Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CMMC 20 Level 2 Advanced Readiness Posture

CMMC 20 Level 2 Advanced Readiness Posture

Back
Id7bfe573b-3069-4e81-98fe-9a4cffbcbc24
RulenameCMMC 2.0 Level 2 (Advanced) Readiness Posture
DescriptionCMMC 2.0 Level 2 (Advanced) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC2.0 policy compliance is assessed below 70% compliance in 7 days.
SeverityMedium
TacticsDiscovery
TechniquesT1082
KindScheduled
Query frequency7d
Query period7d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level2AdvancedPosture.yaml
Version1.0.0
Arm template7bfe573b-3069-4e81-98fe-9a4cffbcbc24.json
Deploy To Azure
SecurityRegulatoryCompliance
| where ComplianceStandard == "NIST-SP-800-171-R2"
| extend Level=iff(ComplianceControl in ("3.1.1","3.1.2","3.1.20","3.1.22","3.4.1","3.5.2","3.5.2","3.8.3","3.13.1","3.13.5","3.14.1","3.14.2","3.14.4","3.14.5"), "Level 1: Foundational","Level 2: Advanced")
| where Level == "Level 2: Advanced"
| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId, Level
|summarize Failed=countif(State=="Failed"),Passed=countif(State=="Passed"),Total=countif(State=="Passed" or State == "Failed") by Level
|extend PassedControlsPercentage = (Passed/todouble(Total))*100
| where PassedControlsPercentage < 70 
//Adjust Either Passed Thresholds within Organizational Needs
| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
| project Level, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, LastObserved=now()
| extend URLCustomEntity = RemediationLink

queryPeriod: 7d
query: |
  SecurityRegulatoryCompliance
  | where ComplianceStandard == "NIST-SP-800-171-R2"
  | extend Level=iff(ComplianceControl in ("3.1.1","3.1.2","3.1.20","3.1.22","3.4.1","3.5.2","3.5.2","3.8.3","3.13.1","3.13.5","3.14.1","3.14.2","3.14.4","3.14.5"), "Level 1: Foundational","Level 2: Advanced")
  | where Level == "Level 2: Advanced"
  | summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId, Level
  |summarize Failed=countif(State=="Failed"),Passed=countif(State=="Passed"),Total=countif(State=="Passed" or State == "Failed") by Level
  |extend PassedControlsPercentage = (Passed/todouble(Total))*100
  | where PassedControlsPercentage < 70 
  //Adjust Either Passed Thresholds within Organizational Needs
  | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
  | project Level, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, LastObserved=now()
  | extend URLCustomEntity = RemediationLink  
name: CMMC 2.0 Level 2 (Advanced) Readiness Posture
entityMappings:
- fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
  entityType: URL
queryFrequency: 7d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level2AdvancedPosture.yaml
requiredDataConnectors: []
description: |
    'CMMC 2.0 Level 2 (Advanced) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC2.0 policy compliance is assessed below 70% compliance in 7 days.'
kind: Scheduled
version: 1.0.0
status: Available
severity: Medium
relevantTechniques:
- T1082
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
id: 7bfe573b-3069-4e81-98fe-9a4cffbcbc24