AuditRubric
DE.CM-09 (critical) - Detect / Continuous Monitoring

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Monitoring is the nervous system of your security posture: without it, attacks can persist for months before anyone notices. Effective monitoring goes beyond infrastructure metrics to include security-relevant events: authentication failures, privilege escalations, unusual process executions, data exfiltration signals, and configuration changes. The goal is to generate a signal that a trained analyst can act on, not simply to log everything.

Estimated effort: 10h
Tags: monitoring, edr, siem, detection, logging, threat-detection

Implementation steps

  1. Deploy host-based monitoring and endpoint detection on critical systems

    Install endpoint detection and response (EDR) agents on all endpoints and servers. Configure agents to monitor process execution, file system changes, network connections, and (on Windows) registry modifications. Enable behavioral detection rules that flag attacker techniques catalogued in MITRE ATT&CK, including credential dumping, lateral movement, and persistence mechanisms. Verify that agents are actually checking in, not merely installed, and track every host that is missing an agent or has a stale one as a coverage gap with an owner and a due date.

    Tools: CrowdStrike, SentinelOne, Microsoft Defender, Carbon Black
  2. Aggregate logs and events into a centralized platform

    Collect logs from endpoints, servers, cloud services, network devices, and applications into a SIEM or log aggregation platform. Normalize event formats and timestamps (a single time zone and synchronized clocks) so that correlation rules can work across sources. Define a retention policy that satisfies both security investigation needs (typically 90 days hot, 1 year total) and any applicable compliance requirements. Ensure high-value log sources (authentication, privileged access, firewall) are always flowing, and alert when one goes silent: a source that has stopped sending is a blind spot, not just missing data.

    Tools: Splunk, Datadog, Elastic, Microsoft Sentinel, Sumo Logic
  3. Define detection rules and alerting for high-priority threat scenarios

    Build or import detection rules for the threat scenarios most relevant to your environment: brute force attempts, impossible travel logins, privilege escalation, mass file access (a ransomware signal), large data transfers, and new administrative accounts. Tune thresholds, time windows, and exclusions to bring the false positive rate down so that analysts can focus on real signals, and record each tuning change so the rule's history is auditable. Review and update detection rules quarterly as your environment and the threat landscape evolve.

    Tools: Splunk, Datadog, Elastic, Microsoft Sentinel, Sigma
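The following is an added example, not AuditRubric's code or any of the listed vendors' rule syntax. It runs four of the detections from steps 2 and 3 (brute force, impossible travel, privileged group membership, and log-source silence) over constructed, already-normalized events. The event schema (ts, type, user, src_ip, geo, group, source) and the per-source last-seen table are assumptions standing in for whatever your SIEM normalizes logs into; the thresholds are the tunables a quarterly review would revisit.

```python
"""Worked detection rules over constructed, normalized SIEM events.

Added example for this page; not AuditRubric's or any vendor's code. The event
schema and the last-seen table are assumptions, and every event below is
constructed, not captured from a real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


def ts(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' into a datetime (all times assumed UTC)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events (not real logs). geo = (lat, lon) from IP enrichment.
EVENTS = [
    {"ts": ts("2024-05-01 09:00:00"), "type": "login_success", "user": "alice",
     "src_ip": "198.51.100.7", "geo": (51.51, -0.13)},   # London
    {"ts": ts("2024-05-01 09:30:00"), "type": "login_success", "user": "alice",
     "src_ip": "192.0.2.44", "geo": (40.71, -74.01)},    # New York, 30 min later
    {"ts": ts("2024-05-01 08:00:00"), "type": "login_success", "user": "carol",
     "src_ip": "198.51.100.9", "geo": (51.51, -0.13)},   # London
    {"ts": ts("2024-05-01 12:00:00"), "type": "login_success", "user": "carol",
     "src_ip": "198.51.100.10", "geo": (48.86, 2.35)},   # Paris, 4 h later: plausible
    {"ts": ts("2024-05-01 09:05:00"), "type": "auth_failure", "user": "alice",
     "src_ip": "198.51.100.7", "geo": (51.51, -0.13)},   # one typo, not an attack
] + [
    {"ts": ts("2024-05-01 10:00:00") + timedelta(seconds=10 * i), "type": "auth_failure",
     "user": "bob", "src_ip": "203.0.113.9", "geo": (50.11, 8.68)}
    for i in range(6)                                     # 6 failures in 50 s
] + [
    {"ts": ts("2024-05-01 10:02:00"), "type": "group_member_added", "user": "svc-backup",
     "actor": "bob", "group": "Domain Admins", "src_ip": "203.0.113.9", "geo": (50.11, 8.68)},
    {"ts": ts("2024-05-01 10:02:30"), "type": "group_member_added", "user": "dave",
     "actor": "helpdesk", "group": "Print Operators", "src_ip": "10.0.0.5", "geo": None},
]

# Constructed last-seen timestamp per log source, as an ingestion dashboard would hold it.
LAST_SEEN = {
    "firewall": ts("2024-05-01 10:03:00"),
    "sso": ts("2024-05-01 10:02:30"),
    "edr": ts("2024-05-01 08:30:00"),   # silent for over 90 min
}
NOW = ts("2024-05-01 10:05:00")


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` auth failures inside any sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["type"] == "auth_failure":
            by_ip[e["src_ip"]].append(e["ts"])
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > window:   # slide the window's left edge forward
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alerts.append({"rule": "brute_force", "src_ip": ip, "failures": peak})
    return alerts


def impossible_travel(events, max_kmh=900.0):
    """Consecutive successful logins by one user that imply faster-than-airliner travel."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "login_success" and e.get("geo"):
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for prev, cur in zip(logins, logins[1:]):
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["geo"], cur["geo"])
            speed = km / hours if hours > 0 else float("inf")   # same-second logins far apart
            if km > 0 and speed > max_kmh:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "km": round(km), "hours": hours})
    return alerts


def new_admin_member(events, admin_groups=("Domain Admins", "Enterprise Admins")):
    """Any addition to a privileged group is alert-worthy regardless of volume."""
    return [{"rule": "new_admin_member", "user": e["user"], "actor": e.get("actor"), "group": e["group"]}
            for e in events if e["type"] == "group_member_added" and e.get("group") in admin_groups]


def log_source_gaps(last_seen, now, max_silence=timedelta(minutes=15)):
    """High-value sources that have stopped sending: a blind spot, not just missing data."""
    return [{"rule": "log_source_gap", "source": s, "silent_min": int((now - t).total_seconds() // 60)}
            for s, t in last_seen.items() if now - t > max_silence]


def run_all(events=EVENTS, last_seen=LAST_SEEN, now=NOW):
    """Run every rule and return the combined alert list."""
    return (brute_force(events) + impossible_travel(events)
            + new_admin_member(events) + log_source_gaps(last_seen, now))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

On the constructed input the run yields exactly four alerts: bob's six failures in 50 seconds, alice's London-to-New-York login 30 minutes apart, svc-backup added to Domain Admins, and the EDR source silent for 95 minutes. Carol's London-to-Paris login four hours later and alice's single typo produce nothing, which is the point of the threshold and speed parameters: raising `threshold` or `max_kmh` is the tuning step 3 describes, and the rule functions' keyword arguments are where that history would be recorded.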

Evidence required

Monitoring coverage documentation

Evidence that critical systems have security monitoring deployed and that logs are flowing to a centralized platform.

  • EDR deployment report showing coverage percentage across endpoints
  • SIEM data source inventory showing which systems are feeding logs
  • Log ingestion dashboard showing volume and completeness across sources

Detection rule configuration

Evidence that detection rules are configured to alert on high-priority security events.

  • SIEM detection rule library with descriptions and tuning history
  • Alert configuration showing enabled rules and notification routing
  • Quarterly detection rule review record

Related controls