SM-04 Incident & Security Monitoring

Security Alerting & Anomaly Monitoring

Suspicious access is detected and acted upon.

Domain: Incident & Security Monitoring
Control type: Detective
Automated / manual: Automated
Frequency: Continuous
Framework reference: MAS TRM – Logging

What good looks like

Failed logins, impossible travel and anomalies alert security and are triaged/closed.

Risk if it fails

Undetected brute-force/account takeover.

How Tess tests it

3 tests — each concludes only on cited evidence.

Detection rules defined

Design

Procedure: Inspect SIEM rules.
Expected: Failed-login/impossible-travel rules exist.
Sample: 1 (design inspection)
Evidence: SIEM rules, alert tickets, investigation notes.

Alerts generated and routed to security

Operating

Procedure: Inspect alert routing.
Expected: Routed to security promptly.
Sample: 25 (or full config inspection)
Evidence: SIEM rules, alert tickets, investigation notes.

Alerts triaged and closed

Operating

Procedure: Sample alerts.
Expected: Investigated and documented.
Sample: 25 (or full config inspection)
Evidence: SIEM rules, alert tickets, investigation notes.

Evidence Tess looks for

SIEM rules, alert tickets, investigation notes.

More in Incident & Security Monitoring

SM-01 Logging Standard & Retention SM-02 Access & Privileged Activity Logging SM-03 Time Synchronisation (NTP) SM-05 Endpoint Protection (EDR)

Want Tess to test SM-04 against your evidence?