Identity Reporting & Monitoring Design

💼 Management Summary

Identity monitoring design for real-time detection of security threats, compliance reporting, and audit trail analysis.

Recommendation: IMPLEMENT IDENTITY MONITORING
Risk without implementation: High
Risk score: 8/10
Implementation effort: 20h (technical: 12h)
Applies to:
✓ Azure AD
✓ Sentinel

Identity is the primary attack vector. Monitoring detects account compromises, privilege escalation, insider threats and compliance violations. Azure AD logs to Sentinel for SIEM correlation, automated response and long-term retention.

PowerShell Modules Required
Primary API: Microsoft Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.Reports

Implementation

Monitoring stack: Azure AD logs → Sentinel (SIEM), Workbooks for dashboards, Alert rules (suspicious sign-ins, privilege changes, break-glass usage), Automated response (disable account, revoke sessions), Compliance reports (MFA coverage, passwordless adoption, risky users).

Prerequisites

  1. Azure AD Premium P1/P2
  2. Azure Sentinel workspace
  3. Security Operations Center (SOC) capacity
  4. Incident response procedures

Implementation

Use the PowerShell script reporting-monitoring.ps1 (function Invoke-Remediation) – Monitoring setup.

  1. Azure AD diagnostic settings → Send to Sentinel (all log categories)
  2. Sentinel alert rules: suspicious sign-ins, admin changes, MFA failures
  3. Workbooks: Identity security dashboard, Compliance overview
  4. Automated response playbooks for common scenarios
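The alert rules named in the monitoring stack and in step 2 (MFA failures, privilege changes, break-glass usage), written out as detection logic over constructed sign-in and audit log rows. This is an added example, not part of the baseline's reporting-monitoring.ps1; the simplified field names, the break-glass account name and the privileged role list are assumptions, and in Sentinel the same logic would be expressed as KQL analytics rules over SigninLogs and AuditLogs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows, loosely shaped like Entra ID SigninLogs / AuditLogs (simplified field names, an assumption).
SIGNIN_LOGS = [
    {"time": "2024-05-01T08:00:00Z", "user": "alice@contoso.example", "result": "500121"},
    {"time": "2024-05-01T08:02:00Z", "user": "alice@contoso.example", "result": "500121"},
    {"time": "2024-05-01T08:05:00Z", "user": "alice@contoso.example", "result": "500121"},
    {"time": "2024-05-01T09:00:00Z", "user": "bob@contoso.example", "result": "500121"},
    {"time": "2024-05-01T10:00:00Z", "user": "breakglass1@contoso.example", "result": "0"},
]
AUDIT_LOGS = [
    {"time": "2024-05-01T10:05:00Z", "activity": "Add member to role",
     "target": "carol@contoso.example", "role": "Global Administrator"},
    {"time": "2024-05-01T11:00:00Z", "activity": "Add member to role",
     "target": "dave@contoso.example", "role": "Directory Readers"},
]
BREAK_GLASS_ACCOUNTS = {"breakglass1@contoso.example"}  # assumed emergency-access accounts
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}  # assumed watch list
MFA_FAILED = "500121"  # AADSTS500121: authentication failed during strong authentication request
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def mfa_failure_bursts(signins, threshold=3, window=timedelta(minutes=10)):
    """Alert when one user accumulates >= threshold MFA failures inside a sliding time window."""
    per_user = defaultdict(list)
    for row in signins:
        if row["result"] == MFA_FAILED:
            per_user[row["user"]].append(datetime.strptime(row["time"], TIME_FMT))
    alerts = set()
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.add(("MfaFailureBurst", user))
    return alerts

def break_glass_sign_ins(signins, accounts=BREAK_GLASS_ACCOUNTS):
    """Any successful sign-in (result 0) by an emergency-access account should page the SOC."""
    return {("BreakGlassUsed", r["user"]) for r in signins
            if r["user"] in accounts and r["result"] == "0"}

def privileged_role_grants(audits, roles=PRIVILEGED_ROLES):
    """Membership added to a highly privileged directory role."""
    return {("PrivilegedRoleGranted", a["target"], a["role"]) for a in audits
            if a["activity"] == "Add member to role" and a["role"] in roles}

def run_alert_rules(signins=SIGNIN_LOGS, audits=AUDIT_LOGS):
    """Evaluate every rule and return the alerts sorted for stable triage output."""
    return sorted(mfa_failure_bursts(signins) | break_glass_sign_ins(signins) | privileged_role_grants(audits))
```

Bob's single MFA failure stays below the burst threshold, so only Alice's three failures within five minutes, the break-glass sign-in and the Global Administrator grant produce alerts.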

Monitoring

Use the PowerShell script reporting-monitoring.ps1 (function Invoke-Monitoring) – Check.

Daily: alert triage; Weekly: trend analysis; Monthly: compliance reports; Quarterly: review with management.

Compliance and Auditing

  1. BIO 12.04 - Logging
  2. ISO 27001 A.12.4 - Logging and monitoring
  3. NIS2 art. 21 - Monitoring capabilities

Remediation

Use the PowerShell script reporting-monitoring.ps1 (function Invoke-Remediation) – Remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Identity Reporting & Monitoring Design
.DESCRIPTION
    Implementation for Identity Reporting & Monitoring Design
.NOTES
    Filename: reporting-monitoring.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    Related JSON: content/design/identity/reporting-monitoring.json
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'
$PolicyName = "Identity Reporting & Monitoring Design"
$BIOControl = "16.01"

function Connect-RequiredServices {
    # Primary API is Microsoft Graph (Microsoft.Graph.Reports); reading the
    # sign-in and audit log reports requires these delegated scopes.
    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "reporting-monitoring"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }
    # Compliance check implementation
    # Based on: Design Document
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1
    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    # Remediation implementation
    Write-Host "  Configuration applied" -ForegroundColor Green
    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
}

function Invoke-Monitoring {
    $result = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    return $result
}

function Invoke-Revert {
    Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        }
        else {
            Invoke-Remediation
        }
    }
    elseif ($Revert) {
        Invoke-Revert
    }
    else {
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        }
        else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
    }
}
catch {
    Write-Error $_
}

Risk without implementation

High: identity attacks go undetected, meaning prolonged compromise (months of dwell time), slow incident response and compliance violations (NIS2 24-hour notification). Identity security becomes a blind spot. The risk is HIGH (attack detection).

Management Summary

Identity Reporting & Monitoring: Entra ID logs → Sentinel SIEM; alert rules (suspicious sign-ins, privilege escalation, risky users, failed MFA); dashboards (identity security posture); automated response (block risky users, revoke sessions); workbooks (identity analytics). Activation: Entra ID → Diagnostic settings → Stream to Sentinel + alert rules. Cost: Sentinel ingestion. Mandatory under BIO 16.01, NIS2. Implementation: 12-20 hours. Essential identity threat detection.
Identity Reporting & Monitoring: Entra ID logs β†’ Sentinel SIEM, Alert rules (suspicious sign-ins, privilege escalation, risky users, failed MFA), Dashboards (identity security posture), Automated response (block risky users, revoke sessions), Workbooks (identity analytics). Activatie: Entra ID β†’ Diagnostic settings β†’ Stream to Sentinel + Alert rules. Kosten: Sentinel ingestion. Verplicht BIO 16.01, NIS2. Implementatie: 12-20 uur. Essential identity threat detection.