NIST SP 800-53 Posture Changed
| Id | dd834c97-4638-4bb3-a4e3-807e8b0580dc |
| Rulename | NIST SP 800-53 Posture Changed |
| Description | This alert is desinged to monitor Azure policies aligned with the NIST SP 800-53 Regulatory Compliance initative. The alert triggers when policy compliance falls below 70% within a 1 week timeframe. |
| Severity | Medium |
| Tactics | Discovery |
| Techniques | T1082 |
| Kind | Scheduled |
| Query frequency | 7d |
| Query period | 7d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Analytic Rules/NISTSP80053PostureChanged.yaml |
| Version | 1.0.0 |
| Arm template | dd834c97-4638-4bb3-a4e3-807e8b0580dc.json |
let Last_Evaluated=SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain, TimeGenerated; SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain | extend PassedControlsPercentage = (Passed/todouble(Total))*100 | join (Last_Evaluated) on ComplianceDomain | project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated | summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed | where PassedControlsPercentage < 70 | sort by PassedControlsPercentage, Passed desc | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22') | extend URLCustomEntity = RemediationLink
status: Available
id: dd834c97-4638-4bb3-a4e3-807e8b0580dc
query: let Last_Evaluated=SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain, TimeGenerated; SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain | extend PassedControlsPercentage = (Passed/todouble(Total))*100 | join (Last_Evaluated) on ComplianceDomain | project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated | summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed | where PassedControlsPercentage < 70 | sort by PassedControlsPercentage, Passed desc | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22') | extend URLCustomEntity = RemediationLink
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Analytic Rules/NISTSP80053PostureChanged.yaml
description: |
'This alert is desinged to monitor Azure policies aligned with the NIST SP 800-53 Regulatory Compliance initative. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.'
name: NIST SP 800-53 Posture Changed
relevantTechniques:
- T1082
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: URLCustomEntity
triggerThreshold: 0
severity: Medium
requiredDataConnectors: []
queryFrequency: 7d
queryPeriod: 7d
version: 1.0.0
kind: Scheduled
tactics:
- Discovery
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dd834c97-4638-4bb3-a4e3-807e8b0580dc')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dd834c97-4638-4bb3-a4e3-807e8b0580dc')]",
"properties": {
"alertRuleTemplateName": "dd834c97-4638-4bb3-a4e3-807e8b0580dc",
"customDetails": null,
"description": "'This alert is desinged to monitor Azure policies aligned with the NIST SP 800-53 Regulatory Compliance initative. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.'\n",
"displayName": "NIST SP 800-53 Posture Changed",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URLCustomEntity",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Analytic Rules/NISTSP80053PostureChanged.yaml",
"query": "let Last_Evaluated=SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == \"NIST-SP-800-53-R4\") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains \"AC.\", \"Access Control\", iff(ComplianceControl contains \"AT.\", \"Security Awareness & Training\", iff(ComplianceControl contains \"AU.\", \"Audit & Accountability\", iff(ComplianceControl contains \"CA.\", \"Security Assessment\", iff(ComplianceControl contains \"CM.\", \"Configuration Management\", iff(ComplianceControl contains \"CP.\", \"Contingency Planning\", iff(ComplianceControl contains \"IA.\", \"Identification & Authentication\", iff(ComplianceControl contains \"IR.\", \"Incident Response\", iff(ComplianceControl contains \"MA.\", \"System Maintenance\", iff(ComplianceControl contains \"MP.\", \"Media Protection\", iff(ComplianceControl contains \"PE.\", \"Physical Protection\", iff(ComplianceControl contains \"PL.\", \"Security Planning\", iff(ComplianceControl contains \"PS.\", \"Personnel Security\",iff(ComplianceControl contains \"RA.\", \"Risk Assessment\",iff(ComplianceControl contains \"SA.\", \"System & Services Acquisition\",iff(ComplianceControl contains \"SC.\", \"System & Communications Protection\",iff(ComplianceControl contains \"SI.\", \"System & Information Integrity\",\"Other\"))))))))))))))))) | summarize Failed = countif(RecommendationState == \"Unhealthy\"), Passed = countif(RecommendationState == \"Healthy\"), Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\") by ComplianceDomain, TimeGenerated; SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == \"NIST-SP-800-53-R4\") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains \"AC.\", \"Access Control\", iff(ComplianceControl contains \"AT.\", \"Security Awareness & Training\", iff(ComplianceControl contains \"AU.\", \"Audit & Accountability\", iff(ComplianceControl contains \"CA.\", \"Security Assessment\", iff(ComplianceControl contains \"CM.\", \"Configuration Management\", iff(ComplianceControl contains \"CP.\", \"Contingency Planning\", iff(ComplianceControl contains \"IA.\", \"Identification & Authentication\", iff(ComplianceControl contains \"IR.\", \"Incident Response\", iff(ComplianceControl contains \"MA.\", \"System Maintenance\", iff(ComplianceControl contains \"MP.\", \"Media Protection\", iff(ComplianceControl contains \"PE.\", \"Physical Protection\", iff(ComplianceControl contains \"PL.\", \"Security Planning\", iff(ComplianceControl contains \"PS.\", \"Personnel Security\",iff(ComplianceControl contains \"RA.\", \"Risk Assessment\",iff(ComplianceControl contains \"SA.\", \"System & Services Acquisition\",iff(ComplianceControl contains \"SC.\", \"System & Communications Protection\",iff(ComplianceControl contains \"SI.\", \"System & Information Integrity\",\"Other\"))))))))))))))))) | summarize Failed = countif(RecommendationState == \"Unhealthy\"), Passed = countif(RecommendationState == \"Healthy\"), Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\") by ComplianceDomain | extend PassedControlsPercentage = (Passed/todouble(Total))*100 | join (Last_Evaluated) on ComplianceDomain | project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated | summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed | where PassedControlsPercentage < 70 | sort by PassedControlsPercentage, Passed desc | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22') | extend URLCustomEntity = RemediationLink",
"queryFrequency": "P7D",
"queryPeriod": "P7D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1082"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}