data sources / sentinel cleanup
adonm authored Nov 7, 2023
1 parent c50bca8 commit 5a5d5df
Showing 10 changed files with 167 additions and 273 deletions.
4 changes: 2 additions & 2 deletions docs/README.md
Expand Up @@ -15,9 +15,8 @@ Baselines are for use as self-assessment checklists, and guidelines are for gene

!!! abstract "Baselines"

The WA SOC has developed a [Baseline for Event Ingestion](baselines/data-sources.md). It's currently under review to align with [MITRE ATT&CK®](https://attack.mitre.org) and develop detection coverage/quality into a standalone baseline. See [MITRE Data Sources](https://attack.mitre.org/datasources/) for SIEM (sensors/events) coverage and [MITRE Tactics](https://attack.mitre.org/tactics/enterprise/) for SIEM automated detection coverage.

- [Security Operations Baseline](baselines/security-operations.md) - aligned with [MITRE 11 Strategies of a World-Class Cybersecurity Operations Center](pdfs/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf) and [ACSC's Cyber Incident Response Plan Resource](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/publications/cyber-incident-response-plan).
- [Detection Coverage Baseline](baselines/data-sources.md) - *[telemetry collection](https://attack.mitre.org/datasources/)* and *[detection analytics](https://attack.mitre.org)* aligned to the [MITRE ATT&CK Framework](https://attack.mitre.org).
- [Vulnerability Management Baseline](baselines/vulnerability-management.md) - focused on undertaking operational **Identify** and **Protect** capabilities.

!!! danger "Critical Infrastructure Entities"
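Review bot: The hunk leaves two different titles for the same document: the abstract paragraph calls baselines/data-sources.md the "Baseline for Event Ingestion" while the bullet list calls it the "Detection Coverage Baseline". Pick one title (the bullet's "Detection Coverage Baseline" matches the broadened scope) and use it in both places, or drop the paragraph now that the bullet covers it. Also, the *detection analytics* link in that bullet points at the ATT&CK root (https://attack.mitre.org) rather than a page about analytics; if no more specific target exists, link it to the baseline document itself.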
Expand All @@ -26,6 +25,7 @@ Baselines are for use as self-assessment checklists, and guidelines are for gene

!!! tip "Guidelines"

- [Supply Chain Risk Management Guideline](guidelines/supply-chain-risk-mgmt.md) - Implementation guidance for [ACSC Cyber Supply Chain Risk Management](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/cyber-supply-chains/cyber-supply-chain-risk-management).
- [Guide to Securing Remote Access Software (CISA)](https://www.cisa.gov/resources-tools/resources/guide-securing-remote-access-software) - remote access software overview, including the malicious use of remote access software, detection methods, and recommendations for all organizations.
- [#StopRansomware Guide (CISA)](https://www.cisa.gov/resources-tools/resources/stopransomware-guide) - one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks.
- [Microsoft Sentinel Guidance](onboarding/sentinel-guidance.md) - Implementation guidance for using Sentinel for [ACSC Guidelines for System Monitoring](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-system-monitoring)
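Review bot: The new Supply Chain Risk Management Guideline bullet and the Microsoft Sentinel Guidance bullet are inconsistent in style with the two CISA items: the first two start their description with a capital ("Implementation guidance for ...") while the CISA items start lowercase, and the Sentinel item is the only one with no trailing full stop. Normalise to one form, e.g. lowercase description and a terminating period, so the Guidelines list reads uniformly.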
130 changes: 106 additions & 24 deletions docs/baselines/data-sources.md

Large diffs are not rendered by default.

79 changes: 0 additions & 79 deletions docs/guidelines/observables-gap-analysis.md

This file was deleted.

11 changes: 11 additions & 0 deletions docs/guidelines/supply-chain-risk-mgmt.md
@@ -0,0 +1,11 @@
# Supply Chain Risk Management Guideline

Agencies should review [ACSC's Questions to Ask Managed Service Providers](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/managed-services/questions-ask-managed-service-providers), especially service providers managing their **network**, **compute** and **file/email (Microsoft 365)** resources. A supporting extract from page 16 and 17 of the [NIST CSF 2.0 Initial Public Draft](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.ipd.pdf) is below, identifying what should be addressed as part of procurement and **contract management**.

!!! note "Managing Cybersecurity Risk in Supply Chains (NIST)"

- **Identify:** Identifying, validating, and recording vulnerabilities associated with the supplier’s product or service [ID.RA-01]
- **Protect:** Authenticating users, services, and hardware [PR.AA-03]; applying appropriate configuration management practices [PR.PS-01]; generating log records and having the logs available for continuous monitoring [PR.PS-04]; and integrating secure software development practices into the supplier’s software development life cycles [PR.PS-07]
- **Detect:** Monitoring computing hardware and software for potentially adverse events [DE.CM-09]
- **Respond:** Executing incident response plans when compromised products or services are involved [RS.MA-01]
- **Recover:** Executing the recovery portion of the organization’s incident response plan when compromised products or services are involved [RC.RP-01], and restoring compromised products or services and verifying their integrity [RC.RP-05]
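Review bot: The extract is sourced from the NIST CSF 2.0 Initial Public Draft (NIST.CSWP.29.ipd.pdf), so the subcategory identifiers quoted in the note (ID.RA-01, PR.AA-03, PR.PS-01, PR.PS-04, PR.PS-07, DE.CM-09, RS.MA-01, RC.RP-01, RC.RP-05) and the page numbers 16 and 17 are tied to a draft that may be renumbered in the final publication; state the draft version and date in the text and plan to re-verify the identifiers once CSF 2.0 is final. Minor: "page 16 and 17" should read "pages 16 and 17". Also confirm that the bullet list under `!!! note` is indented by four spaces in the source file (indentation is not visible in this rendering); mkdocs admonitions only include indented lines, so an unindented list renders outside the note box.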
36 changes: 0 additions & 36 deletions docs/onboarding/onboarding-support.md

This file was deleted.


0 comments on commit 5a5d5df