Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Azure Security Benchmark Posture Changed

Back
Id0610e72f-ceaf-42d1-879e-952a1bd8d07a
RulenameAzure Security Benchmark Posture Changed
DescriptionThis alert is designed to monitor Azure policies aligned with the Azure Security Benchmark Regulatory Compliance initiative. The alert triggers when policy compliance falls below 70% within a 1 week time-frame.
SeverityMedium
TacticsDiscovery
TechniquesT1082
KindScheduled
Query frequency7d
Query period7d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark/Analytic Rules/AzureSecurityBenchmarkPostureChanged.yaml
Version1.0.1
Arm template0610e72f-ceaf-42d1-879e-952a1bd8d07a.json
Deploy To Azure
let Last_Evaluated=SecurityRecommendation
| join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "Azure-Security-Benchmark") on RecommendationName
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName
| extend ComplianceDomain=iff(ComplianceControl contains "NS.", "Network Security", iff(ComplianceControl contains "IM.", "Identity Management", iff(ComplianceControl contains "PA.", "Privileged Access", iff(ComplianceControl contains "DP.", "Data Protection", iff(ComplianceControl contains "AM.", "Asset Management", iff(ComplianceControl contains "LT.", "Logging & Threat Detection", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "PV.", "Posture & Vulnerability Management", iff(ComplianceControl contains "ES.", "Endpoint Security", iff(ComplianceControl contains "BR.", "Backup & Recovery", iff(ComplianceControl startswith "DS.", "DevOps Security", iff(ComplianceControl contains "GS.", "Governance & Strategy", "Other"))))))))))));
SecurityRecommendation
| join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "Azure-Security-Benchmark") on RecommendationName
| extend ComplianceDomain=iff(ComplianceControl contains "NS.", "Network Security", iff(ComplianceControl contains "IM.", "Identity Management", iff(ComplianceControl contains "PA.", "Privileged Access", iff(ComplianceControl contains "DP.", "Data Protection", iff(ComplianceControl contains "AM.", "Asset Management", iff(ComplianceControl contains "LT.", "Logging & Threat Detection", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "PV.", "Posture & Vulnerability Management", iff(ComplianceControl contains "ES.", "Endpoint Security", iff(ComplianceControl contains "BR.", "Backup & Recovery", iff(ComplianceControl startswith "DS.", "DevOps Security", iff(ComplianceControl contains "GS.", "Governance & Strategy", "Other"))))))))))))
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName
| summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain
| extend PassedControlsPercentage = (Passed/todouble(Total))*100
| join (Last_Evaluated) on ComplianceDomain
| project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated
| summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed
| where PassedControlsPercentage < 70 
| sort by PassedControlsPercentage, Passed desc
| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
relevantTechniques:
- T1082
name: Azure Security Benchmark Posture Changed
requiredDataConnectors: []
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: RemediationLink
  entityType: URL
triggerThreshold: 0
id: 0610e72f-ceaf-42d1-879e-952a1bd8d07a
tactics:
- Discovery
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark/Analytic Rules/AzureSecurityBenchmarkPostureChanged.yaml
queryPeriod: 7d
kind: Scheduled
queryFrequency: 7d
severity: Medium
description: |
    'This alert is designed to monitor Azure policies aligned with the Azure Security Benchmark Regulatory Compliance initiative. The alert triggers when policy compliance falls below 70% within a 1 week time-frame.'
query: |
  let Last_Evaluated=SecurityRecommendation
  | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "Azure-Security-Benchmark") on RecommendationName
  | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName
  | extend ComplianceDomain=iff(ComplianceControl contains "NS.", "Network Security", iff(ComplianceControl contains "IM.", "Identity Management", iff(ComplianceControl contains "PA.", "Privileged Access", iff(ComplianceControl contains "DP.", "Data Protection", iff(ComplianceControl contains "AM.", "Asset Management", iff(ComplianceControl contains "LT.", "Logging & Threat Detection", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "PV.", "Posture & Vulnerability Management", iff(ComplianceControl contains "ES.", "Endpoint Security", iff(ComplianceControl contains "BR.", "Backup & Recovery", iff(ComplianceControl startswith "DS.", "DevOps Security", iff(ComplianceControl contains "GS.", "Governance & Strategy", "Other"))))))))))));
  SecurityRecommendation
  | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "Azure-Security-Benchmark") on RecommendationName
  | extend ComplianceDomain=iff(ComplianceControl contains "NS.", "Network Security", iff(ComplianceControl contains "IM.", "Identity Management", iff(ComplianceControl contains "PA.", "Privileged Access", iff(ComplianceControl contains "DP.", "Data Protection", iff(ComplianceControl contains "AM.", "Asset Management", iff(ComplianceControl contains "LT.", "Logging & Threat Detection", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "PV.", "Posture & Vulnerability Management", iff(ComplianceControl contains "ES.", "Endpoint Security", iff(ComplianceControl contains "BR.", "Backup & Recovery", iff(ComplianceControl startswith "DS.", "DevOps Security", iff(ComplianceControl contains "GS.", "Governance & Strategy", "Other"))))))))))))
  | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName
  | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain
  | extend PassedControlsPercentage = (Passed/todouble(Total))*100
  | join (Last_Evaluated) on ComplianceDomain
  | project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated
  | summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed
  | where PassedControlsPercentage < 70 
  | sort by PassedControlsPercentage, Passed desc
  | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')  
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0610e72f-ceaf-42d1-879e-952a1bd8d07a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0610e72f-ceaf-42d1-879e-952a1bd8d07a')]",
      "properties": {
        "alertRuleTemplateName": "0610e72f-ceaf-42d1-879e-952a1bd8d07a",
        "customDetails": null,
        "description": "'This alert is designed to monitor Azure policies aligned with the Azure Security Benchmark Regulatory Compliance initiative. The alert triggers when policy compliance falls below 70% within a 1 week time-frame.'\n",
        "displayName": "Azure Security Benchmark Posture Changed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RemediationLink",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark/Analytic Rules/AzureSecurityBenchmarkPostureChanged.yaml",
        "query": "let Last_Evaluated=SecurityRecommendation\n| join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == \"Azure-Security-Benchmark\") on RecommendationName\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName\n| extend ComplianceDomain=iff(ComplianceControl contains \"NS.\", \"Network Security\", iff(ComplianceControl contains \"IM.\", \"Identity Management\", iff(ComplianceControl contains \"PA.\", \"Privileged Access\", iff(ComplianceControl contains \"DP.\", \"Data Protection\", iff(ComplianceControl contains \"AM.\", \"Asset Management\", iff(ComplianceControl contains \"LT.\", \"Logging & Threat Detection\", iff(ComplianceControl contains \"IR.\", \"Incident Response\", iff(ComplianceControl contains \"PV.\", \"Posture & Vulnerability Management\", iff(ComplianceControl contains \"ES.\", \"Endpoint Security\", iff(ComplianceControl contains \"BR.\", \"Backup & Recovery\", iff(ComplianceControl startswith \"DS.\", \"DevOps Security\", iff(ComplianceControl contains \"GS.\", \"Governance & Strategy\", \"Other\"))))))))))));\nSecurityRecommendation\n| join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == \"Azure-Security-Benchmark\") on RecommendationName\n| extend ComplianceDomain=iff(ComplianceControl contains \"NS.\", \"Network Security\", iff(ComplianceControl contains \"IM.\", \"Identity Management\", iff(ComplianceControl contains \"PA.\", \"Privileged Access\", iff(ComplianceControl contains \"DP.\", \"Data Protection\", iff(ComplianceControl contains \"AM.\", \"Asset Management\", iff(ComplianceControl contains \"LT.\", \"Logging & Threat Detection\", iff(ComplianceControl contains \"IR.\", \"Incident Response\", iff(ComplianceControl contains \"PV.\", \"Posture & Vulnerability Management\", iff(ComplianceControl contains \"ES.\", \"Endpoint Security\", iff(ComplianceControl contains \"BR.\", \"Backup & Recovery\", iff(ComplianceControl startswith \"DS.\", \"DevOps Security\", iff(ComplianceControl contains \"GS.\", \"Governance & Strategy\", \"Other\"))))))))))))\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName\n| summarize Failed = countif(RecommendationState == \"Unhealthy\"), Passed = countif(RecommendationState == \"Healthy\"), Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\") by ComplianceDomain\n| extend PassedControlsPercentage = (Passed/todouble(Total))*100\n| join (Last_Evaluated) on ComplianceDomain\n| project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated\n| summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed\n| where PassedControlsPercentage < 70 \n| sort by PassedControlsPercentage, Passed desc\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n",
        "queryFrequency": "P7D",
        "queryPeriod": "P7D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1082"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}