Security Control: Incident Response
Note
The most up-to-date Azure Security Benchmark is available here.
Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.
10.1: Create an incident response guide
| Azure ID | CIS IDs | Responsibility |
|---|---|---|
| 10.1 | 19.1, 19.2, 19.3 | Customer |
Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as phases of incident handling/management from detection to post-incident review.
10.2: Create an incident scoring and prioritization procedure
| Azure ID | CIS IDs | Responsibility |
|---|---|---|
| 10.2 | 19.8 | Customer |
Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert as well as the confidence level that there was malicious intent behind the activity that led to the alert.
Additionally, clearly mark subscriptions (for ex. production, non-prod) using tags and create a naming system to clearly identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
10.3: Test security response procedures
| Azure ID | CIS IDs | Responsibility |
|---|---|---|
| 10.3 | 19 | Customer |
Conduct exercises to test your systems’ incident response capabilities on a regular cadence to help protect your Azure resources. Identify weak points and gaps and revise plan as needed.
10.4: Provide security incident contact details and configure alert notifications for security incidents
| Azure ID | CIS IDs | Responsibility |
|---|---|---|
| 10.4 | 19.5 | Customer |
Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.
10.5: Incorporate security alerts into your incident response system
| Azure ID | CIS IDs | Responsibility |
|---|---|---|
| 10.5 | 19.6 | Customer |
Export your Azure Security Center alerts and recommendations using the Continuous Export feature to help identify risks to Azure resources. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.
10.6: Automate the response to security alerts
| Azure ID | CIS IDs | Responsibility |
|---|---|---|
| 10.6 | 19 | Customer |
Use the Workflow Automation feature in Azure Security Center to automatically trigger responses via "Logic Apps" on security alerts and recommendations to protect your Azure resources.
Next steps
- See the next Security Control: Penetration Tests and Red Team Exercises
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for