Benchmark: Information System Monitoring (SI-4)

Description

The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance

Start the Powerpipe server:

steampipe service start
powerpipe server

Open http://localhost:9033 in your browser and select Information System Monitoring (SI-4).

Run this benchmark in your terminal:

powerpipe benchmark run azure_compliance.benchmark.fedramp_high_si_4

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run azure_compliance.benchmark.fedramp_high_si_4 --share

Controls

• Log Analytics extension should be installed on your Linux Azure Arc machines
• Log Analytics extension should be installed on your Windows Azure Arc machines
• Guest Configuration extension should be installed on your machines
• Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
• Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
• Network traffic data collection agent should be installed on Linux virtual machines
• Network traffic data collection agent should be installed on Windows virtual machines
• Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
• Network Watcher should be enabled
• Auto provisioning of the Log Analytics agent should be enabled on your subscription
• Azure Defender for App Service should be enabled
• Microsoft Defender for Containers should be enabled
• Azure Defender for Key Vault should be enabled
• Azure Defender for Resource Manager should be enabled
• Azure Defender for servers should be enabled
• Azure Defender for Azure SQL Database servers should be enabled
• Microsoft Defender for Storage (Classic) should be enabled
• Azure Defender for SQL should be enabled for unprotected Azure SQL servers