SI-7(7)—Integration Of Detection And Response
MODERATE
HIGH
>Control Description
Incorporate the detection of the following unauthorized changes into the organizational incident response capability: ⚙organization-defined security-relevant changes to the system.
>Cross-Framework Mappings
>Programmatic Queries
Beta
Related Services
Amazon GuardDuty
AWS Lambda
AWS Systems Manager
CLI Commands
Get GuardDuty findings for integrity violations
aws guardduty list-findings --detector-id detector-id --finding-criteria '{"Criterion":{"type":{"Eq":["CryptoCurrency:EC2/BitcoinTool.B","Trojan:EC2/DGADomainRequest.C"]}}}'Create Lambda function for automated response
aws lambda create-function --function-name IntegrityResponseFunction --runtime python3.11 --role arn:aws:iam::123456789012:role/lambda-role --handler index.handler --zip-file fileb://function.zipSet up EventBridge rule to trigger response
aws events put-targets --rule security-findings-rule --targets Id=1,Arn=arn:aws:lambda:us-east-1:123456789012:function:IntegrityResponseFunctionCreate Systems Manager automation for remediation
aws ssm create-document --content file://remediation.json --document-type Automation --name IntegrityRemediationPlaybook>Supplemental Guidance
Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies and procedures govern integration of detection and response?
- •Who is responsible for monitoring system and information integrity?
- •How frequently are integrity monitoring processes reviewed and updated?
Technical Implementation:
- •What technical controls detect and respond to integration of detection and response issues?
- •How are integrity violations identified and reported?
- •What automated tools support system and information integrity monitoring?
- •What systems and events are monitored for integrity violations?
Evidence & Documentation:
- •Can you provide recent integrity monitoring reports or alerts?
- •What logs demonstrate that SI-7(7) is actively implemented?
- •Where is evidence of integrity monitoring maintained and for how long?
- •Can you provide examples of integrity monitoring alerts and responses?
Ask AI
Configure your API key to use AI features.