Azure Security Benchmark Posture Changed
| Id | 0610e72f-ceaf-42d1-879e-952a1bd8d07a |
| Rulename | Azure Security Benchmark Posture Changed |
| Description | This alert is designed to monitor Azure policies aligned with the Azure Security Benchmark Regulatory Compliance initiative. The alert triggers when policy compliance falls below 70% within a 1 week time-frame. |
| Severity | Medium |
| Tactics | Discovery |
| Techniques | T1082 |
| Kind | Scheduled |
| Query frequency | 7d |
| Query period | 7d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark/Analytic Rules/AzureSecurityBenchmarkPostureChanged.yaml |
| Version | 1.0.0 |
| Arm template | 0610e72f-ceaf-42d1-879e-952a1bd8d07a.json |
let Last_Evaluated=SecurityRecommendation
| join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "Azure-Security-Benchmark") on RecommendationName
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName
| extend ComplianceDomain=iff(ComplianceControl contains "NS.", "Network Security", iff(ComplianceControl contains "IM.", "Identity Management", iff(ComplianceControl contains "PA.", "Privileged Access", iff(ComplianceControl contains "DP.", "Data Protection", iff(ComplianceControl contains "AM.", "Asset Management", iff(ComplianceControl contains "LT.", "Logging & Threat Detection", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "PV.", "Posture & Vulnerability Management", iff(ComplianceControl contains "ES.", "Endpoint Security", iff(ComplianceControl contains "BR.", "Backup & Recovery", iff(ComplianceControl startswith "DS.", "DevOps Security", iff(ComplianceControl contains "GS.", "Governance & Strategy", "Other"))))))))))));
SecurityRecommendation
| join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "Azure-Security-Benchmark") on RecommendationName
| extend ComplianceDomain=iff(ComplianceControl contains "NS.", "Network Security", iff(ComplianceControl contains "IM.", "Identity Management", iff(ComplianceControl contains "PA.", "Privileged Access", iff(ComplianceControl contains "DP.", "Data Protection", iff(ComplianceControl contains "AM.", "Asset Management", iff(ComplianceControl contains "LT.", "Logging & Threat Detection", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "PV.", "Posture & Vulnerability Management", iff(ComplianceControl contains "ES.", "Endpoint Security", iff(ComplianceControl contains "BR.", "Backup & Recovery", iff(ComplianceControl startswith "DS.", "DevOps Security", iff(ComplianceControl contains "GS.", "Governance & Strategy", "Other"))))))))))))
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName
| summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain
| extend PassedControlsPercentage = (Passed/todouble(Total))*100
| join (Last_Evaluated) on ComplianceDomain
| project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated
| summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed
| where PassedControlsPercentage < 70
| sort by PassedControlsPercentage, Passed desc
| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
| extend URLCustomEntity = RemediationLink
version: 1.0.0
queryFrequency: 7d
requiredDataConnectors: []
entityMappings:
- fieldMappings:
- columnName: URLCustomEntity
identifier: Url
entityType: URL
kind: Scheduled
queryPeriod: 7d
severity: Medium
query: |
let Last_Evaluated=SecurityRecommendation
| join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "Azure-Security-Benchmark") on RecommendationName
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName
| extend ComplianceDomain=iff(ComplianceControl contains "NS.", "Network Security", iff(ComplianceControl contains "IM.", "Identity Management", iff(ComplianceControl contains "PA.", "Privileged Access", iff(ComplianceControl contains "DP.", "Data Protection", iff(ComplianceControl contains "AM.", "Asset Management", iff(ComplianceControl contains "LT.", "Logging & Threat Detection", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "PV.", "Posture & Vulnerability Management", iff(ComplianceControl contains "ES.", "Endpoint Security", iff(ComplianceControl contains "BR.", "Backup & Recovery", iff(ComplianceControl startswith "DS.", "DevOps Security", iff(ComplianceControl contains "GS.", "Governance & Strategy", "Other"))))))))))));
SecurityRecommendation
| join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "Azure-Security-Benchmark") on RecommendationName
| extend ComplianceDomain=iff(ComplianceControl contains "NS.", "Network Security", iff(ComplianceControl contains "IM.", "Identity Management", iff(ComplianceControl contains "PA.", "Privileged Access", iff(ComplianceControl contains "DP.", "Data Protection", iff(ComplianceControl contains "AM.", "Asset Management", iff(ComplianceControl contains "LT.", "Logging & Threat Detection", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "PV.", "Posture & Vulnerability Management", iff(ComplianceControl contains "ES.", "Endpoint Security", iff(ComplianceControl contains "BR.", "Backup & Recovery", iff(ComplianceControl startswith "DS.", "DevOps Security", iff(ComplianceControl contains "GS.", "Governance & Strategy", "Other"))))))))))))
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName
| summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain
| extend PassedControlsPercentage = (Passed/todouble(Total))*100
| join (Last_Evaluated) on ComplianceDomain
| project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated
| summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed
| where PassedControlsPercentage < 70
| sort by PassedControlsPercentage, Passed desc
| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
| extend URLCustomEntity = RemediationLink
triggerOperator: gt
id: 0610e72f-ceaf-42d1-879e-952a1bd8d07a
description: |
'This alert is designed to monitor Azure policies aligned with the Azure Security Benchmark Regulatory Compliance initiative. The alert triggers when policy compliance falls below 70% within a 1 week time-frame.'
triggerThreshold: 0
name: Azure Security Benchmark Posture Changed
relevantTechniques:
- T1082
tactics:
- Discovery
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark/Analytic Rules/AzureSecurityBenchmarkPostureChanged.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0610e72f-ceaf-42d1-879e-952a1bd8d07a')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0610e72f-ceaf-42d1-879e-952a1bd8d07a')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Azure Security Benchmark Posture Changed",
"description": "'This alert is designed to monitor Azure policies aligned with the Azure Security Benchmark Regulatory Compliance initiative. The alert triggers when policy compliance falls below 70% within a 1 week time-frame.'\n",
"severity": "Medium",
"enabled": true,
"query": "let Last_Evaluated=SecurityRecommendation\n| join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == \"Azure-Security-Benchmark\") on RecommendationName\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName\n| extend ComplianceDomain=iff(ComplianceControl contains \"NS.\", \"Network Security\", iff(ComplianceControl contains \"IM.\", \"Identity Management\", iff(ComplianceControl contains \"PA.\", \"Privileged Access\", iff(ComplianceControl contains \"DP.\", \"Data Protection\", iff(ComplianceControl contains \"AM.\", \"Asset Management\", iff(ComplianceControl contains \"LT.\", \"Logging & Threat Detection\", iff(ComplianceControl contains \"IR.\", \"Incident Response\", iff(ComplianceControl contains \"PV.\", \"Posture & Vulnerability Management\", iff(ComplianceControl contains \"ES.\", \"Endpoint Security\", iff(ComplianceControl contains \"BR.\", \"Backup & Recovery\", iff(ComplianceControl startswith \"DS.\", \"DevOps Security\", iff(ComplianceControl contains \"GS.\", \"Governance & Strategy\", \"Other\"))))))))))));\nSecurityRecommendation\n| join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == \"Azure-Security-Benchmark\") on RecommendationName\n| extend ComplianceDomain=iff(ComplianceControl contains \"NS.\", \"Network Security\", iff(ComplianceControl contains \"IM.\", \"Identity Management\", iff(ComplianceControl contains \"PA.\", \"Privileged Access\", iff(ComplianceControl contains \"DP.\", \"Data Protection\", iff(ComplianceControl contains \"AM.\", \"Asset Management\", iff(ComplianceControl contains \"LT.\", \"Logging & Threat Detection\", iff(ComplianceControl contains \"IR.\", \"Incident Response\", iff(ComplianceControl contains \"PV.\", \"Posture & Vulnerability Management\", iff(ComplianceControl contains \"ES.\", \"Endpoint Security\", iff(ComplianceControl contains \"BR.\", \"Backup & Recovery\", iff(ComplianceControl startswith \"DS.\", \"DevOps Security\", iff(ComplianceControl contains \"GS.\", \"Governance & Strategy\", \"Other\"))))))))))))\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName\n| summarize Failed = countif(RecommendationState == \"Unhealthy\"), Passed = countif(RecommendationState == \"Healthy\"), Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\") by ComplianceDomain\n| extend PassedControlsPercentage = (Passed/todouble(Total))*100\n| join (Last_Evaluated) on ComplianceDomain\n| project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated\n| summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed\n| where PassedControlsPercentage < 70 \n| sort by PassedControlsPercentage, Passed desc\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n| extend URLCustomEntity = RemediationLink\n",
"queryFrequency": "P7D",
"queryPeriod": "P7D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1082"
],
"alertRuleTemplateName": "0610e72f-ceaf-42d1-879e-952a1bd8d07a",
"customDetails": null,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "URLCustomEntity"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark/Analytic Rules/AzureSecurityBenchmarkPostureChanged.yaml",
"templateVersion": "1.0.0"
}
}
]
}