This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.
It is meant as quick reference material for day-to-day use of the product.
Cloud provider monitoring
What are the differences between CloudWatch monitoring metrics (AWS) and general monitoring for cloud infrastructure?
CloudWatch is Amazon's built-in monitoring tool for AWS. It automatically tracks things like CPU usage, memory, and errors for AWS services like EC2, Lambda, and RDS. It’s tightly integrated with the AWS ecosystem and works out of the box for most resources.
In contrast, general cloud monitoring tools like Datadog, New Relic, or Prometheus are designed to work across multiple cloud providers (like AWS, Azure, and GCP) and even on-prem systems. They often offer more advanced features, like deeper application performance insights, customizable dashboards, and the ability to combine data from different sources.
So the main difference is: CloudWatch is great if you’re fully on AWS, while general tools are better if you need broader visibility, more customization, or multi-cloud support.
Logging and monitoring
Does the use of Cloud Armor WAF satisfy the requirement for a threat detection solution actively monitoring for threats to cloud infrastructure? Would WAF logs be acceptable evidence or does another solution work better?
A WAF mainly covers firewall-related issues. A more holistic or analytical solution is needed for cloud threat detection. AWS GuardDuty or Azure Defender are better options for this.
How do I set up monitoring for cloud infrastructure in Google Cloud Platform (GCP)?
To pass this test, validate that GCP is configured to monitor for security-related and performance-related events. This is typically done through GCP’s Security Command Center.
Purpose of Monitoring
Gain real-time insight into system health and performance
Detect anomalies and potential security issues as they occur
Support proactive problem resolution and SLA compliance
Provide dashboards and visualizations for informed decision-making
Key Components
Monitoring: Real-time observation and analysis of systems/networks
Logging: Recording events for historical analysis (via Cloud Logging)
Alerting: Notifying relevant teams when specific conditions are met
GCP’s Cloud Logging aggregates logs from all GCP services and custom apps, viewable via Logs Explorer with advanced filtering and search capabilities.
How to Pass This Test
During audit readiness prep and at least once per audit window: upload evidence showing an active monitoring dashboard in GCP Security Command Center.
The dashboard should track:
Failed logins
Administrator activity (account, permissions, configuration changes)
Capacity/availability metrics
Error events
Screenshots must show:
A visible date from the computer display
The source (e.g., URL) where the screenshot was taken
Reference: [GCP Monitoring Documentation](https://cloud.google.com/monitoring/docs)
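As an added example (not Secureframe's or Google's code), the following Python sorts Cloud Audit Log entries into the four classes the dashboard above should track, so you can check what your exported logs actually contain before building the dashboard. The log names and method names follow GCP's published audit-log format; the sample entries and the sub-typing of admin activity by method-name keywords are assumptions for illustration.

```python
from collections import Counter

ERROR_SEVERITIES = {"ERROR", "CRITICAL", "ALERT", "EMERGENCY"}
UNAUTHENTICATED = 16  # google.rpc.Code carried in protoPayload.status.code
ACTIVITY_LOG = "cloudaudit.googleapis.com%2Factivity"  # Admin Activity audit log suffix

# Constructed sample entries (not real customer data), trimmed to the fields read below.
SAMPLE_ENTRIES = [
    {"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Fdata_access", "severity": "NOTICE",
     "protoPayload": {"methodName": "google.login.LoginService.loginFailure",
                      "authenticationInfo": {"principalEmail": "alice@example.com"}}},
    {"logName": "projects/demo/logs/" + ACTIVITY_LOG, "severity": "NOTICE",
     "protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}}},
    {"logName": "projects/demo/logs/" + ACTIVITY_LOG, "severity": "NOTICE",
     "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}}},
    {"logName": "projects/demo/logs/" + ACTIVITY_LOG, "severity": "ERROR",
     "protoPayload": {"methodName": "v1.compute.instances.setMetadata",
                      "status": {"code": 7, "message": "PERMISSION_DENIED"},
                      "authenticationInfo": {"principalEmail": "ci@demo.iam.gserviceaccount.com"}}},
    {"logName": "projects/demo/logs/run.googleapis.com%2Fstderr", "severity": "ERROR",
     "textPayload": "Traceback (most recent call last): ..."},
    {"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Fdata_access", "severity": "INFO",
     "protoPayload": {"methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": "alice@example.com"}}},
]

def classify(entry):
    """Map one entry to a dashboard class, or None for routine activity.
    Precedence: failed login, then admin activity (sub-typed by method name), then error."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    status_code = payload.get("status", {}).get("code", 0)
    if method == "google.login.LoginService.loginFailure" or status_code == UNAUTHENTICATED:
        return "failed_login"
    if entry.get("logName", "").endswith(ACTIVITY_LOG):
        if "IamPolicy" in method or "Role" in method:
            return "admin_activity:permissions"
        if "ServiceAccount" in method or "User" in method:
            return "admin_activity:account"
        return "admin_activity:configuration"  # denied writes stay visible here, not as errors
    if entry.get("severity") in ERROR_SEVERITIES or status_code:
        return "error_event"
    return None

def summarize(entries):
    """Count entries per dashboard class, dropping routine ones."""
    return Counter(c for c in map(classify, entries) if c)
```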
How do we handle monitoring for web applications, and what counts as a web application?
A web application refers to any software your organization hosts or delivers over the internet—such as a customer portal, internal admin tool, or SaaS platform. It typically runs in a browser and interacts with back-end systems via APIs or cloud infrastructure.
When it comes to monitoring:
You should monitor anything that supports your web application—this may include infrastructure (e.g., AWS, GCP), security tooling, logging systems, or CI/CD pipelines.
Monitoring should allow relevant personnel to view activity logs, usage data, access patterns, and security alerts in real time or near real time.
If your organization does not operate any web applications, you can mark this control as out of scope. The auditor will expect that decision to be well justified.
How should an entity keep logging tools aligned with any changes in their environment?
The entity should periodically review the settings of its logging tools and update them to reflect any changes in the environment, so that new systems, services, and accounts are covered as they are introduced.
How should we handle the “Blob container data restrictions (Azure)” test if the tagged containers are used for logging or support storage, not for storing business-critical customer data?
This test specifically checks for immutability in Azure Blob Storage—ensuring data cannot be altered or deleted (WORM: Write Once, Read Many). While immutability is important for log storage and evidence integrity, it may not be required for all use cases.
Recommended approach:
Review usage: Document what each blob container is used for (e.g., logging, support storage, customer data).
For customer-facing or business-critical data: Implement immutability policies where possible. At minimum, ensure versioning and soft delete are enabled.
For non-critical or programmatically written data:
Provide documentation of the container’s intended use.
If immutability is not appropriate, consider adding this as a risk exception and disabling the test for the assessment.
For SOC 2: While not always a hard requirement, immutability for logs is strongly recommended to ensure evidence can’t be modified after creation.
Tip: Even if exempting, clearly record the rationale so auditors can see the security consideration was evaluated.
Is it okay to disable the Transfer Family logging test (AWS)? We are not using managed workflows, which are a requirement for enabling that logging.
Yes, as long as you are passing the other logging/monitoring tests in the platform.
What logging is expected for the web application tests?
This is subjective and varies from organization to organization. However, most would monitor uptime, availability, unusual behavior, admin actions, etc. Cloud system access logs are good examples of evidence.
We recently enabled VPC flow logs as part of the “Client logging for critical information in its cloud infrastructure” test. We're concerned about how much these logs cost for our instance.
VPC flow logs are not an absolute must. The intent of the control is to ensure that cloud infrastructure activity is logged and monitored. If this can be done without enabling VPC flow logs, that is acceptable.
What do file integrity monitoring or change-detection systems check for?
File integrity monitoring or change-detection systems check for changes to critical files and notify when such changes are identified.
What do logging and analyzing security-relevant events enable an organization to do?
Logging and analyzing security-relevant events enable an organization to identify and trace potentially malicious activities.
What files does an entity usually monitor for file integrity monitoring purposes?
For file integrity monitoring purposes, an entity usually monitors files that do not regularly change, but when changed, indicate a possible compromise.
What is continuous monitoring?
We continuously detect and remediate misconfigurations across your technology stack, providing complete visibility with actionable insights on critical security, privacy, and compliance issues.
What should be done to monitoring devices or mechanisms?
Monitoring devices or mechanisms are protected from tampering or disabling.
What should be examined to verify the use of file integrity monitoring or change-detection software on audit logs?
Examine system settings, monitored files, and results from monitoring activities to verify the use of file integrity monitoring or change-detection software on audit logs.
What should not generate an alert when monitoring changes to audit logs?
New log data being added to an audit log should not generate an alert.
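The two points above (monitor files that rarely change and alert when they do; do not alert when an audit log merely receives new entries) can be combined in one check. The following Python is an added example, not Secureframe's code or any particular FIM product's logic: it baselines each file's size and hash, flags any change to a critical file, and treats an append-only log as routine when its original bytes are intact and it has only grown. The file names and contents in demo() are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def take_baseline(paths):
    """Record size and full-content hash for each monitored file."""
    baseline = {}
    for path in paths:
        with open(path, "rb") as f:
            data = f.read()
        baseline[path] = {"size": len(data), "sha256": sha256(data)}
    return baseline

def check(baseline, append_only=()):
    """Verdicts: unchanged, appended (routine log growth, no alert), MODIFIED, MISSING."""
    verdicts = {}
    for path, base in baseline.items():
        if not os.path.exists(path):
            verdicts[path] = "MISSING"
            continue
        with open(path, "rb") as f:
            data = f.read()
        if len(data) == base["size"] and sha256(data) == base["sha256"]:
            verdicts[path] = "unchanged"
        elif (path in append_only and len(data) > base["size"]
              and sha256(data[: base["size"]]) == base["sha256"]):
            verdicts[path] = "appended"  # caller should re-baseline at the new size
        else:
            verdicts[path] = "MODIFIED"  # edit, truncation, or rewrite of existing log bytes
    return verdicts

def demo():
    """Constructed scenario in a temp dir: one config file and two append-only audit logs."""
    with tempfile.TemporaryDirectory() as d:
        cfg, log, tampered = (Path(d, n) for n in ("sshd_config", "audit.log", "auth.log"))
        cfg.write_text("PermitRootLogin no\n")
        log.write_text("t=1 user=alice login ok\n")
        tampered.write_text("t=1 sudo by bob\n")
        baseline = take_baseline([cfg, log, tampered])
        with log.open("a") as f:                              # routine: new audit data appended
            f.write("t=2 user=alice logout\n")
        cfg.write_text("PermitRootLogin yes\n")               # alert: critical config changed
        tampered.write_text("t=1 sudo by nobody\nt=2 ok\n")  # alert: existing line rewritten
        return {p.name: v for p, v in check(baseline, {log, tampered}).items()}
```

A rewritten or truncated audit log fails the prefix check even if it ends up larger than the baseline, which is the tampering case the alert is for.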
What would pass as evidence for having monitoring enabled for critical information in its web application(s)?
The auditor will want to see that you are monitoring for events of interest or those that are important to your organization.
Logs and retention
A system audit log is the tracking of activity on a system and/or account level. What best describes audit logging for your product or service?
Application logs and production system logs are sent in real-time to a centralized logging infrastructure. These logs are not directly accessible outside our organization.
What should be examined to verify that audit log retention policies and procedures are defined?
Examine documentation to verify that the following is defined: Audit log retention policies, and Procedures for retaining audit log history for at least 12 months, with at least the most recent three months immediately available online.
Where can I find additional guidance on effective daily log monitoring?
Refer to the Information Supplement: Effective Daily Log Monitoring for additional guidance.
SIEM and third-party platforms
Are SIEM tools required for compliance?
SIEM solutions are not a hard requirement for all frameworks, but they are best practice for aggregating and analyzing logs. AWS GuardDuty and GCP Security Command Center serve as cloud-based SIEM tools that monitor and alert on events.
Do we have any suggested tools to satisfy SIEM for customers that don't use any of the major cloud providers?
Wazuh is a great cost-effective option, but Splunk, Sumo Logic, and New Relic are also good options.
Does Secureframe support Azure, AWS, Defender, and Sentinel integrations for Government (Gov/GovCloud) environments at the tenant root group or organization level?
Currently, Government support is limited to individual accounts or subscriptions only.
Azure: Government is supported only for an individual subscription. Selecting Tenant root group defaults to Commercial and does not work for Government.
AWS: GovCloud is supported only for an individual account. Selecting Organization defaults to Commercial and does not work for GovCloud.
Microsoft Defender & Microsoft Sentinel: These are supported only at the individual subscription level for Commercial environments.
Support for tenant root group or organization-level configuration in Government environments would require a new feature request.
Does Secureframe support Microsoft Sentinel Government?
Yes! Secureframe now supports Microsoft Sentinel Government as an integration.
How does the type of SIEM deployment (e.g., on-premise, cloud) affect its assessment?
Because of the wide range of SIEM tools available (on-premise hardware appliance; on-premise virtual appliance; or cloud based), methods of assessing the SIEM will also vary.
How is Sumo Logic used for auditing purposes?
Sumo Logic is a cloud-based log management and analytics platform used to collect, monitor, and analyze logs and events from systems, applications, and infrastructure.
At its core, Sumo Logic enables teams to maintain visibility into system behavior and user activity, which is essential for proving adherence to security and compliance controls.
If my SIEM or log data is hosted or maintained by an External Service Provider (ESP), is the ESP in scope?
Yes, if the SIEM and/or associated log data is hosted or maintained by an ESP, then the portion of the ESP that is used to provide the SIEM service or log storage is part of the OSA’s assessment scope.
Is a specific SentinelOne license required to fully utilize the integration?
Yes, to fully utilize the Secureframe integration with SentinelOne, a specific SentinelOne license is required.
We recommend SentinelOne Control or Complete license tiers, because these tiers provide the necessary API access and features for integration.
Additional customer questions
What is a key data source used by network defenders?
DNS queries and responses are a key data source used by network defenders in support of incident response as well as intrusion discovery.
What does having centrally stored log history allow investigators to do?
Having centrally stored log history allows investigators to better determine the length of time a potential breach was occurring, and the possible system(s) impacted.
What should be examined to verify that current audit log files are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify?
Examine backup configurations or log files to verify that current audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.
Why is it important to promptly back up logs to a centralized log server or media that is difficult to alter?
Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected, even if the system generating the logs becomes compromised.