NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY
SI-4(6) — Restrict Non-privileged Users
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
SI-4(6) requires preventing non-privileged users from circumventing intrusion detection and prevention capabilities. In practice that means restricting who can reach monitoring tools and data: non-privileged users should not be able to view security alerts, change detection rules, or disable or reconfigure the agents and sensors that feed the monitoring system.
Example 1: Use role-based access control in your SIEM to separate who can view security events, who can create or modify detection rules, and who can access incident data. Regular IT staff get read-only access to logs from the systems they administer; only the security team gets full access to all events and to the SIEM configuration. Treat the ability to edit or disable a detection rule as a privileged action and log every use of it.
Example 2: In Microsoft Sentinel, use Azure RBAC on the Log Analytics workspace (or the resource group that contains it) to control access. Assign the built-in Microsoft Sentinel Reader role to operations staff and Microsoft Sentinel Contributor only to the security analysts who maintain analytics rules and data connectors; Microsoft Sentinel Responder fits analysts who triage incidents but should not edit rules. Audit role assignments on the workspace quarterly, and include assignments inherited from the resource group and subscription: anyone holding Owner, Contributor, or Log Analytics Contributor at a higher scope can change the workspace and its data collection regardless of which Sentinel role they were given.
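The quarterly access review in Example 2 can be scripted. The Python below is an added example, not part of this page or of Microsoft's tooling: it takes the JSON that `az role assignment list --scope <workspace id> --include-inherited -o json` produces (a constructed sample with hypothetical names and resource IDs is embedded, using only the fields the audit needs) and flags every principal outside an allow-listed security team that holds a role able to change Sentinel content or the workspace, including roles inherited from the resource group or subscription. Which roles count as "write" is the author's assumption for this example; adjust the set to your environment.

```python
import json

# Hypothetical resource IDs for the Log Analytics workspace that hosts
# Microsoft Sentinel and the scopes above it (assumptions, not real values).
SUBSCRIPTION_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP_SCOPE = SUBSCRIPTION_SCOPE + "/resourceGroups/rg-sentinel"
WORKSPACE_SCOPE = (
    RESOURCE_GROUP_SCOPE
    + "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"
)

# Built-in Azure roles that let a principal change analytics rules, data
# connectors, workspace data collection, or role assignments themselves.
# For SI-4(6), everyone holding one of these at or above the workspace is a
# privileged user, whatever Sentinel-specific role they were also given.
WRITE_ROLES = {
    "Owner",
    "Contributor",
    "User Access Administrator",       # can grant itself any other role
    "Microsoft Sentinel Contributor",
    "Log Analytics Contributor",       # can reconfigure workspace ingestion
}

# Principals permitted to hold write roles (hypothetical security team).
# Groups are matched by display name only; expand their membership separately.
SECURITY_TEAM = {"alice@contoso.com", "sg-security-operations"}

# Constructed sample in the shape of
#   az role assignment list --scope <workspace id> --include-inherited -o json
# restricted to the fields this audit reads.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Microsoft Sentinel Contributor", "scope": WORKSPACE_SCOPE},
    {"principalName": "bob@contoso.com", "principalType": "User",
     "roleDefinitionName": "Microsoft Sentinel Reader", "scope": WORKSPACE_SCOPE},
    {"principalName": "carol@contoso.com", "principalType": "User",
     "roleDefinitionName": "Microsoft Sentinel Contributor", "scope": WORKSPACE_SCOPE},
    {"principalName": "sg-platform-admins", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUBSCRIPTION_SCOPE},
    {"principalName": "sg-security-operations", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": RESOURCE_GROUP_SCOPE},
]


def load_assignments(path):
    """Load the JSON written by `az role assignment list ... -o json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def normalize_scope(scope):
    return scope.rstrip("/").lower()


def is_inherited(assignment_scope, workspace_scope):
    """True when the assignment was made above the workspace (resource group,
    subscription or management group) and reaches it by inheritance.
    Management-group scopes do not share the /subscriptions/... prefix, so an
    inequality check is used rather than prefix matching."""
    return normalize_scope(assignment_scope) != normalize_scope(workspace_scope)


def audit_assignments(assignments, security_team, workspace_scope):
    """Return one finding per assignment that gives a write role to a principal
    outside the security team. Read-only roles are not reported because
    operations staff are expected to hold them."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        if role not in WRITE_ROLES:
            continue
        principal = a.get("principalName") or a.get("principalId", "<unknown>")
        if principal in security_team:
            continue
        scope = a.get("scope", "")
        findings.append({
            "principal": principal,
            "principalType": a.get("principalType", "Unknown"),
            "role": role,
            "scope": scope,
            "inherited": is_inherited(scope, workspace_scope),
        })
    return findings


def format_report(findings):
    """Render findings as a short text report for the review record."""
    if not findings:
        return "OK: no write roles outside the security team"
    lines = [f"FAIL: {len(findings)} write role assignment(s) outside the security team"]
    for f in findings:
        where = ("inherited from " + f["scope"]) if f["inherited"] else "direct on workspace"
        note = " (group: check membership)" if f["principalType"] == "Group" else ""
        lines.append(f"  {f['principal']}{note}: {f['role']}, {where}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    data = load_assignments(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ASSIGNMENTS
    print(format_report(audit_assignments(data, SECURITY_TEAM, WORKSPACE_SCOPE)))
```

Run it with the exported JSON as the first argument, or with no argument to see the constructed sample, which yields two findings: carol holds Microsoft Sentinel Contributor directly on the workspace without being on the security team, and the sg-platform-admins group holds Contributor at subscription scope, an inherited grant that a workspace-only review would miss. Group findings still need the group's membership expanded before the review is closed.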