CMMC 20 Level 1 Foundational Readiness Posture
Id | fb127436-e5c4-4e31-85a8-d3507128dd09 |
Rulename | CMMC 2.0 Level 1 (Foundational) Readiness Posture |
Description | CMMC 2.0 Level 1 (Foundational) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC2.0 policy compliance is assessed below 70% compliance in 7 days. |
Severity | Medium |
Tactics | Discovery |
Techniques | T1082 |
Kind | Scheduled |
Query frequency | 7d |
Query period | 7d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level1FoundationalPosture.yaml |
Version | 1.0.0 |
Arm template | fb127436-e5c4-4e31-85a8-d3507128dd09.json |
SecurityRegulatoryCompliance
| where ComplianceStandard == "NIST-SP-800-171-R2"
| extend Level=iff(ComplianceControl in ("3.1.1","3.1.2","3.1.20","3.1.22","3.4.1","3.5.2","3.5.2","3.8.3","3.13.1","3.13.5","3.14.1","3.14.2","3.14.4","3.14.5"), "Level 1: Foundational","Level 2: Advanced")
| where Level == "Level 1: Foundational"
| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId, Level
| summarize Failed=countif(State=="Failed"),Passed=countif(State=="Passed"),Total=countif(State=="Passed" or State == "Failed") by Level
|extend PassedControlsPercentage = (Passed/todouble(Total))*100
| where PassedControlsPercentage < 70
//Adjust Either Passed Thresholds within Organizational Needs
| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
| project Level, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, LastObserved=now()
| extend URLCustomEntity = RemediationLink
relevantTechniques:
- T1082
name: CMMC 2.0 Level 1 (Foundational) Readiness Posture
requiredDataConnectors: []
entityMappings:
- fieldMappings:
- identifier: Url
columnName: URLCustomEntity
entityType: URL
triggerThreshold: 0
id: fb127436-e5c4-4e31-85a8-d3507128dd09
tactics:
- Discovery
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level1FoundationalPosture.yaml
queryPeriod: 7d
kind: Scheduled
queryFrequency: 7d
severity: Medium
status: Available
description: |
'CMMC 2.0 Level 1 (Foundational) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC2.0 policy compliance is assessed below 70% compliance in 7 days.'
query: |
SecurityRegulatoryCompliance
| where ComplianceStandard == "NIST-SP-800-171-R2"
| extend Level=iff(ComplianceControl in ("3.1.1","3.1.2","3.1.20","3.1.22","3.4.1","3.5.2","3.5.2","3.8.3","3.13.1","3.13.5","3.14.1","3.14.2","3.14.4","3.14.5"), "Level 1: Foundational","Level 2: Advanced")
| where Level == "Level 1: Foundational"
| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId, Level
| summarize Failed=countif(State=="Failed"),Passed=countif(State=="Passed"),Total=countif(State=="Passed" or State == "Failed") by Level
|extend PassedControlsPercentage = (Passed/todouble(Total))*100
| where PassedControlsPercentage < 70
//Adjust Either Passed Thresholds within Organizational Needs
| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
| project Level, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, LastObserved=now()
| extend URLCustomEntity = RemediationLink
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb127436-e5c4-4e31-85a8-d3507128dd09')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb127436-e5c4-4e31-85a8-d3507128dd09')]",
"properties": {
"alertRuleTemplateName": "fb127436-e5c4-4e31-85a8-d3507128dd09",
"customDetails": null,
"description": "'CMMC 2.0 Level 1 (Foundational) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC2.0 policy compliance is assessed below 70% compliance in 7 days.'\n",
"displayName": "CMMC 2.0 Level 1 (Foundational) Readiness Posture",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URLCustomEntity",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level1FoundationalPosture.yaml",
"query": "SecurityRegulatoryCompliance\n| where ComplianceStandard == \"NIST-SP-800-171-R2\"\n| extend Level=iff(ComplianceControl in (\"3.1.1\",\"3.1.2\",\"3.1.20\",\"3.1.22\",\"3.4.1\",\"3.5.2\",\"3.5.2\",\"3.8.3\",\"3.13.1\",\"3.13.5\",\"3.14.1\",\"3.14.2\",\"3.14.4\",\"3.14.5\"), \"Level 1: Foundational\",\"Level 2: Advanced\")\n| where Level == \"Level 1: Foundational\"\n| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId, Level\n| summarize Failed=countif(State==\"Failed\"),Passed=countif(State==\"Passed\"),Total=countif(State==\"Passed\" or State == \"Failed\") by Level\n|extend PassedControlsPercentage = (Passed/todouble(Total))*100\n| where PassedControlsPercentage < 70 \n//Adjust Either Passed Thresholds within Organizational Needs\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n| project Level, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, LastObserved=now()\n| extend URLCustomEntity = RemediationLink\n",
"queryFrequency": "P7D",
"queryPeriod": "P7D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1082"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}