CDM_ContinuousDiagnosticsMitigation_PostureChanged
| Id | fd950af9-d9db-4879-a60a-7267cc041beb |
| Rulename | CDM_ContinuousDiagnostics&Mitigation_PostureChanged |
| Description | This alert is designed to monitor Azure policies aligned with the Continuous Diagnostics & Mitigation (CDM) Program. The alert triggers when policy compliance falls below 70% within a 1 week timeframe. |
| Severity | Medium |
| Tactics | Discovery |
| Techniques | T1082 |
| Kind | Scheduled |
| Query frequency | 7d |
| Query period | 7d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContinuousDiagnostics&Mitigation/Analytic Rules/ContinuousDiagnostics&MitigationPostureChanged.yaml |
| Version | 1.0.0 |
| Arm template | fd950af9-d9db-4879-a60a-7267cc041beb.json |
SecurityRecommendation
| where RecommendationDisplayName <> ""
| extend MaturityLevel=iff(RecommendationDisplayName has_any("log", "defender", "asset", "arc"), "Hardware Asset Management (HWAM)",
iff(RecommendationDisplayName has_any("allow", "software", "application"), "Software Asset Management (SWAM)",
iff(RecommendationDisplayName has_any("account", "user", "identity", "trust"), "User Trust (TRUST)",
iff(RecommendationDisplayName has_any("access", "auth", "key", "cert", "token"), "Credentials & Authenticators (CRED)",
iff(RecommendationDisplayName has_any("priv", "admin", "root"), "Privileges (PRIV)",
iff(RecommendationDisplayName has_any("network", "internet", "traffic", "firewall", "intrusion", "bound", "tls", "gateway", "subnet", "web", "url", "proxy", "just", "port", "JIT", "http"), "Boundary Protection (BOUND)",
iff(RecommendationDisplayName has_any("event", "agent", "incident", "back", "privacy", "audit", "collect"), "Manage Events (MNGEVT)",
iff(RecommendationDisplayName has_any("edr", "malware", "endpoint protection", "detect", "respon"), "Endpoint Detection & Response (EDR)",
iff(RecommendationDisplayName has_any("aks", "contain", "kube", "supply"), "Design & Build in Security (DBS)",
iff(RecommendationDisplayName has_any("data", "storage", "sql", "cmk", "key"), "Data Protection Management (DPM)", "Other"))))))))))
| where MaturityLevel in ('Hardware Asset Management (HWAM)', 'Software Asset Management (SWAM)', 'User Trust (TRUST)', 'Credentials & Authenticators (CRED)', 'Privileges (PRIV)', 'Boundary Protection (BOUND)', 'Manage Events (MNGEVT)', 'Endpoint Detection & Response (EDR)', 'Design & Build in Security (DBS)', 'Data Protection Management (DPM)')
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName
| summarize
Failed = countif(RecommendationState == "Unhealthy"),
Passed = countif(RecommendationState == "Healthy"),
NotApplicable = countif(RecommendationState == "NotApplicable" or RecommendationState == "Removed"),
Applicable = countif(RecommendationState == "Unhealthy" or RecommendationState == "Healthy"),
Total = countif(RecommendationState == "Unhealthy" or RecommendationState == "Healthy" or RecommendationState == "NotApplicable" or RecommendationState == "Removed")
by MaturityLevel
| extend PassedControls = (Passed / todouble(Applicable)) * 100
| project MaturityLevel, Total, PassedControls, Passed, Failed, Applicable, NotApplicable
| sort by Total, Passed desc
| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
| project CapabilityArea=MaturityLevel, Total, PassedControls, Passed, Failed, RemediationLink, LastObserved=now()
| where CapabilityArea <> ''
| where PassedControls < 70
//Adjust Either FailedRatePercentage or PassedRatePercentage Thresholds within organizational requirements
| sort by PassedControls desc
| extend URLCustomEntity = RemediationLink
relevantTechniques:
- T1082
name: CDM_ContinuousDiagnostics&Mitigation_PostureChanged
requiredDataConnectors: []
entityMappings:
- fieldMappings:
- identifier: Url
columnName: URLCustomEntity
entityType: URL
triggerThreshold: 0
id: fd950af9-d9db-4879-a60a-7267cc041beb
tactics:
- Discovery
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContinuousDiagnostics&Mitigation/Analytic Rules/ContinuousDiagnostics&MitigationPostureChanged.yaml
queryPeriod: 7d
kind: Scheduled
queryFrequency: 7d
severity: Medium
status: Available
description: |
'This alert is designed to monitor Azure policies aligned with the Continuous Diagnostics & Mitigation (CDM) Program. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.'
query: |
SecurityRecommendation
| where RecommendationDisplayName <> ""
| extend MaturityLevel=iff(RecommendationDisplayName has_any("log", "defender", "asset", "arc"), "Hardware Asset Management (HWAM)",
iff(RecommendationDisplayName has_any("allow", "software", "application"), "Software Asset Management (SWAM)",
iff(RecommendationDisplayName has_any("account", "user", "identity", "trust"), "User Trust (TRUST)",
iff(RecommendationDisplayName has_any("access", "auth", "key", "cert", "token"), "Credentials & Authenticators (CRED)",
iff(RecommendationDisplayName has_any("priv", "admin", "root"), "Privileges (PRIV)",
iff(RecommendationDisplayName has_any("network", "internet", "traffic", "firewall", "intrusion", "bound", "tls", "gateway", "subnet", "web", "url", "proxy", "just", "port", "JIT", "http"), "Boundary Protection (BOUND)",
iff(RecommendationDisplayName has_any("event", "agent", "incident", "back", "privacy", "audit", "collect"), "Manage Events (MNGEVT)",
iff(RecommendationDisplayName has_any("edr", "malware", "endpoint protection", "detect", "respon"), "Endpoint Detection & Response (EDR)",
iff(RecommendationDisplayName has_any("aks", "contain", "kube", "supply"), "Design & Build in Security (DBS)",
iff(RecommendationDisplayName has_any("data", "storage", "sql", "cmk", "key"), "Data Protection Management (DPM)", "Other"))))))))))
| where MaturityLevel in ('Hardware Asset Management (HWAM)', 'Software Asset Management (SWAM)', 'User Trust (TRUST)', 'Credentials & Authenticators (CRED)', 'Privileges (PRIV)', 'Boundary Protection (BOUND)', 'Manage Events (MNGEVT)', 'Endpoint Detection & Response (EDR)', 'Design & Build in Security (DBS)', 'Data Protection Management (DPM)')
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName
| summarize
Failed = countif(RecommendationState == "Unhealthy"),
Passed = countif(RecommendationState == "Healthy"),
NotApplicable = countif(RecommendationState == "NotApplicable" or RecommendationState == "Removed"),
Applicable = countif(RecommendationState == "Unhealthy" or RecommendationState == "Healthy"),
Total = countif(RecommendationState == "Unhealthy" or RecommendationState == "Healthy" or RecommendationState == "NotApplicable" or RecommendationState == "Removed")
by MaturityLevel
| extend PassedControls = (Passed / todouble(Applicable)) * 100
| project MaturityLevel, Total, PassedControls, Passed, Failed, Applicable, NotApplicable
| sort by Total, Passed desc
| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')
| project CapabilityArea=MaturityLevel, Total, PassedControls, Passed, Failed, RemediationLink, LastObserved=now()
| where CapabilityArea <> ''
| where PassedControls < 70
//Adjust Either FailedRatePercentage or PassedRatePercentage Thresholds within organizational requirements
| sort by PassedControls desc
| extend URLCustomEntity = RemediationLink
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd950af9-d9db-4879-a60a-7267cc041beb')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd950af9-d9db-4879-a60a-7267cc041beb')]",
"properties": {
"alertRuleTemplateName": "fd950af9-d9db-4879-a60a-7267cc041beb",
"customDetails": null,
"description": "'This alert is designed to monitor Azure policies aligned with the Continuous Diagnostics & Mitigation (CDM) Program. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.'\n",
"displayName": "CDM_ContinuousDiagnostics&Mitigation_PostureChanged",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URLCustomEntity",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContinuousDiagnostics&Mitigation/Analytic Rules/ContinuousDiagnostics&MitigationPostureChanged.yaml",
"query": "SecurityRecommendation\n| where RecommendationDisplayName <> \"\"\n| extend MaturityLevel=iff(RecommendationDisplayName has_any(\"log\", \"defender\", \"asset\", \"arc\"), \"Hardware Asset Management (HWAM)\",\n iff(RecommendationDisplayName has_any(\"allow\", \"software\", \"application\"), \"Software Asset Management (SWAM)\",\n iff(RecommendationDisplayName has_any(\"account\", \"user\", \"identity\", \"trust\"), \"User Trust (TRUST)\",\n iff(RecommendationDisplayName has_any(\"access\", \"auth\", \"key\", \"cert\", \"token\"), \"Credentials & Authenticators (CRED)\",\n iff(RecommendationDisplayName has_any(\"priv\", \"admin\", \"root\"), \"Privileges (PRIV)\",\n iff(RecommendationDisplayName has_any(\"network\", \"internet\", \"traffic\", \"firewall\", \"intrusion\", \"bound\", \"tls\", \"gateway\", \"subnet\", \"web\", \"url\", \"proxy\", \"just\", \"port\", \"JIT\", \"http\"), \"Boundary Protection (BOUND)\",\n iff(RecommendationDisplayName has_any(\"event\", \"agent\", \"incident\", \"back\", \"privacy\", \"audit\", \"collect\"), \"Manage Events (MNGEVT)\",\n iff(RecommendationDisplayName has_any(\"edr\", \"malware\", \"endpoint protection\", \"detect\", \"respon\"), \"Endpoint Detection & Response (EDR)\",\n iff(RecommendationDisplayName has_any(\"aks\", \"contain\", \"kube\", \"supply\"), \"Design & Build in Security (DBS)\",\n iff(RecommendationDisplayName has_any(\"data\", \"storage\", \"sql\", \"cmk\", \"key\"), \"Data Protection Management (DPM)\", \"Other\"))))))))))\n| where MaturityLevel in ('Hardware Asset Management (HWAM)', 'Software Asset Management (SWAM)', 'User Trust (TRUST)', 'Credentials & Authenticators (CRED)', 'Privileges (PRIV)', 'Boundary Protection (BOUND)', 'Manage Events (MNGEVT)', 'Endpoint Detection & Response (EDR)', 'Design & Build in Security (DBS)', 'Data Protection Management (DPM)')\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\n| summarize\n Failed = countif(RecommendationState == \"Unhealthy\"),\n Passed = countif(RecommendationState == \"Healthy\"),\n NotApplicable = countif(RecommendationState == \"NotApplicable\" or RecommendationState == \"Removed\"),\n Applicable = countif(RecommendationState == \"Unhealthy\" or RecommendationState == \"Healthy\"),\n Total = countif(RecommendationState == \"Unhealthy\" or RecommendationState == \"Healthy\" or RecommendationState == \"NotApplicable\" or RecommendationState == \"Removed\")\n by MaturityLevel\n| extend PassedControls = (Passed / todouble(Applicable)) * 100\n| project MaturityLevel, Total, PassedControls, Passed, Failed, Applicable, NotApplicable\n| sort by Total, Passed desc\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n| project CapabilityArea=MaturityLevel, Total, PassedControls, Passed, Failed, RemediationLink, LastObserved=now()\n| where CapabilityArea <> ''\n| where PassedControls < 70 \n//Adjust Either FailedRatePercentage or PassedRatePercentage Thresholds within organizational requirements\n| sort by PassedControls desc\n| extend URLCustomEntity = RemediationLink\n",
"queryFrequency": "P7D",
"queryPeriod": "P7D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1082"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}