Source | Azure Portal
Display name | Microsoft Managed Control 1683 - Information System Monitoring
Id | 8c79fee4-88dd-44ce-bbd4-4de88948c4f8
Version | 1.0.0
Versioning | Versions supported for Versioning: 0; Built-in Versioning [Preview]
Category | Regulatory Compliance
Description | Microsoft implements this System and Information Integrity control
Additional metadata |
Name/Id: ACF1683 / Microsoft Managed Control 1683
Category: System and Information Integrity
Title: Information System Monitoring - Attack Detection
Ownership: Customer, Microsoft
Description: The organization monitors the information system to detect:
(a) Attacks and indicators of potential attacks, in accordance with the following objectives: ensure the proper functioning of internal processes and controls in furtherance of regulatory and compliance requirements; examine system records to confirm that the system is functioning in an optimal, resilient, and secure state; and identify irregularities or anomalies that are indicators of a system malfunction or compromise; and
(b) Unauthorized local, network, and remote connections.
Requirements: Azure requires service teams to deploy active monitoring solutions that generate audit logs and alerts as a required step in the Security Development Lifecycle (SDL) process, described in the CM family of controls. All service teams upload their logs to Geneva Monitoring, where they are aggregated and processed as described in the AU family of controls. The Logging and Monitoring team assists in identifying normal usage of the system and deviations from that normal range. The tooling automatically reviews audit logs and anti-malware information to confirm that the system is functioning in an optimal, resilient, and secure state and identifies irregularities or anomalies that are indicators of a system malfunction or compromise. Unusual activity is flagged for further review via detections and alerts. Any log event that indicates a potential violation of the Microsoft Security Policy is immediately brought to the attention of Azure Security.
Local connections are disallowed by policy within Azure; no personnel have local access. Azure performs network monitoring and detection of unauthorized connections via Network Isolation (NetIso), which provides the Network Risk Management Service (NRMS) for network baseline measurement, management, and enforcement. The service provides an assessment of network security and alerts on internet-exposed endpoints via Incident Management (IcM), based on analysis patterns for configuration issues. Any process that begins offering an open network port is flagged and investigated if it is not part of the approved baseline for that host, ensuring that unauthorized network services are detected as an indicator of compromise. In addition, the host-based SDN firewall uses a deny-all policy.
Mode | Indexed
Type | Static
Preview | False
Deprecated | False
Effect | Fixed audit
RBAC role(s) | none
Rule aliases | none
Rule resource types | IF (2): Microsoft.Resources/subscriptions; Microsoft.Resources/subscriptions/resourceGroups
Compliance | Not a Compliance control
Initiatives usage | none
History | none