CISA.MS.EXO.16.2 - Alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system.
Overview
Alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system.
Rationale: Suspicious or malicious events that are not resolved promptly may have a greater impact on users and the agency. Sending alerts to a monitored email address or a SIEM system helps ensure that these events are seen and acted upon in a timely manner, limiting the overall impact.
Remediation action:
- Sign in to Microsoft 365 Defender.
- Select Settings.
- Select either:
  - Microsoft Sentinel.
  - Defender XDR, and under General, select Streaming API.
- Ensure a SIEM integration is configured for your organization.
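The portal steps above verify the SIEM half of the requirement. The other half, that alert notifications actually go to a monitored mailbox, can be checked from Security & Compliance PowerShell. The script below is an added example for this page; it is not the Maester `Test-MtCisaExoAlertSiem` implementation and may check differently from it. It assumes the ExchangeOnlineManagement module is installed, that `Connect-IPPSSession` opens a session exposing `Get-ProtectionAlert`, and that the `$monitoredAddresses` list is your own (the `soc-alerts@contoso.com` value is a placeholder).

```powershell
# Added example: report alert policies whose notifications do not reach a monitored mailbox.
# Not the Maester test's own logic. Requires the ExchangeOnlineManagement module.
Connect-IPPSSession

# Hypothetical: the mailbox(es) your SOC actually watches. Replace with your own.
$monitoredAddresses = @('soc-alerts@contoso.com')

# Get-ProtectionAlert returns every alert policy in the tenant, including the built-in ones.
$policies = Get-ProtectionAlert

$report = foreach ($p in $policies) {
    # NotifyUser holds the notification recipients; coerce to an array so a single
    # value or $null is handled the same way as a list.
    $recipients = @($p.NotifyUser)

    # -contains is case-insensitive, so address casing does not cause false negatives.
    $routed = ($recipients | Where-Object { $monitoredAddresses -contains $_ }).Count -gt 0

    [pscustomobject]@{
        Name                = $p.Name
        Disabled            = $p.Disabled
        NotificationEnabled = $p.NotificationEnabled
        Recipients          = ($recipients -join '; ')
        ToMonitoredAddress  = $routed
    }
}

# Enabled alert policies that are not delivered to any watched mailbox are the
# ones that need attention under MS.EXO.16.2.
$findings = $report | Where-Object { -not $_.Disabled -and -not $_.ToMonitoredAddress }
$findings | Format-Table Name, NotificationEnabled, Recipients -AutoSize

# Summary line for a ticket or evidence file.
"{0} of {1} enabled alert policies are not routed to a monitored address" -f `
    $findings.Count, ($report | Where-Object { -not $_.Disabled }).Count
```

Recipients that are not explicit mailboxes (for example, role-based defaults on built-in policies) will show up as not matching the list; decide deliberately whether such a policy is already covered by the SIEM integration before treating it as a finding. Re-run the report after changing recipients with `Set-ProtectionAlert -NotifyUser` to confirm the change.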
Related links
- Defender admin center - Alert policy
- Defender admin center - Streaming API
- Defender admin center - Sentinel workspaces
- CISA 16 Alerts - MS.EXO.16.2
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.16.2 |
| Severity | Medium |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaExoAlertSiem |
| Tags | CISA, CISA.MS.EXO.16.2, MS.EXO, MS.EXO.16.2 |
Source
- Pester test: tests/cisa/exchange/Test-MtCisaExoAlertSiem.Tests.ps1
- PowerShell source: powershell/public/cisa/exchange/Test-MtCisaExoAlertSiem.ps1