NIST Cybersecurity Framework: Tools and References from Microsoft – Detect Function

Sergey Tsygalnitsky

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary guidance – a set of industry standards and best practices – for reducing cybersecurity risks to critical infrastructure. Organizations that want to utilize the framework may find the task daunting at first, but it is helpful to remember that many of the subcategories in the framework can be accomplished with products and technologies they are already using.

Countless organizations around the globe rely on Microsoft technology to achieve their objectives. Understanding how Microsoft products and technologies relate to the NIST Cybersecurity Framework can help customers make significant progress in implementing it. After having several customers and partners ask me about utilizing the NIST Cybersecurity Framework, I’ve begun mapping Microsoft products and architectural references to subcategories of the framework.

This post provides mapping for the Detect function. There’s more to come on this as I work through the Respond and Recover functions.

Identify function mapping

Protect function mapping

Learn more about the NIST Cybersecurity Framework

Download the NIST Cybersecurity Framework PDF

Detect function mapping

About the mapping

In the tables below, I’ve mapped Microsoft products and architectural references to subcategories of the Protect function in the Framework. The resources listed reflect product information and how-to documentation, and do not include Microsoft service offerings (for example, Premier or MCS). Where I’ve left subcategories blank, the activity should be covered by the implementing organization utilizing internal resources or third parties. For Microsoft partners, that white space is the opportunity to step in and provide much needed services.

If you have a resource to add to the list below, share your feedback with me in the Enterprise Security + Mobility Partners Yammer group.

Anomalies and Events (DE.AE)

Anomalous activity is detected in a timely manner and the potential impact of events is understood.


A baseline of network operations and expected data flows for users and systems is established and managed


Detected events are analyzed to understand attack targets and methods


Event data are aggregated and correlated from multiple sources and sensors


Impact of events is determined


Incident alert thresholds are established

Security Continuous Monitoring (DE.CM)

The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.


The network is monitored to detect potential cybersecurity events


The physical environment is monitored to detect potential cybersecurity events


Personnel activity is monitored to detect potential cybersecurity events


Malicious code is detected


Unauthorized mobile code is detected


External service provider activity is monitored to detect potential cybersecurity events


Monitoring for unauthorized personnel, connections, devices, and software is performed


Vulnerability scans are performed

Detection Processes (DE.DP)

Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.


Roles and responsibilities for detection are well defined to ensure accountability


Detection activities comply with all applicable requirements


Detection processes are tested


Event detection information is communicated to appropriate parties


Detection processes are continuously improved

Microsoft security resources

Microsoft Trust Center

Microsoft Cybersecurity website

Microsoft Secure website

Skip to main content