# Security Monitoring
The security monitoring workflow describes the process for daily Azure Security Center (ASC) monitoring and reporting.
# Monitoring Workflow
Perform the following steps to achieve daily ASC monitoring and reporting:

1. Check the status of the services on the ASC dashboard.

   Note: Two authorized operations engineers are responsible for ServiceNow monitoring and check the ASC dashboard status daily.

2. Record the metrics from the dashboard. The following metrics are recorded as part of the daily security monitoring activity:
   - Security Score
   - Subscriptions Covered
   - Total Resources
   - Total Security Alerts
   - Total High Severity Alerts
   - Total Medium Severity Alerts
   - Total Low Severity Alerts
   - Remediation Performed
   - Exceptions Added

3. Check for deviations in the Alerts section. If a deviation is detected:
   - No: The workflow is concluded.
   - Yes: Proceed to the next step.

4. Create an internal ServiceNow ticket. Create the ServiceNow ticket with the incident categorization set to Security Incident. The operations engineer self-assigns the ticket for follow-up and closure and records the ticket details in the metrics sheet.

5. Check for possible mitigation. Check whether the Operations Team can mitigate the issue directly, for example through configuration changes, removing an account, or similar actions that resolve the issue. If mitigation is confirmed (Yes), follow the steps below for resolution:
   a. Obtain approval from the Ops Head, Cyber Security Head, and Infosec, with the details sent over mail.
   b. Apply the mitigation to prevent further damage.
   c. Ensure that the fix is applied as per step 5b.

6. Check whether the issue is resolved or requires a further permanent fix.
   - No: The workflow is concluded.
   - Yes: Follow the steps below for a permanent fix.
     1. Raise a Sev A ticket to MS: An optional step, only applicable if the issue cannot be managed by the Operations Team.
     2. Notify the Infosec Team via mail: An optional step, only applicable if the issue cannot be managed by the Operations Team.
     3. Work towards a permanent fix: Work with the required teams for resolution.
     4. Issue resolved:
        - Yes: The workflow is concluded.
        - No: Proceed to the next step.
     5. Perform Root Cause Analysis (RCA) with all involved parties: Prepare the RCA and schedule a review call.
     6. Define best practices: Record the best practice and upload it to the SharePoint Portal.
# Monitoring Workflow Diagram
The above procedure is represented in the workflow diagram below: