Microsoft implements this System and Information Integrity control
Name/Id: ACF1703 / Microsoft Managed Control 1703
Category: System and Information Integrity
Title: Security Alerts, Advisories, And Directives - Alerts from External Organizations
Ownership: Customer, Microsoft
Description: The organization: Receives information system security alerts, advisories, and directives from including US-CERT on an ongoing basis;
Requirements: For all asset types, Azure receives information system security alerts, advisories, and directives from external vendors, parties providing software within the Azure environment, and external security organizations including US-CERT and other external parties performing independent vulnerability analysis. In addition, customers can report security incidents at any time through the Azure Management Portal or through a dedicated phone line that is available twenty-four (24) hours a day, seven (7) days a week.
Internally, Microsoft’s Security Response Team notifies service teams of security incidents and the latest security patches for Microsoft’s software platforms. The Microsoft Security Response Center (MSRC) also publishes Security Bulletins and associated patches every month, except when MSRC determines that an out-of-band patch is required to address zero-day vulnerabilities or escalations. Working with MSRC and the Security Response Team, external parties such as regulators, law enforcement, ISPs, and other partners can identify security issues. Service teams also subscribe to service-specific alerts, advisories, and directives as needed.
Azure is also made aware of any directives or advisories through the FedRAMP Program Management Office (PMO), the DISA/DoD authorizing officials, and other authorizing officials, which send email alerts to provide situational awareness and any actions that all CSPs must take.
Rule resource types
IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups