This implementation automates reporting to verify compliance with GC Cloud Guardrails. SSC and TBS review the results.
GR1 | Validation 5 | Alerts to Flag Misuse and Suspicious Activities (M) #169
ItemName: Alerts to Flag Misuse and Suspicious Activities (M)
ItemName FR:
Updated on 2024-11-04
Description: This is a new control for the validation “Confirm that alerts to the authorized personnel have been implemented to flag misuse or suspicious activities for all user accounts”. This control will focus on the guidance provided in the GC Event Logging Guidance Table A‑14 Cloud Environments.
It will look at the configuration of Azure Monitor Alerts for the following "suspicious" activities:
- Any activity on Breakglass account(s)
- Conditional access policy changes

General Flow:
1. Check Alert Rule Configuration (does it monitor what it's supposed to?)
2. Check Action Group Results (is it sending alerts to someone?)

Potential Check Flow 1:
1. Are sign-in logs being sent to a Log Analytics Workspace for Azure Monitor to utilize? If no, non-compliant.
2. If yes, is there an alert with a condition to monitor sign-in activity for the Breakglass (BG) account UPNs (provided in the config.json)? If no, non-compliant.
3. If yes, does this alert have an action to send notifications somewhere (for example, email)? If no, non-compliant.
4. If yes, compliant.

Potential Check Flow 2:
1. Are audit logs being sent to a Log Analytics Workspace for Azure Monitor to utilize? If no, non-compliant.
2. If yes, is there an alert that looks into audit logs? If no, non-compliant.
3. If yes, does this alert have an action to send notifications somewhere (for example, email)? If no, non-compliant.
4. If yes, compliant.
Both checks need to be compliant in order to pass this check.
**Consider other options and the most efficient way to achieve the above.
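As an added illustration (not the project's code), the two check flows above expressed as decision logic in Python over simplified, constructed stand-ins for the Azure resources involved; the field names, sample UPNs, workspace id and receivers are assumptions, and a real checker would populate them from the Azure APIs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class DiagnosticSetting:
    workspace_id: Optional[str]  # Log Analytics workspace the logs are sent to (assumed field)
    categories: Set[str]         # enabled log categories, e.g. "SignInLogs", "AuditLogs"

@dataclass
class AlertRule:
    query: str                   # KQL of the scheduled query alert rule
    enabled: bool = True
    receivers: List[str] = field(default_factory=list)  # action-group notification targets

def logs_exported(settings: List[DiagnosticSetting], category: str) -> bool:
    """Step 1 of either flow: is this log category sent to a Log Analytics workspace?"""
    return any(s.workspace_id and category in s.categories for s in settings)

def notifies_someone(rule: AlertRule) -> bool:
    """Step 3 of either flow: is the rule enabled with at least one action receiver?"""
    return rule.enabled and len(rule.receivers) > 0

def evaluate_flow(settings, rules, category, table, required_terms) -> Tuple[bool, str]:
    """Export check -> an alert queries `table` for every required term -> that alert notifies."""
    if not logs_exported(settings, category):
        return False, f"{category} not sent to a Log Analytics workspace"
    matching = [r for r in rules if table.lower() in r.query.lower()
                and all(t.lower() in r.query.lower() for t in required_terms)]
    if not matching:
        return False, f"no alert rule queries {table} for the required terms"
    if not any(notifies_someone(r) for r in matching):
        return False, f"{table} alert has no enabled action-group receiver"
    return True, "compliant"

def check_guardrail(settings, rules, bg_upns) -> Tuple[bool, Dict[str, Tuple[bool, str]]]:
    """Both flows must be compliant for the validation to pass."""
    # Flow 1 needs every BG UPN from config.json in the sign-in alert; Flow 2 as written only needs an audit-log alert.
    results = {
        "breakglass_signin": evaluate_flow(settings, rules, "SignInLogs", "SigninLogs", bg_upns),
        "audit_logs": evaluate_flow(settings, rules, "AuditLogs", "AuditLogs", []),
    }
    return all(ok for ok, _ in results.values()), results

# Constructed sample data: both categories exported; the BG alert notifies, the audit alert does not.
SAMPLE_SETTINGS = [DiagnosticSetting("/subscriptions/placeholder/workspaces/law1", {"SignInLogs", "AuditLogs"})]
SAMPLE_UPNS = ["bg1@example.onmicrosoft.com", "bg2@example.onmicrosoft.com"]
SAMPLE_RULES = [
    AlertRule('SigninLogs | where UserPrincipalName in ("bg1@example.onmicrosoft.com", '
              '"bg2@example.onmicrosoft.com")', receivers=["soc-alerts@example.gc.ca"]),
    AlertRule('AuditLogs | where OperationName has "Conditional Access policy"'),
]
```

With the sample data the overall result is non-compliant because the audit-log alert has no receiver, even though the Breakglass sign-in flow passes.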