions supported for Versioning: 0 Built-in Versioning [Preview] |
||||||||||||||||||||||
| Category | Regulatory Compliance Microsoft Learn |
||||||||||||||||||||||
| Description | Microsoft implements this Incident Response control | ||||||||||||||||||||||
| Additional metadata |
Name/Id: ACF1369 / Microsoft Managed Control 1369 Category: Incident Response Title: Incident Monitoring Ownership: Customer, Microsoft Description: The organization tracks and documents information system security incidents. Requirements: The Azure Security Response Team utilizes the Incident Management (IcM) ticketing system for notification about new alerts. Certain Azure monitoring tools such as Azure Security Monitoring (ASM) create tickets automatically when monitoring for security events. These tickets can be assigned to the Security Response Team as necessary. In other cases, tickets are created as a result of manual log review, incident reporting from service teams, or incident management team research and investigation. Should an IcM alert pass the triage phase without being determined to be a false positive, the Security Response Team creates a case in Service Now (SNow), the security incident tracking tool. Case tickets are updated as more information on the incident is gathered. While not preferred, the Azure Security Response Team monitors a dedicated phone and email alias twenty-four (24) hours a day, seven (7) days a week which can also be used to report suspected security issues. Tickets for events are entered into IcM and SNow and escalated as necessary. This escalation process enables incidents to be escalated to the proper teams. At any point in the escalation path, once the incident has been resolved, the responding support group updates the status of the incident. If it is a customer-related incident, the owner of the incident communicates the resolution of the issue to the customer. |
||||||||||||||||||||||
| Mode | Indexed | ||||||||||||||||||||||
| Type | Static | ||||||||||||||||||||||
| Preview | False | ||||||||||||||||||||||
| Deprecated | False | ||||||||||||||||||||||
| Effect | Fixed audit |
||||||||||||||||||||||
| RBAC role(s) | none | ||||||||||||||||||||||
| Rule aliases | none | ||||||||||||||||||||||
| Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||||||||||||||||||||||
| Compliance |
The following 1 compliance controls are associated with this Policy definition 'Microsoft Managed Control 1369 - Incident Monitoring' (18cc35ed-a429-486d-8d59-cb47e87304ed)
| ||||||||||||||||||||||
| Initiatives usage |
|
||||||||||||||||||||||
| History | none | ||||||||||||||||||||||
| JSON compare | n/a | ||||||||||||||||||||||
| JSON |
|