ZeroTrustTIC30 Control Assessment Posture Change
Id | 4942992d-a4d3-44b0-9cf4-b5a23811d82d |
Rulename | ZeroTrust(TIC3.0) Control Assessment Posture Change |
Description | Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines |
Severity | Medium |
Tactics | Discovery |
Techniques | T1082 |
Kind | Scheduled |
Query frequency | 7d |
Query period | 7d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ZeroTrust(TIC3.0)/Analytic Rules/Zero_Trust_TIC3.0_ControlAssessmentPostureChange.yaml |
Version | 1.0.0 |
Arm template | 4942992d-a4d3-44b0-9cf4-b5a23811d82d.json |
SecurityRecommendation
| where RecommendationDisplayName <> ""
| extend ControlFamily=iff(RecommendationDisplayName has_any("email"), "Email",
iff(RecommendationDisplayName has_any("apps", "teams", "meeting", "call"), "Unified Communications & Collaboration",
iff(RecommendationDisplayName has_any("dns", "domain"), "DNS",
iff(RecommendationDisplayName has_any("endpoint protection", "malware", "file", "files", "IaaSAntimalware"), "Files",
iff(RecommendationDisplayName has_any("Security Center", "defender", "adaptive", "HoneyTokens", "honey", "deception", "intrusion", "incident", "incidents"), "Intrusion Detection",
iff(RecommendationDisplayName has_any("firewall", "watcher", "proxy", "certificate", "url", "web"), "Web",
iff(RecommendationDisplayName has_any("network", "segment", "network security groups", "subnet", "application gateway", "security groups", "IP forwarding", "port", "ports", "networks"), "Networking",
iff(RecommendationDisplayName has_any("backup", "denial", "DDoS", "load", "scale", "front", "traffic manager", "pool", "disaster", "region", "redundant", "geo"), "Resiliency",
iff(RecommendationDisplayName has_any("encrypt", "rest", "transit", "data", "http", "https", "TLS", "transfer", "transit", "Secure Socket", "SSH", "just", "FTP", "server-side", "storage", "database", "databases", "SQL", "disk", "disks"), "Data Protection",
iff(RecommendationDisplayName has_any("private", "vpn", "automation", "playbook", "logic", "notification", "authorized", "safe", "network gateway", "express", "VPC"), "Enterprise",
iff(RecommendationDisplayName has_any("recover", "log", "configured", "configuration", "identity", "privilege", "admin", "authentication", "JIT", "just", "password", "time", "sync", "vulnerability", "Vulnerabilities", "updates", "update", "upgrade", "audit", "account", "guest", "shared", "access", "machines", "rights", "VM", "key", "keys", "IAM", "EC2", "GuardDuty", "logs", "CloudTrail", "MFA", "External accounts", "accounts", "config", "credentials", "privileged", "owner", "owners", "login", "logon", "virtual machine", "container", "containers", "Kubernetes"), "Universal Security Capabilities", "Other")))))))))))
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName
| summarize
Failed=countif(RecommendationState == "Unhealthy"),
Passed=countif(RecommendationState == "Healthy"),
Total=countif(RecommendationState == "Unhealthy" or RecommendationState == "Healthy")
by ControlFamily
| extend PassedControlsPercentage = (Passed / todouble(Total)) * 100
| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5')
| extend URLCustomEntity = RemediationLink
| project ControlFamily, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, URLCustomEntity
| where PassedControlsPercentage < 70 //Adjust PassedRatePercentage Thresholds within Organizational Needs
| sort by PassedControlsPercentage asc
id: 4942992d-a4d3-44b0-9cf4-b5a23811d82d
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ZeroTrust(TIC3.0)/Analytic Rules/Zero_Trust_TIC3.0_ControlAssessmentPostureChange.yaml
requiredDataConnectors: []
description: |
'Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines'
severity: Medium
queryPeriod: 7d
kind: Scheduled
tactics:
- Discovery
queryFrequency: 7d
query: |
SecurityRecommendation
| where RecommendationDisplayName <> ""
| extend ControlFamily=iff(RecommendationDisplayName has_any("email"), "Email",
iff(RecommendationDisplayName has_any("apps", "teams", "meeting", "call"), "Unified Communications & Collaboration",
iff(RecommendationDisplayName has_any("dns", "domain"), "DNS",
iff(RecommendationDisplayName has_any("endpoint protection", "malware", "file", "files", "IaaSAntimalware"), "Files",
iff(RecommendationDisplayName has_any("Security Center", "defender", "adaptive", "HoneyTokens", "honey", "deception", "intrusion", "incident", "incidents"), "Intrusion Detection",
iff(RecommendationDisplayName has_any("firewall", "watcher", "proxy", "certificate", "url", "web"), "Web",
iff(RecommendationDisplayName has_any("network", "segment", "network security groups", "subnet", "application gateway", "security groups", "IP forwarding", "port", "ports", "networks"), "Networking",
iff(RecommendationDisplayName has_any("backup", "denial", "DDoS", "load", "scale", "front", "traffic manager", "pool", "disaster", "region", "redundant", "geo"), "Resiliency",
iff(RecommendationDisplayName has_any("encrypt", "rest", "transit", "data", "http", "https", "TLS", "transfer", "transit", "Secure Socket", "SSH", "just", "FTP", "server-side", "storage", "database", "databases", "SQL", "disk", "disks"), "Data Protection",
iff(RecommendationDisplayName has_any("private", "vpn", "automation", "playbook", "logic", "notification", "authorized", "safe", "network gateway", "express", "VPC"), "Enterprise",
iff(RecommendationDisplayName has_any("recover", "log", "configured", "configuration", "identity", "privilege", "admin", "authentication", "JIT", "just", "password", "time", "sync", "vulnerability", "Vulnerabilities", "updates", "update", "upgrade", "audit", "account", "guest", "shared", "access", "machines", "rights", "VM", "key", "keys", "IAM", "EC2", "GuardDuty", "logs", "CloudTrail", "MFA", "External accounts", "accounts", "config", "credentials", "privileged", "owner", "owners", "login", "logon", "virtual machine", "container", "containers", "Kubernetes"), "Universal Security Capabilities", "Other")))))))))))
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName
| summarize
Failed=countif(RecommendationState == "Unhealthy"),
Passed=countif(RecommendationState == "Healthy"),
Total=countif(RecommendationState == "Unhealthy" or RecommendationState == "Healthy")
by ControlFamily
| extend PassedControlsPercentage = (Passed / todouble(Total)) * 100
| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5')
| extend URLCustomEntity = RemediationLink
| project ControlFamily, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, URLCustomEntity
| where PassedControlsPercentage < 70 //Adjust PassedRatePercentage Thresholds within Organizational Needs
| sort by PassedControlsPercentage asc
version: 1.0.0
triggerThreshold: 0
name: ZeroTrust(TIC3.0) Control Assessment Posture Change
entityMappings:
- entityType: URL
fieldMappings:
- columnName: URLCustomEntity
identifier: Url
status: Available
relevantTechniques:
- T1082
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4942992d-a4d3-44b0-9cf4-b5a23811d82d')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4942992d-a4d3-44b0-9cf4-b5a23811d82d')]",
"properties": {
"alertRuleTemplateName": "4942992d-a4d3-44b0-9cf4-b5a23811d82d",
"customDetails": null,
"description": "'Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines'\n",
"displayName": "ZeroTrust(TIC3.0) Control Assessment Posture Change",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URLCustomEntity",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ZeroTrust(TIC3.0)/Analytic Rules/Zero_Trust_TIC3.0_ControlAssessmentPostureChange.yaml",
"query": "SecurityRecommendation\n| where RecommendationDisplayName <> \"\"\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\"email\"), \"Email\",\n iff(RecommendationDisplayName has_any(\"apps\", \"teams\", \"meeting\", \"call\"), \"Unified Communications & Collaboration\",\n iff(RecommendationDisplayName has_any(\"dns\", \"domain\"), \"DNS\",\n iff(RecommendationDisplayName has_any(\"endpoint protection\", \"malware\", \"file\", \"files\", \"IaaSAntimalware\"), \"Files\",\n iff(RecommendationDisplayName has_any(\"Security Center\", \"defender\", \"adaptive\", \"HoneyTokens\", \"honey\", \"deception\", \"intrusion\", \"incident\", \"incidents\"), \"Intrusion Detection\",\n iff(RecommendationDisplayName has_any(\"firewall\", \"watcher\", \"proxy\", \"certificate\", \"url\", \"web\"), \"Web\",\n iff(RecommendationDisplayName has_any(\"network\", \"segment\", \"network security groups\", \"subnet\", \"application gateway\", \"security groups\", \"IP forwarding\", \"port\", \"ports\", \"networks\"), \"Networking\",\n iff(RecommendationDisplayName has_any(\"backup\", \"denial\", \"DDoS\", \"load\", \"scale\", \"front\", \"traffic manager\", \"pool\", \"disaster\", \"region\", \"redundant\", \"geo\"), \"Resiliency\",\n iff(RecommendationDisplayName has_any(\"encrypt\", \"rest\", \"transit\", \"data\", \"http\", \"https\", \"TLS\", \"transfer\", \"transit\", \"Secure Socket\", \"SSH\", \"just\", \"FTP\", \"server-side\", \"storage\", \"database\", \"databases\", \"SQL\", \"disk\", \"disks\"), \"Data Protection\",\n iff(RecommendationDisplayName has_any(\"private\", \"vpn\", \"automation\", \"playbook\", \"logic\", \"notification\", \"authorized\", \"safe\", \"network gateway\", \"express\", \"VPC\"), \"Enterprise\",\n iff(RecommendationDisplayName has_any(\"recover\", \"log\", \"configured\", \"configuration\", \"identity\", \"privilege\", \"admin\", \"authentication\", \"JIT\", \"just\", \"password\", \"time\", \"sync\", \"vulnerability\", \"Vulnerabilities\", \"updates\", \"update\", \"upgrade\", \"audit\", \"account\", \"guest\", \"shared\", \"access\", \"machines\", \"rights\", \"VM\", \"key\", \"keys\", \"IAM\", \"EC2\", \"GuardDuty\", \"logs\", \"CloudTrail\", \"MFA\", \"External accounts\", \"accounts\", \"config\", \"credentials\", \"privileged\", \"owner\", \"owners\", \"login\", \"logon\", \"virtual machine\", \"container\", \"containers\", \"Kubernetes\"), \"Universal Security Capabilities\", \"Other\")))))))))))\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\n| summarize\n Failed=countif(RecommendationState == \"Unhealthy\"),\n Passed=countif(RecommendationState == \"Healthy\"),\n Total=countif(RecommendationState == \"Unhealthy\" or RecommendationState == \"Healthy\")\n by ControlFamily\n| extend PassedControlsPercentage = (Passed / todouble(Total)) * 100\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5')\n| extend URLCustomEntity = RemediationLink\n| project ControlFamily, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, URLCustomEntity\n| where PassedControlsPercentage < 70 //Adjust PassedRatePercentage Thresholds within Organizational Needs\n| sort by PassedControlsPercentage asc\n",
"queryFrequency": "P7D",
"queryPeriod": "P7D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1082"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}