Power Platform & Dynamics 365 Cloud Solution Architect Assets
Service Offerings Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Welcome to CSA Assets!
  2. /
  3. Well-Architected Framework
  4. /
  5. Security
  6. /
  7. Security Assessment Guidance 07 How Do You Monitor the Workload

Security Assessment Guidance 07 How Do You Monitor the Workload

Security Assessment - Monitoring Activity

Question: How do you monitor the workload?

Regularly monitor resources to maintain your security posture and detect vulnerabilities. Detection can take the form of reacting to an alert of suspicious activity or proactively hunting for anomalous events in your enterprise activity logs. Vigilantly respond to anomalies and alerts to prevent security assurance decay. Use defense-in-depth and least-privilege strategies in your design.

Comments

Question Responses

[X] We use tools to monitor our workload resources.

You should use the monitoring tools that are built into the platform that your application runs on. These tools can give you insights and a good view of security events.

Comments

References

[X] We collect logs from all workload user flows.

You should design your workload to provide runtime visibility when events occur. Code should be instrumented via structured logging. Doing so enables easy and uniform querying and filtering of logs.

[X] We periodically review access to the control plane and data plane of the application.

Record all resource access activities by capturing who does what and when they do it.

[X] We use a threat-detection tool to aggregate and analyze logs.

Consider a central view of logs and data, when applicable. Storing all your logs in a single repository creates a single point of observability, reduces duplication, and aids in the use of machine learning to corelate incidents.

[X] We monitor configuration drift away from the baseline and agreed-upon standards.

Drift in resource configuration must be monitored. Any modification to an existing resource needs to be documented. Also keep track of changes that can’t finish as part of a rollout to a fleet of resources. Logs must capture the specifics of each change and the exact time that it occurred.

[X] We use modern threat-detection techniques to detect suspicious activities.

Transforming aggregated data into actionable intelligence helps you react to incidents quickly and effectively. Monitoring helps with post-incident activities. The goal is to collect enough data to analyze and understand what happened. The process of monitoring captures information about past events that you can use to enhance reactive capabilities and potentially predict future incidents.

gdoc_arrow_left_alt Security Assessment Guidance 06 How Do You Secure Your Secrets and the Other Credentials That Your Workload Uses Security Assessment Guidance 08 How Do You Test Your Workload Before and After It Reaches Production gdoc_arrow_right_alt