Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CDM_ContinuousDiagnosticsMitigation_Posture

CDM_ContinuousDiagnosticsMitigation_Posture

Back
Ide15944a8-4172-4208-a928-631e01920d9c
RulenameCDM_ContinuousDiagnostics&Mitigation_Posture
DescriptionThis hunting query is designed to monitor Azure policies aligned with the Continuous Diagnostics & Mitigation (CDM) Program. It provides a policy check assessment of current CDM policy status across capability areas.
SeverityMedium
TacticsDiscovery
TechniquesT1082
KindScheduled
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContinuousDiagnostics&Mitigation/Hunting Queries/ContinuousDiagnostics&MitigationPosture.yaml
Version1.0.0
Arm templatee15944a8-4172-4208-a928-631e01920d9c.json
Deploy To Azure
SecurityRecommendation
| where RecommendationDisplayName <> ""
| extend MaturityLevel=iff(RecommendationDisplayName has_any("log", "defender", "asset", "arc"), "Hardware Asset Management (HWAM)",
    iff(RecommendationDisplayName has_any("allow", "software", "application"), "Software Asset Management (SWAM)",
    iff(RecommendationDisplayName has_any("account", "user", "identity", "trust"), "User Trust (TRUST)",
    iff(RecommendationDisplayName has_any("access", "auth", "key", "cert", "token"), "Credentials & Authenticators (CRED)",
    iff(RecommendationDisplayName has_any("priv", "admin", "root"), "Privileges (PRIV)",
    iff(RecommendationDisplayName has_any("network", "internet", "traffic", "firewall", "intrusion", "bound", "tls", "gateway", "subnet", "web", "url", "proxy", "just", "port", "JIT", "http"), "Boundary Protection (BOUND)",
    iff(RecommendationDisplayName has_any("event", "agent", "incident", "back", "privacy", "audit", "collect"), "Manage Events (MNGEVT)",
    iff(RecommendationDisplayName has_any("edr", "malware", "endpoint protection", "detect", "respon"), "Endpoint Detection & Response (EDR)",
    iff(RecommendationDisplayName has_any("aks", "contain", "kube", "supply"), "Design & Build in Security (DBS)",
    iff(RecommendationDisplayName has_any("data", "storage", "sql", "cmk", "key"), "Data Protection Management (DPM)", "Other"))))))))))
| where MaturityLevel in ('Hardware Asset Management (HWAM)', 'Software Asset Management (SWAM)', 'User Trust (TRUST)', 'Credentials & Authenticators (CRED)', 'Privileges (PRIV)', 'Boundary Protection (BOUND)', 'Manage Events (MNGEVT)', 'Endpoint Detection & Response (EDR)', 'Design & Build in Security (DBS)', 'Data Protection Management (DPM)')
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName
| summarize
    Failed = countif(RecommendationState == "Unhealthy"),
    Passed = countif(RecommendationState == "Healthy"),
    NotApplicable = countif(RecommendationState == "NotApplicable" or RecommendationState == "Removed"),
    Applicable = countif(RecommendationState == "Unhealthy" or RecommendationState == "Healthy"),
    Total = countif(RecommendationState == "Unhealthy" or RecommendationState == "Healthy" or RecommendationState == "NotApplicable" or RecommendationState == "Removed")
    by MaturityLevel
| extend PassedControls = (Passed / todouble(Applicable)) * 100
| project MaturityLevel, Total, PassedControls, Passed, Failed, Applicable, NotApplicable
| sort by Total, Passed desc
| project CapabilityArea=MaturityLevel, Total, PassedControls, Passed, Failed, LastObserved=now()

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContinuousDiagnostics&Mitigation/Hunting Queries/ContinuousDiagnostics&MitigationPosture.yaml
version: 1.0.0
entityMappings:
- fieldMappings:
  - identifier: []
    columnName: []
  entityType: []
severity: Medium
relevantTechniques:
- T1082
tactics:
- Discovery
description: |
    'This hunting query is designed to monitor Azure policies aligned with the Continuous Diagnostics & Mitigation (CDM) Program. It provides a policy check assessment of current CDM policy status across capability areas.'
query: |
  SecurityRecommendation
  | where RecommendationDisplayName <> ""
  | extend MaturityLevel=iff(RecommendationDisplayName has_any("log", "defender", "asset", "arc"), "Hardware Asset Management (HWAM)",
      iff(RecommendationDisplayName has_any("allow", "software", "application"), "Software Asset Management (SWAM)",
      iff(RecommendationDisplayName has_any("account", "user", "identity", "trust"), "User Trust (TRUST)",
      iff(RecommendationDisplayName has_any("access", "auth", "key", "cert", "token"), "Credentials & Authenticators (CRED)",
      iff(RecommendationDisplayName has_any("priv", "admin", "root"), "Privileges (PRIV)",
      iff(RecommendationDisplayName has_any("network", "internet", "traffic", "firewall", "intrusion", "bound", "tls", "gateway", "subnet", "web", "url", "proxy", "just", "port", "JIT", "http"), "Boundary Protection (BOUND)",
      iff(RecommendationDisplayName has_any("event", "agent", "incident", "back", "privacy", "audit", "collect"), "Manage Events (MNGEVT)",
      iff(RecommendationDisplayName has_any("edr", "malware", "endpoint protection", "detect", "respon"), "Endpoint Detection & Response (EDR)",
      iff(RecommendationDisplayName has_any("aks", "contain", "kube", "supply"), "Design & Build in Security (DBS)",
      iff(RecommendationDisplayName has_any("data", "storage", "sql", "cmk", "key"), "Data Protection Management (DPM)", "Other"))))))))))
  | where MaturityLevel in ('Hardware Asset Management (HWAM)', 'Software Asset Management (SWAM)', 'User Trust (TRUST)', 'Credentials & Authenticators (CRED)', 'Privileges (PRIV)', 'Boundary Protection (BOUND)', 'Manage Events (MNGEVT)', 'Endpoint Detection & Response (EDR)', 'Design & Build in Security (DBS)', 'Data Protection Management (DPM)')
  | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName
  | summarize
      Failed = countif(RecommendationState == "Unhealthy"),
      Passed = countif(RecommendationState == "Healthy"),
      NotApplicable = countif(RecommendationState == "NotApplicable" or RecommendationState == "Removed"),
      Applicable = countif(RecommendationState == "Unhealthy" or RecommendationState == "Healthy"),
      Total = countif(RecommendationState == "Unhealthy" or RecommendationState == "Healthy" or RecommendationState == "NotApplicable" or RecommendationState == "Removed")
      by MaturityLevel
  | extend PassedControls = (Passed / todouble(Applicable)) * 100
  | project MaturityLevel, Total, PassedControls, Passed, Failed, Applicable, NotApplicable
  | sort by Total, Passed desc
  | project CapabilityArea=MaturityLevel, Total, PassedControls, Passed, Failed, LastObserved=now()  
kind: Scheduled
id: e15944a8-4172-4208-a928-631e01920d9c
requiredDataConnectors: []
name: CDM_ContinuousDiagnostics&Mitigation_Posture

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e15944a8-4172-4208-a928-631e01920d9c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e15944a8-4172-4208-a928-631e01920d9c')]",
      "properties": {
        "alertRuleTemplateName": "e15944a8-4172-4208-a928-631e01920d9c",
        "customDetails": null,
        "description": "'This hunting query is designed to monitor Azure policies aligned with the Continuous Diagnostics & Mitigation (CDM) Program. It provides a policy check assessment of current CDM policy status across capability areas.'\n",
        "displayName": "CDM_ContinuousDiagnostics&Mitigation_Posture",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": [],
            "fieldMappings": [
              {
                "columnName": [],
                "identifier": []
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContinuousDiagnostics&Mitigation/Hunting Queries/ContinuousDiagnostics&MitigationPosture.yaml",
        "query": "SecurityRecommendation\n| where RecommendationDisplayName <> \"\"\n| extend MaturityLevel=iff(RecommendationDisplayName has_any(\"log\", \"defender\", \"asset\", \"arc\"), \"Hardware Asset Management (HWAM)\",\n    iff(RecommendationDisplayName has_any(\"allow\", \"software\", \"application\"), \"Software Asset Management (SWAM)\",\n    iff(RecommendationDisplayName has_any(\"account\", \"user\", \"identity\", \"trust\"), \"User Trust (TRUST)\",\n    iff(RecommendationDisplayName has_any(\"access\", \"auth\", \"key\", \"cert\", \"token\"), \"Credentials & Authenticators (CRED)\",\n    iff(RecommendationDisplayName has_any(\"priv\", \"admin\", \"root\"), \"Privileges (PRIV)\",\n    iff(RecommendationDisplayName has_any(\"network\", \"internet\", \"traffic\", \"firewall\", \"intrusion\", \"bound\", \"tls\", \"gateway\", \"subnet\", \"web\", \"url\", \"proxy\", \"just\", \"port\", \"JIT\", \"http\"), \"Boundary Protection (BOUND)\",\n    iff(RecommendationDisplayName has_any(\"event\", \"agent\", \"incident\", \"back\", \"privacy\", \"audit\", \"collect\"), \"Manage Events (MNGEVT)\",\n    iff(RecommendationDisplayName has_any(\"edr\", \"malware\", \"endpoint protection\", \"detect\", \"respon\"), \"Endpoint Detection & Response (EDR)\",\n    iff(RecommendationDisplayName has_any(\"aks\", \"contain\", \"kube\", \"supply\"), \"Design & Build in Security (DBS)\",\n    iff(RecommendationDisplayName has_any(\"data\", \"storage\", \"sql\", \"cmk\", \"key\"), \"Data Protection Management (DPM)\", \"Other\"))))))))))\n| where MaturityLevel in ('Hardware Asset Management (HWAM)', 'Software Asset Management (SWAM)', 'User Trust (TRUST)', 'Credentials & Authenticators (CRED)', 'Privileges (PRIV)', 'Boundary Protection (BOUND)', 'Manage Events (MNGEVT)', 'Endpoint Detection & Response (EDR)', 'Design & Build in Security (DBS)', 'Data Protection Management (DPM)')\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\n| summarize\n    Failed = countif(RecommendationState == \"Unhealthy\"),\n    Passed = countif(RecommendationState == \"Healthy\"),\n    NotApplicable = countif(RecommendationState == \"NotApplicable\" or RecommendationState == \"Removed\"),\n    Applicable = countif(RecommendationState == \"Unhealthy\" or RecommendationState == \"Healthy\"),\n    Total = countif(RecommendationState == \"Unhealthy\" or RecommendationState == \"Healthy\" or RecommendationState == \"NotApplicable\" or RecommendationState == \"Removed\")\n    by MaturityLevel\n| extend PassedControls = (Passed / todouble(Applicable)) * 100\n| project MaturityLevel, Total, PassedControls, Passed, Failed, Applicable, NotApplicable\n| sort by Total, Passed desc\n| project CapabilityArea=MaturityLevel, Total, PassedControls, Passed, Failed, LastObserved=now()\n",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1082"
        ],
        "templateVersion": "1.0.0"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}