Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CMMC 20 Level 1 Foundational Readiness Posture

CMMC 20 Level 1 Foundational Readiness Posture

Back
Idfb127436-e5c4-4e31-85a8-d3507128dd09
RulenameCMMC 2.0 Level 1 (Foundational) Readiness Posture
DescriptionCMMC 2.0 Level 1 (Foundational) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC2.0 policy compliance is assessed below 70% compliance in 7 days.
SeverityMedium
TacticsDiscovery
TechniquesT1082
KindScheduled
Query frequency7d
Query period7d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level1FoundationalPosture.yaml
Version1.0.0
Arm templatefb127436-e5c4-4e31-85a8-d3507128dd09.json
Deploy To Azure
SecurityRegulatoryCompliance
| where ComplianceStandard == "NIST-SP-800-171-R2"
| extend Level=iff(ComplianceControl in ("3.1.1","3.1.2","3.1.20","3.1.22","3.4.1","3.5.2","3.5.2","3.8.3","3.13.1","3.13.5","3.14.1","3.14.2","3.14.4","3.14.5"), "Level 1: Foundational","Level 2: Advanced")
| where Level == "Level 1: Foundational"
| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId, Level
| summarize Failed=countif(State=="Failed"),Passed=countif(State=="Passed"),Total=countif(State=="Passed" or State == "Failed") by Level
|extend PassedControlsPercentage = (Passed/todouble(Total))*100
| where PassedControlsPercentage < 70 
//Adjust Either Passed Thresholds within Organizational Needs
| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
| project Level, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, LastObserved=now()
| extend URLCustomEntity = RemediationLink

triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: URLCustomEntity
  entityType: URL
tactics:
- Discovery
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level1FoundationalPosture.yaml
queryPeriod: 7d
kind: Scheduled
relevantTechniques:
- T1082
name: CMMC 2.0 Level 1 (Foundational) Readiness Posture
id: fb127436-e5c4-4e31-85a8-d3507128dd09
status: Available
description: |
    'CMMC 2.0 Level 1 (Foundational) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC2.0 policy compliance is assessed below 70% compliance in 7 days.'
severity: Medium
queryFrequency: 7d
requiredDataConnectors: []
query: |
  SecurityRegulatoryCompliance
  | where ComplianceStandard == "NIST-SP-800-171-R2"
  | extend Level=iff(ComplianceControl in ("3.1.1","3.1.2","3.1.20","3.1.22","3.4.1","3.5.2","3.5.2","3.8.3","3.13.1","3.13.5","3.14.1","3.14.2","3.14.4","3.14.5"), "Level 1: Foundational","Level 2: Advanced")
  | where Level == "Level 1: Foundational"
  | summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId, Level
  | summarize Failed=countif(State=="Failed"),Passed=countif(State=="Passed"),Total=countif(State=="Passed" or State == "Failed") by Level
  |extend PassedControlsPercentage = (Passed/todouble(Total))*100
  | where PassedControlsPercentage < 70 
  //Adjust Either Passed Thresholds within Organizational Needs
  | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
  | project Level, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, LastObserved=now()
  | extend URLCustomEntity = RemediationLink  
triggerOperator: gt