
Azure Security Benchmark Posture Changed

Id: 0610e72f-ceaf-42d1-879e-952a1bd8d07a
Rulename: Azure Security Benchmark Posture Changed
Description: This alert is designed to monitor Azure policies aligned with the Azure Security Benchmark Regulatory Compliance initiative. The alert triggers when policy compliance falls below 70% within a 1 week time-frame.
Severity: Medium
Tactics: Discovery
Techniques: T1082
Kind: Scheduled
Query frequency: 7d
Query period: 7d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark/Analytic Rules/AzureSecurityBenchmarkPostureChanged.yaml
Version: 1.0.0
Arm template: 0610e72f-ceaf-42d1-879e-952a1bd8d07a.json
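// Azure Security Benchmark posture check.
// For every ASB compliance domain, computes the share of resource/recommendation
// pairs whose latest state is Healthy and returns each domain below the threshold.
// NOTE(review): despite the rule name, nothing here compares against an earlier
// evaluation; each run simply reports every domain currently under the threshold,
// so the same domains re-alert on every run until they recover.
//
// Minimum passed-controls percentage; domains strictly below this value alert.
let ComplianceThreshold = 70.0;
// Single remediation entry point surfaced as the URL entity on the alert.
let RemediationUrl = 'https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22';
// Maps an ASB control identifier to its domain name. Evaluation order matters:
// the first matching predicate wins and anything unmatched (including a null
// control, e.g. a recommendation with no ASB mapping) becomes "Other".
// NOTE(review): every prefix except "DS." is matched with `contains`, which also
// matches the prefix in the middle of the string, while "DS." uses `startswith`.
// Kept as-is to preserve behaviour — confirm the ComplianceControl format in
// SecurityRegulatoryCompliance and align the operators.
let ToComplianceDomain = (ctrl: string) {
    case(
        ctrl contains "NS.", "Network Security",
        ctrl contains "IM.", "Identity Management",
        ctrl contains "PA.", "Privileged Access",
        ctrl contains "DP.", "Data Protection",
        ctrl contains "AM.", "Asset Management",
        ctrl contains "LT.", "Logging & Threat Detection",
        ctrl contains "IR.", "Incident Response",
        ctrl contains "PV.", "Posture & Vulnerability Management",
        ctrl contains "ES.", "Endpoint Security",
        ctrl contains "BR.", "Backup & Recovery",
        ctrl startswith "DS.", "DevOps Security",
        ctrl contains "GS.", "Governance & Strategy",
        "Other")
};
// Latest assessment per resource/recommendation, tagged with its domain. Only
// used below to stamp each domain with its most recent evaluation time.
let Last_Evaluated = SecurityRecommendation
    | join kind=fullouter (
        SecurityRegulatoryCompliance
        | where ComplianceStandard == "Azure-Security-Benchmark"
      ) on RecommendationName
    | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName
    | extend ComplianceDomain = ToComplianceDomain(ComplianceControl);
SecurityRecommendation
| join kind=fullouter (
    SecurityRegulatoryCompliance
    | where ComplianceStandard == "Azure-Security-Benchmark"
  ) on RecommendationName
| extend ComplianceDomain = ToComplianceDomain(ComplianceControl)
// Keep only the latest state of each resource/recommendation pair so a
// recommendation re-evaluated several times in the window is counted once.
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName
// Only Healthy/Unhealthy rows count towards Total; any other state value, and
// the null state carried by compliance-only rows of the full outer join, is ignored.
| summarize
    Failed = countif(RecommendationState == "Unhealthy"),
    Passed = countif(RecommendationState == "Healthy"),
    Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy")
    by ComplianceDomain
// todouble() avoids integer division. A domain with Total == 0 presumably yields
// a non-finite value that fails the threshold comparison below and is dropped
// silently rather than alerting — confirm this is intended.
| extend PassedControlsPercentage = (Passed / todouble(Total)) * 100
| join (Last_Evaluated) on ComplianceDomain
| project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated = TimeGenerated
| summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed
| where PassedControlsPercentage < ComplianceThreshold
| sort by PassedControlsPercentage, Passed desc
| extend RemediationLink = RemediationUrl
| extend URLCustomEntity = RemediationLink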
# Sentinel scheduled analytic rule definition. The KQL under `query:` is the
# same query shown above, and the ARM template below carries the same definition.
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark/Analytic Rules/AzureSecurityBenchmarkPostureChanged.yaml
severity: Medium
name: Azure Security Benchmark Posture Changed
# The only entity attached to the alert is the static remediation URL the query
# writes into URLCustomEntity; no resource or account entity is mapped, so the
# resulting incident carries no entity pointing at the non-compliant resources.
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
relevantTechniques:
- T1082
# Runs once a week over the preceding week (queryFrequency == queryPeriod), so
# consecutive evaluation windows are contiguous and do not overlap.
queryFrequency: 7d
# Fires as soon as the query returns at least one row (triggerOperator gt,
# threshold 0), i.e. whenever any compliance domain is below 70% at run time.
triggerThreshold: 0
queryPeriod: 7d
description: |
    'This alert is designed to monitor Azure policies aligned with the Azure Security Benchmark Regulatory Compliance initiative. The alert triggers when policy compliance falls below 70% within a 1 week time-frame.'
id: 0610e72f-ceaf-42d1-879e-952a1bd8d07a
version: 1.0.0
tactics:
- Discovery
# NOTE(review): the query reports every domain currently under the threshold on
# each run; it does not compare against a previous evaluation, so "Posture
# Changed" in the name is not what the `where` clause implements.
query: |
  let Last_Evaluated=SecurityRecommendation
  | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "Azure-Security-Benchmark") on RecommendationName
  | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName
  | extend ComplianceDomain=iff(ComplianceControl contains "NS.", "Network Security", iff(ComplianceControl contains "IM.", "Identity Management", iff(ComplianceControl contains "PA.", "Privileged Access", iff(ComplianceControl contains "DP.", "Data Protection", iff(ComplianceControl contains "AM.", "Asset Management", iff(ComplianceControl contains "LT.", "Logging & Threat Detection", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "PV.", "Posture & Vulnerability Management", iff(ComplianceControl contains "ES.", "Endpoint Security", iff(ComplianceControl contains "BR.", "Backup & Recovery", iff(ComplianceControl startswith "DS.", "DevOps Security", iff(ComplianceControl contains "GS.", "Governance & Strategy", "Other"))))))))))));
  SecurityRecommendation
  | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "Azure-Security-Benchmark") on RecommendationName
  | extend ComplianceDomain=iff(ComplianceControl contains "NS.", "Network Security", iff(ComplianceControl contains "IM.", "Identity Management", iff(ComplianceControl contains "PA.", "Privileged Access", iff(ComplianceControl contains "DP.", "Data Protection", iff(ComplianceControl contains "AM.", "Asset Management", iff(ComplianceControl contains "LT.", "Logging & Threat Detection", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "PV.", "Posture & Vulnerability Management", iff(ComplianceControl contains "ES.", "Endpoint Security", iff(ComplianceControl contains "BR.", "Backup & Recovery", iff(ComplianceControl startswith "DS.", "DevOps Security", iff(ComplianceControl contains "GS.", "Governance & Strategy", "Other"))))))))))))
  | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName
  | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain
  | extend PassedControlsPercentage = (Passed/todouble(Total))*100
  | join (Last_Evaluated) on ComplianceDomain
  | project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated
  | summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed
  | where PassedControlsPercentage < 70 
  | sort by PassedControlsPercentage, Passed desc
  | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
  | extend URLCustomEntity = RemediationLink  
# No connector is declared, so the template deploys on any workspace; the query
# only returns rows once the SecurityRecommendation and
# SecurityRegulatoryCompliance tables it reads are populated.
requiredDataConnectors: []
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0610e72f-ceaf-42d1-879e-952a1bd8d07a')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0610e72f-ceaf-42d1-879e-952a1bd8d07a')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Azure Security Benchmark Posture Changed",
        "description": "'This alert is designed to monitor Azure policies aligned with the Azure Security Benchmark Regulatory Compliance initiative. The alert triggers when policy compliance falls below 70% within a 1 week time-frame.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let Last_Evaluated=SecurityRecommendation\n| join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == \"Azure-Security-Benchmark\") on RecommendationName\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName\n| extend ComplianceDomain=iff(ComplianceControl contains \"NS.\", \"Network Security\", iff(ComplianceControl contains \"IM.\", \"Identity Management\", iff(ComplianceControl contains \"PA.\", \"Privileged Access\", iff(ComplianceControl contains \"DP.\", \"Data Protection\", iff(ComplianceControl contains \"AM.\", \"Asset Management\", iff(ComplianceControl contains \"LT.\", \"Logging & Threat Detection\", iff(ComplianceControl contains \"IR.\", \"Incident Response\", iff(ComplianceControl contains \"PV.\", \"Posture & Vulnerability Management\", iff(ComplianceControl contains \"ES.\", \"Endpoint Security\", iff(ComplianceControl contains \"BR.\", \"Backup & Recovery\", iff(ComplianceControl startswith \"DS.\", \"DevOps Security\", iff(ComplianceControl contains \"GS.\", \"Governance & Strategy\", \"Other\"))))))))))));\nSecurityRecommendation\n| join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == \"Azure-Security-Benchmark\") on RecommendationName\n| extend ComplianceDomain=iff(ComplianceControl contains \"NS.\", \"Network Security\", iff(ComplianceControl contains \"IM.\", \"Identity Management\", iff(ComplianceControl contains \"PA.\", \"Privileged Access\", iff(ComplianceControl contains \"DP.\", \"Data Protection\", iff(ComplianceControl contains \"AM.\", \"Asset Management\", iff(ComplianceControl contains \"LT.\", \"Logging & Threat Detection\", iff(ComplianceControl contains \"IR.\", \"Incident Response\", iff(ComplianceControl contains \"PV.\", \"Posture & Vulnerability Management\", iff(ComplianceControl contains \"ES.\", \"Endpoint Security\", iff(ComplianceControl contains \"BR.\", \"Backup & Recovery\", iff(ComplianceControl startswith \"DS.\", \"DevOps 
Security\", iff(ComplianceControl contains \"GS.\", \"Governance & Strategy\", \"Other\"))))))))))))\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName\n| summarize Failed = countif(RecommendationState == \"Unhealthy\"), Passed = countif(RecommendationState == \"Healthy\"), Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\") by ComplianceDomain\n| extend PassedControlsPercentage = (Passed/todouble(Total))*100\n| join (Last_Evaluated) on ComplianceDomain\n| project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated\n| summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed\n| where PassedControlsPercentage < 70 \n| sort by PassedControlsPercentage, Passed desc\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n| extend URLCustomEntity = RemediationLink\n",
        "queryFrequency": "P7D",
        "queryPeriod": "P7D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1082"
        ],
        "alertRuleTemplateName": "0610e72f-ceaf-42d1-879e-952a1bd8d07a",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "URLCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark/Analytic Rules/AzureSecurityBenchmarkPostureChanged.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}