This article provides additional information on how you can meet the requirement for the CAF control – C1.c Generating Alerts.
Continuous Monitoring and Alerting
- Continuous monitoring should be in place across systems using intrusion detection and security monitoring tools such as:
  - SIEM / Microsoft Sentinel
  - Microsoft Defender
  - Huntress
  - CrowdStrike
  - RMM-based alerting
- These tools should be centrally configured to detect:
  - Indicators of Compromise (IoCs)
  - behavioural anomalies
  - suspicious activity
- Alerts should be correlated and managed through a centralised detection and response process.
Alert Handling and Prioritisation
- Alerts should be automatically prioritised and enriched with contextual information.
- The security team should review all alerts and manage response actions through the organisation’s incident response workflow.
- Detection rules and alert logic should be routinely reviewed, tuned and updated to maintain accuracy and reduce false positives.
Prompt Incident Identification
Continuous real-time monitoring and alerting ensures potential security incidents are identified quickly, allowing for timely investigation and effective containment.