Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CMMC 20 Level 1 Foundational Readiness Posture

Back
Idfb127436-e5c4-4e31-85a8-d3507128dd09
RulenameCMMC 2.0 Level 1 (Foundational) Readiness Posture
DescriptionCMMC 2.0 Level 1 (Foundational) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC2.0 policy compliance is assessed below 70% compliance in 7 days.
SeverityMedium
TacticsDiscovery
TechniquesT1082
KindScheduled
Query frequency7d
Query period7d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level1FoundationalPosture.yaml
Version1.0.0
Arm templatefb127436-e5c4-4e31-85a8-d3507128dd09.json
Deploy To Azure
SecurityRegulatoryCompliance
| where ComplianceStandard == "NIST-SP-800-171-R2"
| extend Level=iff(ComplianceControl in ("3.1.1","3.1.2","3.1.20","3.1.22","3.4.1","3.5.2","3.5.2","3.8.3","3.13.1","3.13.5","3.14.1","3.14.2","3.14.4","3.14.5"), "Level 1: Foundational","Level 2: Advanced")
| where Level == "Level 1: Foundational"
| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId, Level
| summarize Failed=countif(State=="Failed"),Passed=countif(State=="Passed"),Total=countif(State=="Passed" or State == "Failed") by Level
|extend PassedControlsPercentage = (Passed/todouble(Total))*100
| where PassedControlsPercentage < 70 
//Adjust Either Passed Thresholds within Organizational Needs
| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
| project Level, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, LastObserved=now()
| extend URLCustomEntity = RemediationLink
status: Available
queryFrequency: 7d
description: |
    'CMMC 2.0 Level 1 (Foundational) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC2.0 policy compliance is assessed below 70% compliance in 7 days.'
severity: Medium
version: 1.0.0
relevantTechniques:
- T1082
name: CMMC 2.0 Level 1 (Foundational) Readiness Posture
triggerThreshold: 0
kind: Scheduled
query: |
  SecurityRegulatoryCompliance
  | where ComplianceStandard == "NIST-SP-800-171-R2"
  | extend Level=iff(ComplianceControl in ("3.1.1","3.1.2","3.1.20","3.1.22","3.4.1","3.5.2","3.5.2","3.8.3","3.13.1","3.13.5","3.14.1","3.14.2","3.14.4","3.14.5"), "Level 1: Foundational","Level 2: Advanced")
  | where Level == "Level 1: Foundational"
  | summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId, Level
  | summarize Failed=countif(State=="Failed"),Passed=countif(State=="Passed"),Total=countif(State=="Passed" or State == "Failed") by Level
  |extend PassedControlsPercentage = (Passed/todouble(Total))*100
  | where PassedControlsPercentage < 70 
  //Adjust Either Passed Thresholds within Organizational Needs
  | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
  | project Level, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, LastObserved=now()
  | extend URLCustomEntity = RemediationLink  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level1FoundationalPosture.yaml
requiredDataConnectors: []
tactics:
- Discovery
id: fb127436-e5c4-4e31-85a8-d3507128dd09
queryPeriod: 7d
entityMappings:
- fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
  entityType: URL
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb127436-e5c4-4e31-85a8-d3507128dd09')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb127436-e5c4-4e31-85a8-d3507128dd09')]",
      "properties": {
        "alertRuleTemplateName": "fb127436-e5c4-4e31-85a8-d3507128dd09",
        "customDetails": null,
        "description": "'CMMC 2.0 Level 1 (Foundational) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC2.0 policy compliance is assessed below 70% compliance in 7 days.'\n",
        "displayName": "CMMC 2.0 Level 1 (Foundational) Readiness Posture",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level1FoundationalPosture.yaml",
        "query": "SecurityRegulatoryCompliance\n| where ComplianceStandard == \"NIST-SP-800-171-R2\"\n| extend Level=iff(ComplianceControl in (\"3.1.1\",\"3.1.2\",\"3.1.20\",\"3.1.22\",\"3.4.1\",\"3.5.2\",\"3.5.2\",\"3.8.3\",\"3.13.1\",\"3.13.5\",\"3.14.1\",\"3.14.2\",\"3.14.4\",\"3.14.5\"), \"Level 1: Foundational\",\"Level 2: Advanced\")\n| where Level == \"Level 1: Foundational\"\n| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId, Level\n| summarize Failed=countif(State==\"Failed\"),Passed=countif(State==\"Passed\"),Total=countif(State==\"Passed\" or State == \"Failed\") by Level\n|extend PassedControlsPercentage = (Passed/todouble(Total))*100\n| where PassedControlsPercentage < 70 \n//Adjust Either Passed Thresholds within Organizational Needs\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n| project Level, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, LastObserved=now()\n| extend URLCustomEntity = RemediationLink\n",
        "queryFrequency": "P7D",
        "queryPeriod": "P7D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1082"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}