Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

NIST SP 800-53 Posture Changed

Back
Iddd834c97-4638-4bb3-a4e3-807e8b0580dc
RulenameNIST SP 800-53 Posture Changed
DescriptionThis alert is desinged to monitor Azure policies aligned with the NIST SP 800-53 Regulatory Compliance initative. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.
SeverityMedium
TacticsDiscovery
TechniquesT1082
KindScheduled
Query frequency7d
Query period7d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Analytic Rules/NISTSP80053PostureChanged.yaml
Version1.0.0
Arm templatedd834c97-4638-4bb3-a4e3-807e8b0580dc.json
Deploy To Azure
let Last_Evaluated=SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain, TimeGenerated; SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain | extend PassedControlsPercentage = (Passed/todouble(Total))*100 | join (Last_Evaluated) on ComplianceDomain | project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated | summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed | where PassedControlsPercentage < 70 | sort by PassedControlsPercentage, Passed desc | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22') | extend URLCustomEntity = RemediationLink
severity: Medium
relevantTechniques:
- T1082
queryFrequency: 7d
kind: Scheduled
version: 1.0.0
name: NIST SP 800-53 Posture Changed
triggerOperator: gt
description: |
    'This alert is desinged to monitor Azure policies aligned with the NIST SP 800-53 Regulatory Compliance initative. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.'
queryPeriod: 7d
query: let Last_Evaluated=SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain, TimeGenerated; SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain | extend PassedControlsPercentage = (Passed/todouble(Total))*100 | join (Last_Evaluated) on ComplianceDomain | project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated | summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed | where PassedControlsPercentage < 70 | sort by PassedControlsPercentage, Passed desc | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22') | extend URLCustomEntity = RemediationLink
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
tactics:
- Discovery
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Analytic Rules/NISTSP80053PostureChanged.yaml
id: dd834c97-4638-4bb3-a4e3-807e8b0580dc
requiredDataConnectors: []
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dd834c97-4638-4bb3-a4e3-807e8b0580dc')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dd834c97-4638-4bb3-a4e3-807e8b0580dc')]",
      "properties": {
        "alertRuleTemplateName": "dd834c97-4638-4bb3-a4e3-807e8b0580dc",
        "customDetails": null,
        "description": "'This alert is desinged to monitor Azure policies aligned with the NIST SP 800-53 Regulatory Compliance initative. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.'\n",
        "displayName": "NIST SP 800-53 Posture Changed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Analytic Rules/NISTSP80053PostureChanged.yaml",
        "query": "let Last_Evaluated=SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == \"NIST-SP-800-53-R4\") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains \"AC.\", \"Access Control\", iff(ComplianceControl contains \"AT.\", \"Security Awareness & Training\", iff(ComplianceControl contains \"AU.\", \"Audit & Accountability\", iff(ComplianceControl contains \"CA.\", \"Security Assessment\", iff(ComplianceControl contains \"CM.\", \"Configuration Management\", iff(ComplianceControl contains \"CP.\", \"Contingency Planning\", iff(ComplianceControl contains \"IA.\", \"Identification & Authentication\", iff(ComplianceControl contains \"IR.\", \"Incident Response\", iff(ComplianceControl contains \"MA.\", \"System Maintenance\", iff(ComplianceControl contains \"MP.\", \"Media Protection\", iff(ComplianceControl contains \"PE.\", \"Physical Protection\", iff(ComplianceControl contains \"PL.\", \"Security Planning\", iff(ComplianceControl contains \"PS.\", \"Personnel Security\",iff(ComplianceControl contains \"RA.\", \"Risk Assessment\",iff(ComplianceControl contains \"SA.\", \"System & Services Acquisition\",iff(ComplianceControl contains \"SC.\", \"System & Communications Protection\",iff(ComplianceControl contains \"SI.\", \"System & Information Integrity\",\"Other\"))))))))))))))))) | summarize Failed = countif(RecommendationState == \"Unhealthy\"), Passed = countif(RecommendationState == \"Healthy\"), Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\") by ComplianceDomain, TimeGenerated; SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == \"NIST-SP-800-53-R4\") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains \"AC.\", \"Access Control\", iff(ComplianceControl contains \"AT.\", \"Security Awareness & Training\", iff(ComplianceControl contains \"AU.\", \"Audit & Accountability\", iff(ComplianceControl contains \"CA.\", \"Security Assessment\", iff(ComplianceControl contains \"CM.\", \"Configuration Management\", iff(ComplianceControl contains \"CP.\", \"Contingency Planning\", iff(ComplianceControl contains \"IA.\", \"Identification & Authentication\", iff(ComplianceControl contains \"IR.\", \"Incident Response\", iff(ComplianceControl contains \"MA.\", \"System Maintenance\", iff(ComplianceControl contains \"MP.\", \"Media Protection\", iff(ComplianceControl contains \"PE.\", \"Physical Protection\", iff(ComplianceControl contains \"PL.\", \"Security Planning\", iff(ComplianceControl contains \"PS.\", \"Personnel Security\",iff(ComplianceControl contains \"RA.\", \"Risk Assessment\",iff(ComplianceControl contains \"SA.\", \"System & Services Acquisition\",iff(ComplianceControl contains \"SC.\", \"System & Communications Protection\",iff(ComplianceControl contains \"SI.\", \"System & Information Integrity\",\"Other\"))))))))))))))))) | summarize Failed = countif(RecommendationState == \"Unhealthy\"), Passed = countif(RecommendationState == \"Healthy\"), Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\") by ComplianceDomain | extend PassedControlsPercentage = (Passed/todouble(Total))*100 | join (Last_Evaluated) on ComplianceDomain | project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated | summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed | where PassedControlsPercentage < 70 | sort by PassedControlsPercentage, Passed desc | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22') | extend URLCustomEntity = RemediationLink",
        "queryFrequency": "P7D",
        "queryPeriod": "P7D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1082"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}