Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CDM_ContinuousDiagnosticsMitigation_PostureChanged

CDM_ContinuousDiagnosticsMitigation_PostureChanged

Back
Idfd950af9-d9db-4879-a60a-7267cc041beb
RulenameCDM_ContinuousDiagnostics&Mitigation_PostureChanged
DescriptionThis alert is designed to monitor Azure policies aligned with the Continuous Diagnostics & Mitigation (CDM) Program. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.
SeverityMedium
TacticsDiscovery
TechniquesT1082
KindScheduled
Query frequency7d
Query period7d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContinuousDiagnostics&Mitigation/Analytic Rules/ContinuousDiagnostics&MitigationPostureChanged.yaml
Version1.0.0
Arm templatefd950af9-d9db-4879-a60a-7267cc041beb.json
Deploy To Azure
SecurityRecommendation
| where RecommendationDisplayName <> ""
| extend MaturityLevel=iff(RecommendationDisplayName has_any("log", "defender", "asset", "arc"), "Hardware Asset Management (HWAM)",
    iff(RecommendationDisplayName has_any("allow", "software", "application"), "Software Asset Management (SWAM)",
    iff(RecommendationDisplayName has_any("account", "user", "identity", "trust"), "User Trust (TRUST)",
    iff(RecommendationDisplayName has_any("access", "auth", "key", "cert", "token"), "Credentials & Authenticators (CRED)",
    iff(RecommendationDisplayName has_any("priv", "admin", "root"), "Privileges (PRIV)",
    iff(RecommendationDisplayName has_any("network", "internet", "traffic", "firewall", "intrusion", "bound", "tls", "gateway", "subnet", "web", "url", "proxy", "just", "port", "JIT", "http"), "Boundary Protection (BOUND)",
    iff(RecommendationDisplayName has_any("event", "agent", "incident", "back", "privacy", "audit", "collect"), "Manage Events (MNGEVT)",
    iff(RecommendationDisplayName has_any("edr", "malware", "endpoint protection", "detect", "respon"), "Endpoint Detection & Response (EDR)",
    iff(RecommendationDisplayName has_any("aks", "contain", "kube", "supply"), "Design & Build in Security (DBS)",
    iff(RecommendationDisplayName has_any("data", "storage", "sql", "cmk", "key"), "Data Protection Management (DPM)", "Other"))))))))))
| where MaturityLevel in ('Hardware Asset Management (HWAM)', 'Software Asset Management (SWAM)', 'User Trust (TRUST)', 'Credentials & Authenticators (CRED)', 'Privileges (PRIV)', 'Boundary Protection (BOUND)', 'Manage Events (MNGEVT)', 'Endpoint Detection & Response (EDR)', 'Design & Build in Security (DBS)', 'Data Protection Management (DPM)')
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName
| summarize
    Failed = countif(RecommendationState == "Unhealthy"),
    Passed = countif(RecommendationState == "Healthy"),
    NotApplicable = countif(RecommendationState == "NotApplicable" or RecommendationState == "Removed"),
    Applicable = countif(RecommendationState == "Unhealthy" or RecommendationState == "Healthy"),
    Total = countif(RecommendationState == "Unhealthy" or RecommendationState == "Healthy" or RecommendationState == "NotApplicable" or RecommendationState == "Removed")
    by MaturityLevel
| extend PassedControls = (Passed / todouble(Applicable)) * 100
| project MaturityLevel, Total, PassedControls, Passed, Failed, Applicable, NotApplicable
| sort by Total, Passed desc
| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
| project CapabilityArea=MaturityLevel, Total, PassedControls, Passed, Failed, RemediationLink, LastObserved=now()
| where CapabilityArea <> ''
| where PassedControls < 70 
//Adjust Either FailedRatePercentage or PassedRatePercentage Thresholds within organizational requirements
| sort by PassedControls desc
| extend URLCustomEntity = RemediationLink

queryPeriod: 7d
query: |
  SecurityRecommendation
  | where RecommendationDisplayName <> ""
  | extend MaturityLevel=iff(RecommendationDisplayName has_any("log", "defender", "asset", "arc"), "Hardware Asset Management (HWAM)",
      iff(RecommendationDisplayName has_any("allow", "software", "application"), "Software Asset Management (SWAM)",
      iff(RecommendationDisplayName has_any("account", "user", "identity", "trust"), "User Trust (TRUST)",
      iff(RecommendationDisplayName has_any("access", "auth", "key", "cert", "token"), "Credentials & Authenticators (CRED)",
      iff(RecommendationDisplayName has_any("priv", "admin", "root"), "Privileges (PRIV)",
      iff(RecommendationDisplayName has_any("network", "internet", "traffic", "firewall", "intrusion", "bound", "tls", "gateway", "subnet", "web", "url", "proxy", "just", "port", "JIT", "http"), "Boundary Protection (BOUND)",
      iff(RecommendationDisplayName has_any("event", "agent", "incident", "back", "privacy", "audit", "collect"), "Manage Events (MNGEVT)",
      iff(RecommendationDisplayName has_any("edr", "malware", "endpoint protection", "detect", "respon"), "Endpoint Detection & Response (EDR)",
      iff(RecommendationDisplayName has_any("aks", "contain", "kube", "supply"), "Design & Build in Security (DBS)",
      iff(RecommendationDisplayName has_any("data", "storage", "sql", "cmk", "key"), "Data Protection Management (DPM)", "Other"))))))))))
  | where MaturityLevel in ('Hardware Asset Management (HWAM)', 'Software Asset Management (SWAM)', 'User Trust (TRUST)', 'Credentials & Authenticators (CRED)', 'Privileges (PRIV)', 'Boundary Protection (BOUND)', 'Manage Events (MNGEVT)', 'Endpoint Detection & Response (EDR)', 'Design & Build in Security (DBS)', 'Data Protection Management (DPM)')
  | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName
  | summarize
      Failed = countif(RecommendationState == "Unhealthy"),
      Passed = countif(RecommendationState == "Healthy"),
      NotApplicable = countif(RecommendationState == "NotApplicable" or RecommendationState == "Removed"),
      Applicable = countif(RecommendationState == "Unhealthy" or RecommendationState == "Healthy"),
      Total = countif(RecommendationState == "Unhealthy" or RecommendationState == "Healthy" or RecommendationState == "NotApplicable" or RecommendationState == "Removed")
      by MaturityLevel
  | extend PassedControls = (Passed / todouble(Applicable)) * 100
  | project MaturityLevel, Total, PassedControls, Passed, Failed, Applicable, NotApplicable
  | sort by Total, Passed desc
  | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
  | project CapabilityArea=MaturityLevel, Total, PassedControls, Passed, Failed, RemediationLink, LastObserved=now()
  | where CapabilityArea <> ''
  | where PassedControls < 70 
  //Adjust Either FailedRatePercentage or PassedRatePercentage Thresholds within organizational requirements
  | sort by PassedControls desc
  | extend URLCustomEntity = RemediationLink  
name: CDM_ContinuousDiagnostics&Mitigation_PostureChanged
entityMappings:
- fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
  entityType: URL
queryFrequency: 7d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContinuousDiagnostics&Mitigation/Analytic Rules/ContinuousDiagnostics&MitigationPostureChanged.yaml
requiredDataConnectors: []
description: |
    'This alert is designed to monitor Azure policies aligned with the Continuous Diagnostics & Mitigation (CDM) Program. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.'
kind: Scheduled
version: 1.0.0
status: Available
severity: Medium
relevantTechniques:
- T1082
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
id: fd950af9-d9db-4879-a60a-7267cc041beb