Microsoft implements this System and Information Integrity control
Name/Id: ACF1714 / Microsoft Managed Control 1714
Category: System and Information Integrity
Title: Software & Information Integrity | Automated Notifications Of Integrity Violations
Ownership: Customer, Microsoft
Description: The organization employs automated tools that provide notification to Service Engineer Operations personnel upon discovering discrepancies during integrity verification.
Requirements: Azure software updates are thoroughly reviewed for any unauthorized changes before entering the production environments as part of the Security Development Lifecycle (SDL) and Change and Release Management processes. Any code changes must be reviewed and approved before they are deployed to the environment. Additionally, builds are digitally signed before they are deployed. If the integrity verification fails at deployment, the deployment operation fails, and the process needs to be started over. The deployment engine is configured to notify service teams upon discovery of discrepancies during integrity verification. Service teams are notified via email or the creation of DevOps tickets.
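The sign-then-verify gate described in the requirements (builds signed before deployment, deployment fails and a notification goes out on any discrepancy) can be illustrated with the following added PowerShell example. It is not Microsoft's deployment engine and not code from this page; it assumes artifacts are Authenticode-signed, and the package path, the allow-listed signer thumbprint and the notification hook are placeholders.

```powershell
# Added example (not Microsoft's deployment engine): a deployment-time integrity
# gate that verifies the Authenticode signature of every artifact in a package,
# fails the deployment on any discrepancy and hands the discrepancy list to a
# notification hook. Paths, thumbprints and the hook are placeholders.

function Test-PackageIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PackagePath,
        # Allow-list of signing-certificate thumbprints (placeholder values).
        [Parameter(Mandatory)] [string[]] $TrustedThumbprints
    )
    $discrepancies = foreach ($file in Get-ChildItem -Path $PackagePath -Recurse -File) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        if ($sig.Status -ne 'Valid') {
            # Covers NotSigned, HashMismatch (content changed after signing), NotTrusted, ...
            [pscustomobject]@{ File = $file.FullName; Reason = "Signature status: $($sig.Status)" }
        }
        elseif ($sig.SignerCertificate.Thumbprint -notin $TrustedThumbprints) {
            # Valid signature, but from a certificate the release process does not use.
            [pscustomobject]@{ File = $file.FullName; Reason = "Unexpected signer: $($sig.SignerCertificate.Subject)" }
        }
    }
    [pscustomobject]@{
        Passed        = -not $discrepancies
        Discrepancies = @($discrepancies)
    }
}

function Invoke-DeploymentGate {
    param(
        [Parameter(Mandatory)] [string]   $PackagePath,
        [Parameter(Mandatory)] [string[]] $TrustedThumbprints,
        # Notification hook: in practice an email sender or a work-item (ticket) API call.
        # Default just surfaces the list as a warning so the example runs stand-alone.
        [scriptblock] $Notify = { param($items) $items | Format-Table -AutoSize | Out-String | Write-Warning }
    )
    $result = Test-PackageIntegrity -PackagePath $PackagePath -TrustedThumbprints $TrustedThumbprints
    if (-not $result.Passed) {
        & $Notify $result.Discrepancies
        # The deployment operation fails; the release has to be rebuilt, re-signed and restarted.
        throw "Deployment aborted: $($result.Discrepancies.Count) integrity discrepancy(ies) found in $PackagePath"
    }
    Write-Host "Integrity verification passed for $PackagePath; proceeding with deployment."
}

# Usage (placeholder path and thumbprint):
# Invoke-DeploymentGate -PackagePath 'C:\Deploy\Build-1234' `
#     -TrustedThumbprints @('0000000000000000000000000000000000000000')
```

Checking the signer thumbprint in addition to `Status -eq 'Valid'` matters: a validly signed binary from a certificate outside the release process is still a discrepancy from the gate's point of view, and `HashMismatch` is the status that flags a file altered after it was signed.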
The Windows Server operating systems provide real-time file integrity validation, protection, and recovery of core system files that are installed as part of Windows or authorized Windows system updates. Windows Resource Protection (WRP) automatically detects and restores the original version of protected files if a program uses an unauthorized method to change those files.
WRP provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WRP receives a directory change notification for a file in a protected directory. After WRP receives this notification, WRP determines which file was changed. If the file is protected, WRP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WRP replaces the new file with the file from the system protected cache folder (if it is in the cache folder) or from the installation source. In addition to WRP, on-demand validation and recovery of core Windows system files are provided using the System File Checker (sfc.exe) tool.
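The on-demand side of this, the System File Checker, is normally read off the console; the added PowerShell wrapper below (example code, not part of the page or of Windows) runs `sfc.exe` in verify-only mode for either one file or the whole protected set and turns the result into an object a monitoring script can act on. It assumes an elevated session, an English-language Windows (the verdict is taken from the English message text) and the `/verifyonly` and `/verifyfile=` switches of `sfc.exe`; details of any violation are in `%WinDir%\Logs\CBS\CBS.log`.

```powershell
# Added example: on-demand verification of WRP-protected files via sfc.exe,
# wrapped so the verdict is returned as an object instead of console text.
# Requires an elevated session; verdict parsing assumes English sfc.exe messages.
function Test-SystemFileIntegrity {
    [CmdletBinding()]
    param(
        # Optional single protected file (e.g. 'C:\Windows\System32\kernel32.dll');
        # omitted = full /verifyonly scan of all protected files (no repair).
        [string] $FilePath
    )
    # sfc.exe emits UTF-16 output; without this the captured text is mangled
    # ("W i n d o w s ...") in many PowerShell hosts.
    $previousEncoding = [Console]::OutputEncoding
    [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
    try {
        $output = if ($FilePath) { & sfc.exe "/verifyfile=$FilePath" } else { & sfc.exe /verifyonly }
    }
    finally {
        [Console]::OutputEncoding = $previousEncoding
    }
    $text = ($output -join "`n")
    [pscustomobject]@{
        Target    = if ($FilePath) { $FilePath } else { 'All WRP-protected files' }
        # WRP reports "found integrity violations" when a protected file does not
        # match its catalog signature; "did not find any integrity violations" otherwise.
        Violation = [bool]($text -match 'found integrity violations')
        Output    = $text
    }
}

# Usage: a non-zero number of violations is what a FIM pipeline would alert on.
# Test-SystemFileIntegrity -FilePath 'C:\Windows\System32\kernel32.dll'
# Test-SystemFileIntegrity | Where-Object Violation
```

Because `/verifyonly` and `/verifyfile` never repair anything, the wrapper is safe to schedule as a periodic check; repair (`sfc /scannow`) is a separate, deliberate operation.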
The Security File Integrity Monitoring (FIM) component consists of two elements:
* System files protection provided by Windows Resource Protection (WRP) for Server baseline(s). This functionality is built into the operating system.
* Critical file monitoring over and above that offered by WRP is provided by a combination of Local Security Policy settings for Windows Audit Object Access (WOA) together with the appropriate system access-control list (SACL) applied to the files designated as application-critical.
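The second element above, Audit Object Access combined with a SACL on the designated critical files, is shown end to end in the following added PowerShell example (not code from this page or from Microsoft). It assumes an elevated session, the `auditpol.exe` "File System" subcategory, and placeholder file paths; the events it queries (Security log, ID 4663) are the ones an event-forwarding tool and SIEM would pick up.

```powershell
# Added example: critical-file monitoring with Windows Audit Object Access plus a
# SACL. Enables the "File System" audit subcategory, adds a write/delete audit
# entry for Everyone to each critical file, and reads back the resulting
# Security-log events (ID 4663). Paths are placeholders; run elevated.

function Enable-CriticalFileAuditing {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $Path)

    # Object Access auditing is per subcategory; "File System" is the one SACLs on files use.
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # Audit modifications only (not reads), by any principal, whether they succeed or fail.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, WriteAttributes, ChangePermissions, TakeOwnership'
    $flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule   = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $flags)

    foreach ($p in $Path) {
        # -Audit is required to read and write the SACL rather than only the DACL.
        $acl = Get-Acl -Path $p -Audit
        $acl.AddAuditRule($rule)
        Set-Acl -Path $p -AclObject $acl
    }
}

function Get-CriticalFileAuditEvents {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [datetime] $Since = (Get-Date).AddHours(-24)
    )
    # 4663: "An attempt was made to access an object" (Object Access / File System).
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -in $Path) {
            [pscustomobject]@{
                Time       = $e.TimeCreated
                Object     = $data.ObjectName
                Subject    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process    = $data.ProcessName
                AccessMask = $data.AccessMask   # which of the audited rights was exercised
            }
        }
    }
}

# Usage (placeholder paths):
# $critical = 'C:\App\config\app.config', 'C:\App\bin\service.exe'
# Enable-CriticalFileAuditing -Path $critical
# Get-CriticalFileAuditEvents -Path $critical | Format-Table -AutoSize
```

Auditing writes rather than reads keeps the volume manageable and matches what the SACL is for here: detecting changes to application-critical files that WRP does not cover. The 4663 events carry the subject, process and access mask, which is what the SIEM rule needs to separate an expected update from an unexpected change.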
Both technologies write events to the event logs, which are forwarded by an event forwarding tool and monitored by a security incident and event management tool. WRP is a real-time solution that performs scanning on a continuous basis.

Network Devices
Azure uses the Config Policy Verifier (CPV) and Config Change Reporter (CCR) tools to notify the Azure Networking team of unauthorized changes to network devices on a continuous basis. CPV and CCR automatically send alerts to Incident Management (IcM) regarding deviations from correct operation of security functions. CPV and CCR alert upon system startup and restart and continuously provide event monitoring and alerting to Azure Networking. CPV and CCR are near-real-time solutions that perform scanning on a continuous basis.
Rule resource types
IF (2):
* Microsoft.Resources/subscriptions
* Microsoft.Resources/subscriptions/resourceGroups