NIST SP 800-53 Posture Changed
| Id | dd834c97-4638-4bb3-a4e3-807e8b0580dc |
| Rulename | NIST SP 800-53 Posture Changed |
| Description | This alert is desinged to monitor Azure policies aligned with the NIST SP 800-53 Regulatory Compliance initative. The alert triggers when policy compliance falls below 70% within a 1 week timeframe. |
| Severity | Medium |
| Tactics | Discovery |
| Techniques | T1082 |
| Kind | Scheduled |
| Query frequency | 7d |
| Query period | 7d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Analytic Rules/NISTSP80053PostureChanged.yaml |
| Version | 1.0.0 |
| Arm template | dd834c97-4638-4bb3-a4e3-807e8b0580dc.json |
let Last_Evaluated=SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain, TimeGenerated; SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain | extend PassedControlsPercentage = (Passed/todouble(Total))*100 | join (Last_Evaluated) on ComplianceDomain | project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated | summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed | where PassedControlsPercentage < 70 | sort by PassedControlsPercentage, Passed desc | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22') | extend URLCustomEntity = RemediationLink
relevantTechniques:
- T1082
name: NIST SP 800-53 Posture Changed
requiredDataConnectors: []
entityMappings:
- fieldMappings:
- identifier: Url
columnName: URLCustomEntity
entityType: URL
triggerThreshold: 0
id: dd834c97-4638-4bb3-a4e3-807e8b0580dc
tactics:
- Discovery
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Analytic Rules/NISTSP80053PostureChanged.yaml
queryPeriod: 7d
kind: Scheduled
queryFrequency: 7d
severity: Medium
status: Available
description: |
'This alert is desinged to monitor Azure policies aligned with the NIST SP 800-53 Regulatory Compliance initative. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.'
query: let Last_Evaluated=SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain, TimeGenerated; SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain | extend PassedControlsPercentage = (Passed/todouble(Total))*100 | join (Last_Evaluated) on ComplianceDomain | project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated | summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed | where PassedControlsPercentage < 70 | sort by PassedControlsPercentage, Passed desc | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22') | extend URLCustomEntity = RemediationLink
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dd834c97-4638-4bb3-a4e3-807e8b0580dc')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dd834c97-4638-4bb3-a4e3-807e8b0580dc')]",
"properties": {
"alertRuleTemplateName": "dd834c97-4638-4bb3-a4e3-807e8b0580dc",
"customDetails": null,
"description": "'This alert is desinged to monitor Azure policies aligned with the NIST SP 800-53 Regulatory Compliance initative. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.'\n",
"displayName": "NIST SP 800-53 Posture Changed",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URLCustomEntity",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Analytic Rules/NISTSP80053PostureChanged.yaml",
"query": "let Last_Evaluated=SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == \"NIST-SP-800-53-R4\") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains \"AC.\", \"Access Control\", iff(ComplianceControl contains \"AT.\", \"Security Awareness & Training\", iff(ComplianceControl contains \"AU.\", \"Audit & Accountability\", iff(ComplianceControl contains \"CA.\", \"Security Assessment\", iff(ComplianceControl contains \"CM.\", \"Configuration Management\", iff(ComplianceControl contains \"CP.\", \"Contingency Planning\", iff(ComplianceControl contains \"IA.\", \"Identification & Authentication\", iff(ComplianceControl contains \"IR.\", \"Incident Response\", iff(ComplianceControl contains \"MA.\", \"System Maintenance\", iff(ComplianceControl contains \"MP.\", \"Media Protection\", iff(ComplianceControl contains \"PE.\", \"Physical Protection\", iff(ComplianceControl contains \"PL.\", \"Security Planning\", iff(ComplianceControl contains \"PS.\", \"Personnel Security\",iff(ComplianceControl contains \"RA.\", \"Risk Assessment\",iff(ComplianceControl contains \"SA.\", \"System & Services Acquisition\",iff(ComplianceControl contains \"SC.\", \"System & Communications Protection\",iff(ComplianceControl contains \"SI.\", \"System & Information Integrity\",\"Other\"))))))))))))))))) | summarize Failed = countif(RecommendationState == \"Unhealthy\"), Passed = countif(RecommendationState == \"Healthy\"), Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\") by ComplianceDomain, TimeGenerated; SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == \"NIST-SP-800-53-R4\") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains \"AC.\", \"Access Control\", iff(ComplianceControl contains \"AT.\", \"Security Awareness & Training\", iff(ComplianceControl contains \"AU.\", \"Audit & Accountability\", iff(ComplianceControl contains \"CA.\", \"Security Assessment\", iff(ComplianceControl contains \"CM.\", \"Configuration Management\", iff(ComplianceControl contains \"CP.\", \"Contingency Planning\", iff(ComplianceControl contains \"IA.\", \"Identification & Authentication\", iff(ComplianceControl contains \"IR.\", \"Incident Response\", iff(ComplianceControl contains \"MA.\", \"System Maintenance\", iff(ComplianceControl contains \"MP.\", \"Media Protection\", iff(ComplianceControl contains \"PE.\", \"Physical Protection\", iff(ComplianceControl contains \"PL.\", \"Security Planning\", iff(ComplianceControl contains \"PS.\", \"Personnel Security\",iff(ComplianceControl contains \"RA.\", \"Risk Assessment\",iff(ComplianceControl contains \"SA.\", \"System & Services Acquisition\",iff(ComplianceControl contains \"SC.\", \"System & Communications Protection\",iff(ComplianceControl contains \"SI.\", \"System & Information Integrity\",\"Other\"))))))))))))))))) | summarize Failed = countif(RecommendationState == \"Unhealthy\"), Passed = countif(RecommendationState == \"Healthy\"), Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\") by ComplianceDomain | extend PassedControlsPercentage = (Passed/todouble(Total))*100 | join (Last_Evaluated) on ComplianceDomain | project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated | summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed | where PassedControlsPercentage < 70 | sort by PassedControlsPercentage, Passed desc | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22') | extend URLCustomEntity = RemediationLink",
"queryFrequency": "P7D",
"queryPeriod": "P7D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1082"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}