NIST SP 800-53 Posture Changed
Id | dd834c97-4638-4bb3-a4e3-807e8b0580dc |
Rulename | NIST SP 800-53 Posture Changed |
Description | This alert is desinged to monitor Azure policies aligned with the NIST SP 800-53 Regulatory Compliance initative. The alert triggers when policy compliance falls below 70% within a 1 week timeframe. |
Severity | Medium |
Tactics | Discovery |
Techniques | T1082 |
Kind | Scheduled |
Query frequency | 7d |
Query period | 7d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Analytic Rules/NISTSP80053PostureChanged.yaml |
Version | 1.0.0 |
Arm template | dd834c97-4638-4bb3-a4e3-807e8b0580dc.json |
let Last_Evaluated=SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain, TimeGenerated; SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain | extend PassedControlsPercentage = (Passed/todouble(Total))*100 | join (Last_Evaluated) on ComplianceDomain | project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated | summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed | where PassedControlsPercentage < 70 | sort by PassedControlsPercentage, Passed desc | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22') | extend URLCustomEntity = RemediationLink
requiredDataConnectors: []
status: Available
relevantTechniques:
- T1082
queryFrequency: 7d
id: dd834c97-4638-4bb3-a4e3-807e8b0580dc
name: NIST SP 800-53 Posture Changed
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Analytic Rules/NISTSP80053PostureChanged.yaml
queryPeriod: 7d
entityMappings:
- fieldMappings:
- columnName: URLCustomEntity
identifier: Url
entityType: URL
description: |
'This alert is desinged to monitor Azure policies aligned with the NIST SP 800-53 Regulatory Compliance initative. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.'
triggerThreshold: 0
tactics:
- Discovery
query: let Last_Evaluated=SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain, TimeGenerated; SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == "NIST-SP-800-53-R4") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains "AC.", "Access Control", iff(ComplianceControl contains "AT.", "Security Awareness & Training", iff(ComplianceControl contains "AU.", "Audit & Accountability", iff(ComplianceControl contains "CA.", "Security Assessment", iff(ComplianceControl contains "CM.", "Configuration Management", iff(ComplianceControl contains "CP.", "Contingency Planning", iff(ComplianceControl contains "IA.", "Identification & Authentication", iff(ComplianceControl contains "IR.", "Incident Response", iff(ComplianceControl contains "MA.", "System Maintenance", iff(ComplianceControl contains "MP.", "Media Protection", iff(ComplianceControl contains "PE.", "Physical Protection", iff(ComplianceControl contains "PL.", "Security Planning", iff(ComplianceControl contains "PS.", "Personnel Security",iff(ComplianceControl contains "RA.", "Risk Assessment",iff(ComplianceControl contains "SA.", "System & Services Acquisition",iff(ComplianceControl contains "SC.", "System & Communications Protection",iff(ComplianceControl contains "SI.", "System & Information Integrity","Other"))))))))))))))))) | summarize Failed = countif(RecommendationState == "Unhealthy"), Passed = countif(RecommendationState == "Healthy"), Total = countif(RecommendationState == "Healthy" or RecommendationState == "Unhealthy") by ComplianceDomain | extend PassedControlsPercentage = (Passed/todouble(Total))*100 | join (Last_Evaluated) on ComplianceDomain | project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated | summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed | where PassedControlsPercentage < 70 | sort by PassedControlsPercentage, Passed desc | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22') | extend URLCustomEntity = RemediationLink
kind: Scheduled
triggerOperator: gt
version: 1.0.0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dd834c97-4638-4bb3-a4e3-807e8b0580dc')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dd834c97-4638-4bb3-a4e3-807e8b0580dc')]",
"properties": {
"alertRuleTemplateName": "dd834c97-4638-4bb3-a4e3-807e8b0580dc",
"customDetails": null,
"description": "'This alert is desinged to monitor Azure policies aligned with the NIST SP 800-53 Regulatory Compliance initative. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.'\n",
"displayName": "NIST SP 800-53 Posture Changed",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URLCustomEntity",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NISTSP80053/Analytic Rules/NISTSP80053PostureChanged.yaml",
"query": "let Last_Evaluated=SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == \"NIST-SP-800-53-R4\") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains \"AC.\", \"Access Control\", iff(ComplianceControl contains \"AT.\", \"Security Awareness & Training\", iff(ComplianceControl contains \"AU.\", \"Audit & Accountability\", iff(ComplianceControl contains \"CA.\", \"Security Assessment\", iff(ComplianceControl contains \"CM.\", \"Configuration Management\", iff(ComplianceControl contains \"CP.\", \"Contingency Planning\", iff(ComplianceControl contains \"IA.\", \"Identification & Authentication\", iff(ComplianceControl contains \"IR.\", \"Incident Response\", iff(ComplianceControl contains \"MA.\", \"System Maintenance\", iff(ComplianceControl contains \"MP.\", \"Media Protection\", iff(ComplianceControl contains \"PE.\", \"Physical Protection\", iff(ComplianceControl contains \"PL.\", \"Security Planning\", iff(ComplianceControl contains \"PS.\", \"Personnel Security\",iff(ComplianceControl contains \"RA.\", \"Risk Assessment\",iff(ComplianceControl contains \"SA.\", \"System & Services Acquisition\",iff(ComplianceControl contains \"SC.\", \"System & Communications Protection\",iff(ComplianceControl contains \"SI.\", \"System & Information Integrity\",\"Other\"))))))))))))))))) | summarize Failed = countif(RecommendationState == \"Unhealthy\"), Passed = countif(RecommendationState == \"Healthy\"), Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\") by ComplianceDomain, TimeGenerated; SecurityRecommendation | join kind=fullouter(SecurityRegulatoryCompliance| where ComplianceStandard == \"NIST-SP-800-53-R4\") on RecommendationName | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName | extend ComplianceDomain=iff(ComplianceControl contains \"AC.\", \"Access Control\", iff(ComplianceControl contains \"AT.\", \"Security Awareness & Training\", iff(ComplianceControl contains \"AU.\", \"Audit & Accountability\", iff(ComplianceControl contains \"CA.\", \"Security Assessment\", iff(ComplianceControl contains \"CM.\", \"Configuration Management\", iff(ComplianceControl contains \"CP.\", \"Contingency Planning\", iff(ComplianceControl contains \"IA.\", \"Identification & Authentication\", iff(ComplianceControl contains \"IR.\", \"Incident Response\", iff(ComplianceControl contains \"MA.\", \"System Maintenance\", iff(ComplianceControl contains \"MP.\", \"Media Protection\", iff(ComplianceControl contains \"PE.\", \"Physical Protection\", iff(ComplianceControl contains \"PL.\", \"Security Planning\", iff(ComplianceControl contains \"PS.\", \"Personnel Security\",iff(ComplianceControl contains \"RA.\", \"Risk Assessment\",iff(ComplianceControl contains \"SA.\", \"System & Services Acquisition\",iff(ComplianceControl contains \"SC.\", \"System & Communications Protection\",iff(ComplianceControl contains \"SI.\", \"System & Information Integrity\",\"Other\"))))))))))))))))) | summarize Failed = countif(RecommendationState == \"Unhealthy\"), Passed = countif(RecommendationState == \"Healthy\"), Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\") by ComplianceDomain | extend PassedControlsPercentage = (Passed/todouble(Total))*100 | join (Last_Evaluated) on ComplianceDomain | project ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed, LastEvaluated=TimeGenerated | summarize arg_max(LastEvaluated, *) by ComplianceDomain, Total, PassedControlsPercentage, Passed, Failed | where PassedControlsPercentage < 70 | sort by PassedControlsPercentage, Passed desc | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22') | extend URLCustomEntity = RemediationLink",
"queryFrequency": "P7D",
"queryPeriod": "P7D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1082"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}