last sync: 2024-Sep-19 17:51:32 UTC

Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications Traffic Anomalies | Regulatory Compliance - System and Information Integrity

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications Traffic Anomalies
Id: 426c4ac9-ff17-49d0-acd7-a13c157081c0
Version: 1.0.0
Versioning: versions supported for versioning: 0
Category: Regulatory Compliance
Description: Microsoft implements this System and Information Integrity control
Additional metadata:
Name/Id: ACF1694 / Microsoft Managed Control 1694
Category: System and Information Integrity
Title: Information System Monitoring | Analyze Communications Traffic Anomalies
Ownership: Customer, Microsoft
Description: The organization does not analyze outbound communications traffic at the external boundary of the information system and at selected interior points within the system (e.g., subnetworks, subsystems) to discover anomalies, as this is the responsibility of the customer. This control is not applicable in the organization.
Requirements: For Azure services, onboarding to Azure Security Pack enables monitoring of network communication correlated with network logs and in-memory lateral movement during post exploitation for all deployment types via Process Investigation, which is available externally via Azure Security Center via Fileless Attack detections, and via the Network Risk Management (NRM) Service.

The NRM service assesses the resultant set of open ports and protocols based on data provided by the VM agent. Additionally, for VMs hosted on Azure, the Network Security Group (NSG) settings are considered and the resultant set of the settings is calculated. Additionally, for the assets running in Bare Metal, Azure assesses the Surface Area Manager configuration settings. For Linux VMs hosted in Azure, Azure uses the NSG settings to validate that the configuration meets the network baseline requirements. For all deployment types, if there is a network baseline violation that exposes a management port to the internet, an alert is generated and routed to the service team.

For internal service teams, Azure implements monitoring and alerting for unusual behavior of key security features including, but not limited to, if a user accesses an asset without using Azure Just In Time (JIT) access, if a dSTS account has an unusual access pattern, if the Geneva Actions have unusual activity, if the Azure Fabric is accessed without using Azure JIT, or if a service owner has unexpected changes to permissions in the service team subscription. Additionally, internal services regardless of deployment type monitor their own network connections for unexpected network activities at the application layer. However, to protect customer end user identifiable information, Azure does not monitor the customer traffic in the security monitoring solutions.
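The requirements text describes one concrete check: take the resultant set of NSG rules and alert when a management port is exposed to the internet. The following is an added example of that check, written for this page; it is not the NRM service's code and does not call Azure. It assumes rules in the shape of an NSG's `securityRules` property (name, priority, direction, access, protocol, sourceAddressPrefix(es), destinationPortRange(s)) and a constructed sample rule set. The part worth getting right is that Azure evaluates inbound rules in ascending priority and the first match decides, so a low-numbered Deny shadows a later Allow; a naive "any Allow rule mentions port 22" scan gets both false positives and false negatives.

```python
"""Added example (not Microsoft's NRM implementation): find management ports that an
arbitrary internet host can reach through an NSG, honouring first-match evaluation."""

# Management ports the baseline forbids exposing to the internet (assumption for this example).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}

# Source prefixes that cover every internet address: the 'Internet' service tag, '*',
# and the zero-length IPv4/IPv6 prefixes. Narrower prefixes are deliberately NOT treated
# as "the internet" (see exposed_management_ports for the simplification this implies).
ANY_INTERNET = {"*", "internet", "0.0.0.0/0", "::/0"}

# Azure's default inbound rules; they sit below every user rule (priority 65000+).
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def _port_specs(rule):
    # A rule carries either destinationPortRange ("22", "*", "1000-2000") or destinationPortRanges (list).
    return [str(s) for s in (rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")])]

def _covers_port(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port

def _source_specs(rule):
    return [str(s) for s in (rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")])]

def _open_to_internet(rule):
    return any(s.lower() in ANY_INTERNET for s in _source_specs(rule))

def _covers_tcp(rule):
    return rule.get("protocol", "*").lower() in ("*", "tcp")

def exposed_management_ports(security_rules):
    """Return {port: name_of_deciding_rule} for management ports reachable from the internet.

    Rules (user rules plus Azure defaults) are walked in ascending priority; the first rule
    that matches a TCP probe from an arbitrary internet address to the port decides.
    Simplification: only rules whose source covers ALL internet addresses match the probe;
    a rule scoped to e.g. 203.0.113.0/24 exposes the port to some hosts but is not flagged here.
    """
    inbound = [r for r in list(security_rules) + DEFAULT_INBOUND_RULES
               if str(r.get("direction", "Inbound")).lower() == "inbound"]
    ordered = sorted(inbound, key=lambda r: int(r["priority"]))
    exposed = {}
    for port in MANAGEMENT_PORTS:
        for rule in ordered:
            matches = (_covers_tcp(rule) and _open_to_internet(rule)
                       and any(_covers_port(s, port) for s in _port_specs(rule)))
            if not matches:
                continue
            if str(rule["access"]).lower() == "allow":
                exposed[port] = rule["name"]
            break  # first matching rule decides, whether Allow or Deny
    return exposed

def baseline_alerts(nsg_name, security_rules):
    """Render the findings as alert lines, one per exposed port (format is this example's own)."""
    return [f"{nsg_name}: {MANAGEMENT_PORTS[p]} (tcp/{p}) reachable from the internet via rule '{r}'"
            for p, r in sorted(exposed_management_ports(security_rules).items())]

# Constructed sample rule sets (not real resources). The weak set has an explicit Deny for SSH
# from the internet, a corp-only admin rule, and then an Allow-all that exposes everything else.
WEAK_NSG_RULES = [
    {"name": "deny-ssh-from-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    {"name": "allow-admin-from-corp", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.20.0.0/16", "destinationPortRanges": ["22", "3389"]},
    {"name": "allow-all-inbound", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "allow-web", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
]
# The hardened set drops the Allow-all, so the default DenyAllInBound decides for management ports.
HARDENED_NSG_RULES = [r for r in WEAK_NSG_RULES if r["name"] != "allow-all-inbound"]

if __name__ == "__main__":
    for line in baseline_alerts("nsg-web-weak", WEAK_NSG_RULES):
        print(line)
    print("hardened findings:", baseline_alerts("nsg-web-hardened", HARDENED_NSG_RULES))
```

On the weak set SSH is correctly not reported (the priority-100 Deny wins), while RDP and WinRM are reported through the Allow-all rule; the hardened set yields no findings. In a real deployment the rule set fed in would be the effective rules, since a subnet NSG and a NIC NSG are both evaluated for a VM.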
Mode: Indexed
Type: Static
Preview: False
Deprecated: False
Effect: Fixed (audit)
RBAC role(s): none
Rule aliases: none
Rule resource types (IF, 2):
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance: Not a Compliance control
Initiatives usage: none
History: none
JSON compare: n/a
JSON: api-version=2021-06-01