diff --git a/Solutions/TEST PB DODZERO/DoDZeroTrustWorkbook.json b/Solutions/TEST PB DODZERO/DoDZeroTrustWorkbook.json
new file mode 100644
index 00000000000..98374075a4f
--- /dev/null
+++ b/Solutions/TEST PB DODZERO/DoDZeroTrustWorkbook.json
@@ -0,0 +1,22483 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "e91c8eb5-55a1-4871-92af-3dd869f2380a", + "version": "KqlParameterItem/1.0", + "name": "Help", + "label": "πŸ”Ž Getting Started", + "type": 10, + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true}\r\n]" + }, + { + "id": "ec6cc4e7-c3b9-4161-94f4-2bd66866801c", + "version": "KqlParameterItem/1.0", + "name": "DoDZT", + "label": "πŸ”Ž Show DoD Zero Trust ", + "type": 10, + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Off\", \"label\": \"Off\", \"selected\":true},\r\n {\"value\": \"Capabilities\", \"label\": \"Capabilities\"},\r\n {\"value\": \"Activities\", \"label\": \"Activities\"}\r\n]" + }, + { + "id": "18302244-0cfb-46d8-92e2-554fa9974c38", + "version": "KqlParameterItem/1.0", + "name": "Workspace", + "type": 5, + "description": "Select at least one workspace that contains continuous export data based on the selected subscriptions", + "isRequired": true, + "query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| order by name asc\r\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\r\n| mvexpand All limit 100\r\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)", + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "CAPTime", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "9943b4a1-371e-4e50-8cbe-749a6dd87d76", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + 
"isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "value": { + "durationMs": 7776000000 + } + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "parameters - 22 - Copy" + }, + { + "type": 1, + "content": { + "json": "  Please take time to answer a quick survey,\r\n[ click here. ](https://forms.office.com/r/HpkqrXhQzq)" + }, + "name": "text - 14" + }, + { + "type": 1, + "content": { + "json": "## Getting Started\r\n### The Microsoft Sentinel: DoD Zero Trust Strategy Workbook Solution leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics. This workbook provides an intuitive, customizable, framework intended to help track/report Zero Trust implementation in accordance with the latest DoD CIO Zero Trust Strategy (November 2022). In addition, curated resources, specfiic to Microsoft Zero Trust product/capabilitty alignment and implementation, are also provided. Please note that any references and example visualizations contained in this workbook are intended to ONLY serve as general guidance for meeting and/or exceeding the Target capabilities/activities by 2027. This solutions is meant to be a starting point and customizations are expected (and encouraged) to better suit the respective environment(s). 
###\r\n### [Recommended Microsoft Sentinel Roles](https://docs.microsoft.com/azure/sentinel/roles)\r\n| Roles | Rights/Permissions | \r\n|:--|:--|\r\n|Security Reader | View Workbooks, Analytics, Hunting, Security Recommendations |\r\n|Security Contributor| Deploy/Modify Workbooks, Analytics, Hunting Queries, Apply Security Recommendations |\r\n|Automation Contributor| Deploy/Modify Playbooks & Automation Rules |\r\n|Owner| Assign Regulatory Compliance Initiatives|\r\n\r\n### Onboarding Prerequisites \r\n1️⃣ [Design Log Management Architecture](https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment)
\r\n2️⃣ [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\r\n3️⃣ [Connect & Ingest Data Sources](https://docs.microsoft.com/azure/sentinel/connect-data-sources)
\r\n4️⃣ [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\r\n5️⃣ [Configure 12 Months Hot Path Storage with Data Retention](https://docs.microsoft.com/azure/azure-monitor/logs/data-retention-archive)
\r\n6️⃣ [Configure 18 Months Cold Path Storage with Azure Data Explorer](https://docs.microsoft.com/azure/sentinel/store-logs-in-azure-data-explorer) & [Configure Basic Logs](https://docs.microsoft.com/azure/azure-monitor/logs/basic-logs-configure)
\r\n\r\n### Print/Export Report\r\n1️⃣ Set Background Theme: Settings > Appearance > Theme: Azure > Apply
\r\n2️⃣ Print/Export Report: More Content Actions (...) > Print Content
\r\n3️⃣ Settings: Layout (Landscape), Pages (All), Print (One Sided), Scale (60), Pages Per Sheet (1), Quality (1,200 DPI), Margins (None) > Print
\r\n\r\n### Disclaimer\r\n_This Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All requirements, validations, and controls are governed by respective organizations. This solution provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements._", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "Help" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [DoD Zero Trust Strategy Workbook](https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTExecutionRoadmap.pdf)\n---\n\n\"The journey to Zero Trust requires all DoD Components to adopt and integrate Zero Trust capabilities, technologies, solutions, and processes across their architectures, systems, and within their budget and execution plans. Perhaps most importantly, they must also address Zero Trust requirements within their staffing, training, and professional development processes as well.\" For more information, see the [DoD CIO Zero Trust Strategy](https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf).

\nThis workbook solution provides an intuitive, customizable, framework intended to help track/report Zero Trust implementation in accordance with the latest DoD Zero Trust Strategy (November 2022). It fully aligns with the DoD Zero Trust Strategy and also enables the following:
\n- Maturity Situational Awareness of the DoD Zero Trust Framework\n- Provides Configuration Guides, Examples, Resources, and Steps for Deployment \n- Enables actions and reporting on DoD Zero Trust Framework Pillars, Capabilities, and Activities \n\n" + }, + "name": "Workbook Overview" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "nav", + "links": [ + { + "id": "1bad541e-219a-4277-9510-876b0e8cad51", + "cellValue": "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/bg-p/MicrosoftSentinelBlog", + "linkTarget": "Url", + "linkLabel": "Sentinel Tech Community Blog", + "postText": "", + "style": "link" + }, + { + "id": "b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722", + "cellValue": "https://youtu.be/P3uzdmLhwj0", + "linkTarget": "Url", + "linkLabel": "Video Overview", + "postText": "", + "style": "link" + }, + { + "id": "7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31", + "cellValue": "https://github.com/Azure/Azure-Sentinel", + "linkTarget": "Url", + "linkLabel": "Sentinel GitHub Repo", + "postText": "", + "style": "link" + }, + { + "id": "2b573101-8841-45a7-ac7a-7139c7d321a5", + "cellValue": "https://www.microsoft.com/security/blog/2022/11/22/microsoft-supports-the-dods-zero-trust-strategy/", + "linkTarget": "Url", + "linkLabel": "Microsoft supports the DoD’s Zero Trust strategy", + "style": "link" + }, + { + "id": "facb5636-f90e-4a6f-a654-da9b1c77a65d", + "cellValue": "https://dodcio.defense.gov/Portals/0/Documents/Library/ZTCapabilityExecutionRoadmap.pdf", + "linkTarget": "Url", + "linkLabel": "DoD CIO Capability Execution Roadmap", + "style": "link" + } + ] + }, + "name": "links - 29" + } + ] + }, + "name": "group - 2" + } + ] + }, + "name": "TilePage" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "toolbar", + "links": [ + { + "id": "3161a702-0622-4e13-a446-7ea0348f3cc2", + "cellValue": "pillar", + "linkTarget": "parameter", + "linkLabel": "Zero Trust Essentials", + "subTarget": "ess", + "style": "link", + 
"icon": "ResourceFlat" + }, + { + "id": "b39ca7b9-0b5d-4f82-90a5-ef5c694b50e3", + "cellValue": "pillar", + "linkTarget": "parameter", + "linkLabel": "User", + "subTarget": "p1", + "style": "link", + "icon": "Person" + }, + { + "id": "411a469b-cbac-4a49-b229-9faeeeeed3ba", + "cellValue": "pillar", + "linkTarget": "parameter", + "linkLabel": "Device", + "subTarget": "p2", + "style": "link", + "icon": "Feedback" + }, + { + "id": "1ff02fa4-66ad-4ae4-b611-afb441b32951", + "cellValue": "pillar", + "linkTarget": "parameter", + "linkLabel": "Application & Workload", + "subTarget": "p3", + "style": "link", + "icon": "Globe" + }, + { + "id": "eaeab803-85b1-4755-a70b-9c0d35e066cc", + "cellValue": "pillar", + "linkTarget": "parameter", + "linkLabel": "Data", + "subTarget": "p4", + "style": "link", + "icon": "Backlog" + }, + { + "id": "74ad5f79-b4a6-4cc9-a31e-771cb4acaf22", + "cellValue": "pillar", + "linkTarget": "parameter", + "linkLabel": "Network & Environment", + "subTarget": "p5", + "style": "link", + "icon": "Connect" + }, + { + "id": "3d8a9d9b-f7db-4db9-a37a-4343b5c2e63b", + "cellValue": "pillar", + "linkTarget": "parameter", + "linkLabel": "Automation & Orchestration", + "subTarget": "p6", + "style": "link", + "icon": "Pending" + }, + { + "id": "1e53250a-c522-4722-9949-5e0ffac99886", + "cellValue": "pillar", + "linkTarget": "parameter", + "linkLabel": "Visibility & Analytics", + "subTarget": "p7", + "style": "link", + "icon": "Diagnostics" + } + ] + }, + "name": "ZTPillars" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n\\t\\t{ \\\"Select All (User 1.x)\\\": \\\"1.1 User Inventory\\\", \\\"tab\\\": \\\"U11\\\" },\\r\\n\\t\\t{ \\\"Select All (User 1.x)\\\": \\\"1.2 Conditional User Access\\\", \\\"tab\\\": \\\"U12\\\" },\\r\\n\\t\\t{ \\\"Select All (User 1.x)\\\": \\\"1.3 Multi-Factor 
Authentication (MFA)\\\", \\\"tab\\\": \\\"U13\\\" },\\r\\n\\t\\t{ \\\"Select All (User 1.x)\\\": \\\"1.4 Privileged Access Management\\\", \\\"tab\\\": \\\"U14\\\" },\\r\\n\\t\\t{ \\\"Select All (User 1.x)\\\": \\\"1.5 Identity Federation & User Credentialing\\\", \\\"tab\\\": \\\"U15\\\" },\\r\\n\\t\\t{ \\\"Select All (User 1.x)\\\": \\\"1.6 Behavorial, Contextual ID, and Biometrics\\\", \\\"tab\\\": \\\"U16\\\" },\\r\\n\\t\\t{ \\\"Select All (User 1.x)\\\": \\\"1.7 Least Privileged Access\\\", \\\"tab\\\": \\\"U17\\\" },\\r\\n\\t\\t{ \\\"Select All (User 1.x)\\\": \\\"1.8 Continuous Authentication\\\", \\\"tab\\\": \\\"U18\\\" },\\r\\n\\t\\t{ \\\"Select All (User 1.x)\\\": \\\"1.9 Integrated ICAM Platform\\\", \\\"tab\\\": \\\"U19\\\" }\\r\\n\\t\\t]\",\"transformers\":null}", + "size": 3, + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "tab", + "parameterName": "Tab", + "parameterType": 1 + } + ], + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "Select All (User 1.x)", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + } + }, + { + "columnMatch": "tab", + "formatter": 5 + }, + { + "columnMatch": "Zero Trust", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + } + } + ] + }, + "sortBy": [] + }, + "customWidth": "90", + "name": "UserZT", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "8f836776-6a60-46a6-8d25-be73bf045494", + "version": "KqlParameterItem/1.0", + "name": "isU11Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "U11", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + 
"timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "3758b348-e74f-437f-abd4-4e6e66b1be7e", + "version": "KqlParameterItem/1.0", + "name": "isU12Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "U12", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "isU13Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "U13", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "aa7ebd19-042f-46e5-a510-cf22deda0491" + }, + { + "version": "KqlParameterItem/1.0", + "name": "isU14Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "U14", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "03b0ef89-0638-4acc-a4db-2428fea9a844" + }, + { + "version": "KqlParameterItem/1.0", + "name": "isU15Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "U15", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + 
"operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "ebe7944a-82bc-46c1-b377-0415f108cf95" + }, + { + "version": "KqlParameterItem/1.0", + "name": "isU16Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "U16", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "8d3fb929-85ee-442c-8a95-cffe2c7a82fe" + }, + { + "version": "KqlParameterItem/1.0", + "name": "isU17Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "U17", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "56cca2ba-e3d5-43d7-900e-fd0443293fa1" + }, + { + "version": "KqlParameterItem/1.0", + "name": "isU18Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "U18", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "9f5dd66d-394f-4e26-b823-0427909e7be5" + }, + { + "version": "KqlParameterItem/1.0", + "name": "isU19Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + 
"rightValType": "static", + "rightVal": "U19", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "8ce15df1-6369-4337-8e0d-90e5ca528940" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "5", + "name": "parameters - 8" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p1" + }, + "customWidth": "50", + "name": "P1-1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR1.1", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 1.1\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| Regular and Privileged users are identified and integrated into an inventory supporting regular modifications. Applications, software and services that have local users are all part of the inventory and highlighted. 
| System owners have control (visibility and administrative rights) of all authorized and authenticated users on the network | Users not on the authorized user list will be denied access by policy | \r\n" + }, + "name": "UserCR11" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu11", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu11", + "label": "Implementation Date", + "type": 1, + "timeContext": { + "durationMs": 86400000 + }, + "value": "DueDate=2027" + }, + { + "id": "9a20b8f8-cec0-43fa-8ad2-a9c07e8bb8e7", + "version": "KqlParameterItem/1.0", + "name": "Notesu11", + "label": "Notes", + "type": 1, + "value": "Enter Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "User11Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Entra ID |\r\n| Microsoft Sentinel UEBA |\r\n| Microsoft Defender for Cloud (MDfC) |\r\n\r\n" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isU11Visible", + "comparison": "isEqualTo", + 
"value": "true" + }, + "name": "UserCR11Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR1.2", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 1.2\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|\r\n| Through maturity levels Conditional Access works to create a dynamic level of access for users in the environment. This starts with traditional role-based access controls across a federate ICAM,expands to be application focused roles and ultimately utilizes enterprise attributes to provide dynamic access rules. | Eventually, organizations control user, device, and non-user entity DAAS access through dynamically changing user risk profiles and fine-grained access control to include the use of user risk assessments. | Users not known to the system and users who present an unacceptable degree of risk will be denied access with greater accuracy. 
\r\n" + }, + "name": "UserCR12" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "f28c401d-2da4-4960-8232-f659d30252d2", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu12", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "a4b5ef42-9775-433e-ac25-55cc0eabd5c0", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu12", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesu12", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "f06061bf-e951-4cc0-b335-c8eea6f55495", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "User12Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Entra ID Conditional Access (CA) |\r\n| Microsoft Defender for Cloud (MDfC) |\r\n| Microsoft Sentinel |\r\n| Microsoft 365 Defender |\r\n| Microsoft Intune |\r\n\r\n\r\n" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isU12Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "UserCR12Group" + }, + { + "type": 12, + "content": { + "version": 
"NotebookGroup/1.0", + "groupType": "editable", + "title": "CR1.3", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 1.3\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| This capability initially focuses on developing an organization focused MFA provider and Identity Provider to enable the centralization of users. Retirement of local and/or built-in accounts and groups is a critical piece to this capability. At the later maturity levels alternative and flexible MFA tokens can be used to provide access for standard and external users. | DoD organizations require users and non-user entities to authenticate using at least two of the following three attributes: knowledge (user ID/password), possession (CAC/token), or something you are (inherence, e.g., iris/fingerprints), in order to access DAAS. | Users not presenting multiple forms of authentication will be denied access to DAAS system and resources. 
|\r\n" + }, + "name": "UserCR13" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "6d883c79-17bf-432a-8d50-cf2280380232", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu13", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "196b9437-34c4-4c58-9b54-81650c8e9cfa", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu13", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesu13", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "15d3be75-9b31-44c4-8108-42122f1c1883", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "User13Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Entra ID |\r\n| Entra ID Certificate Based Authentication (CBA) |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isU13Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "UserCR13Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR1.4", + "expandable": true, + "expanded": true, + 
"loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 1.4\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| The capability focuses on removal of permanent administrator/elevated privileges by first creating a Privileged Account Management (PAM) system and migrating privileged users to it. The capability is then expanded upon by using automation with privilege escalation approvals and feeding analytics into the system for anomaly detection. | DoD organizations control, monitor, secure, and audit privileged identities (e.g., through password vaulting, JIT/JEA with PAWS) across their IT environments. | Critical assets and applications secured, controlled, monitored and managed through limits on admin access. |\r\n" + }, + "name": "User14CR" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu14", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu14", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesu14", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 
+ }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "User14Status" + }, + { + "type": 1, + "content": { + "json": "|Recommended Microsoft Solution(s) |\r\n|--------------------------------|\r\n| Entra ID |\r\n| Entra ID Privileged Identity Management (PIM) |\r\n" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isU14Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "UserCR14Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR1.5", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 1.5\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| The initial scope of this capability focuses on standardizing the Identity Lifecycle Management (ILM) processes and integrating with the standard organizational IDP/IDM solution. Once completed the capability shifts to establishing an Enterprise ILM process/solution either through a single solution or identity federation. | DoD organizations manually issue, manage, and revoke credentials bound to DoD person, device, and NPE identities. Identity information is developed and shared across entitles and trust domains providing β€œsingle sign-on” convenience and efficiencies to identified (authenticated and authorized) users and devices. | Visibility and accuracy of user authentication information is increased, to include DoD users and users managed by other agencies. Users lacking sufficient credentials are denied access according to established policies. 
|\r\n" + }, + "name": "User15CR" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu15", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu15", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesu15", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "User15Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Entra ID Certificate-Based Authorization (CBA) |\r\n| Entra ID Guest Access |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isU15Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "UserCR15Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR1.6", + "expandable": true, + 
"expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 1.6\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| Utilizing the Enterprise IDP, user and entity behavioral analytics (UEBA) are enabled with basic user attributes. Once completed this is expanded into Organizational specific attributes using organizational IDPs as available. Finally UEBA are integrated with the PAM and JIT/JEA systems to better detect anomalous and malicious activities. | DoD organizations utilize behavioral,contextual, and biometric telemetry to enhance risk-based authentication and access controls. | Behavioral, contextual, and biometric telemetry enhances MFA. |" + }, + "name": "UserCR16" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu16", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu16", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesu16", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", 
+ "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "User16Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft Sentinel UEBA | \r\n| Entra ID Identity Protection |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isU16Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "UserCR16Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR1.7", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 1.7\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations govern access to DAAS using the absolute minimum access required to perform outine, legitimate tasks or activities. DoD Application Owners identify the necessary roles and attributes for standard and privileged user access. Privileged access for all DoD organization DAAS is audited and removed when unneeded. | DoD organizations govern access to DAAS using the absolute minimum access required to perform routine, legitimate tasks or activities. | Users on the network only have access to the DAAS for which they are authorized and authenticated over a specific timeframe. 
|" + }, + "name": "UserCR17" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu17", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu17", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesu17", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "User17Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Entra ID Permissions | \r\n| Azure Policy| \r\n| Entra ID Privileged Identity Management (PIM)|" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isU17Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "UserCR17Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR1.8", + "expandable": 
true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 1.8\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| The DoD organizations and overall enterprise will methodically move towards continuous attribute based authentication. Initially the capability focuses on standardizing legacy single authentication to a organizationally approved IDP with users and groups. The second stages adds in based rule based (time) authentication and ultimately matures to Continuous Authentication based on the application/software activities and privileges requested. | DoD organizations continuously authenticate and authorize users' access to DAAS within and across sessions using MFA. | Users not continuously presenting multiple forms of authentication will be denied access to DAAS system and resources. |\r\n\r\n\r\n" + }, + "name": "UserCR18" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu18", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu18", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": 
"KqlParameterItem/1.0", + "name": "Notesu18", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "User18Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Entra ID Continuous Access Evaluation (CAE) |\r\n| Entra ID Privileged Identity Management (PIM) | \r\n| Entra ID Identity Protection |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isU18Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "UserCR18Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR1.9", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 1.9\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations and overall enterprise employ enterprise-level identity management and public key infrastructure (PKI) systems to track user, administrator and NPE identities across the network and ensure access is limited to only those who have the need and the right to know. Organizations can verify they need and have the right to access via credential management systems, identity governance and administration tools, and an access management tool. PKI systems can be federated but must either trust a central root certificate authority (CA) and/or cross-sign standardized organizational CA’s. 
| DoD organizations employ enterprise-level identity management systems to track user and NPE identities across the network and ensure access is limited to only those who have the need and the right to know; organizations can verify they need and have the right to access via credential management systems, identity governance and administration tools, and an access management tool. | Identities of users and NPE are centrally managed to ensure authorized and authenticated access to DAAS resources across platforms. |\r\n\r\n\r\n" + }, + "name": "UserCR19" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu19", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu19", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesu19", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "User19Status" + } + ], + "exportParameters": true + }, + 
"conditionalVisibility": { + "parameterName": "isU19Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "UserCR19Group" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Entra Entitlement Management |\r\n| Entra ID Certificate Based Authentication (CBA) | " + }, + "conditionalVisibility": { + "parameterName": "isU19Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "text - 9" + } + ], + "exportParameters": true + }, + "name": "UserCRGroup" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p1" + }, + "customWidth": "50", + "name": "P1-2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "1.1 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 1.1 User Inventory\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\n\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Microsoft Portals Government \r\nπŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\n\r\n\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [Microsoft Identity Platform Entra (formerly AAD)](https://learn.microsoft.com/azure/active-directory/develop/v2-overview)
\r\nπŸ’‘ [Microsoft Hybrid Identity with Entra/AAD/AD](https://learn.microsoft.com/azure/active-directory/hybrid/)
\r\nπŸ’‘ [Using the Inventory in Secure Score - Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/asset-inventory)
\r\nπŸ’‘ [Identity Decision Guide](https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/identity/)
\r\nπŸ’‘ [Microsoft Cloud Identity for Enterprise Architects](https://www.microsoft.com/download/details.aspx?id=54431)
\r\nπŸ’‘ [Identity Security Monitoring](https://github.com/Cloud-Architekt/AzureAD-Attack-Defense/blob/main/IdentitySecurityMonitoring.md#identity-security-monitoring-in-a-hybrid-environment)
\r\nπŸ’‘ [Collect Azure Active Directory (Azure AD) Logs](https://learn.microsoft.com/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics#send-logs-to-azure-monitor)
\r\nπŸ’‘ [Enable User Entity Behavorial Analytics](https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics#how-to-enable-user-and-entity-behavior-analytics)
\r\nπŸ’‘ [Deploy Microsoft Defender for Identity](https://learn.microsoft.com/defender-for-identity/deploy-defender-identity)
\r\nπŸ’‘ [Secure with Azure Active Directory](https://learn.microsoft.com/azure/active-directory/fundamentals/secure-with-azure-ad-introduction)
\r\nπŸ’‘ [AAD Hybrid Identity](https://learn.microsoft.com/azure/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-overview?WT.mc_id=DT-MVP-5001664)
\r\nπŸ’‘ [Azure AD Reports](https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports?WT.mc_id=DT-MVP-5001664)
\r\nπŸ’‘ [B2B Collaboration](https://learn.microsoft.com/azure/active-directory/external-identities/what-is-b2b?WT.mc_id=DT-MVP-5001664)
\r\n\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 9" + } + ] + }, + "name": "1.1ActResources" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n| summarize Count=count() by OperationName, LoggedByService\r\n| sort by Count asc \r\n| render piechart ", + "size": 0, + "showAnalytics": true, + "title": "Audit by Operation", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "showPin": true, + "name": "Audit by Op" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IdentityInfo | union BehaviorAnalytics\r\n| where isnotempty(UserType)\r\n| summarize count() by UserType\r\n| render piechart ", + "size": 0, + "showAnalytics": true, + "title": "User Entity Behavior Analytics - IdentityInfo", + "noDataMessage": "UEBA is not enabled", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "UserType" + ] + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "InvestigationPriority", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "33", + "showPin": true, + "name": "User Entity Behavior Analytics - IdentityInfo" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IdentityDirectoryEvents | summarize count() by ActionType | render piechart ", + "size": 0, + "showAnalytics": true, + "title": "Microsoft 
Defender for Identity - IdentityLogonEvents", + "noDataMessage": "MDI is not enabled or being sent to the workspace", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "showPin": true, + "name": "Microsoft Defender for Identity - IdentityLogonEvents" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureActivity\r\n| where Caller contains \"@\"\r\n| summarize count() by Caller | render piechart ", + "size": 0, + "showAnalytics": true, + "title": "Azure Activity Count by Caller", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "showPin": true, + "name": "Azure Activity Count by Caller" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where TimeGenerated > ago(30d)\r\n| project TimeGenerated, UserType, ResultType, AppDisplayName, UserPrincipalName\r\n| where ResultType == 0\r\n| summarize\r\n ['Total Member Signins']=countif(UserType == \"Member\"),\r\n ['Distinct Member Signins']=dcountif(UserPrincipalName, UserType == \"Member\"),\r\n ['Total Guest Signins']=countif(UserType == \"Guest\"),\r\n ['Distinct Guest Signins']=dcountif(UserPrincipalName, UserType == \"Guest\")\r\n by AppDisplayName\r\n| sort by AppDisplayName asc ", + "size": 0, + "showAnalytics": true, + "title": "Successful Signins by Members vs Guests by App", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "customWidth": "66", + "showPin": true, + "name": "Successful Signins by Members vs Guests by App" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "80e332f7-8176-461f-b27a-0a52242fe6c9", + 
"version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 7776000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + } + }, + { + "id": "5a93ede8-361d-4cc6-93f8-967dfc355143", + "version": "KqlParameterItem/1.0", + "name": "Activity", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "SecurityEvent\r\n| summarize Count = count() by Activity\r\n| order by Count desc, Activity asc\r\n| project Value = Activity, Label = strcat(Activity, ' - ', Count)", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All" + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let data = SecurityEvent\r\n| where \"{Activity:lable}\" == \"All\" or Activity in ({Activity});\r\ndata\r\n| summarize Count = count() by Activity\r\n| join kind = fullouter (datatable(Activity:string)['Medium', 'high', 'low']) on Activity\r\n| project Activity = iff(Activity == '', Activity1, Activity), Count = iff(Activity == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from 
{TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Activity)\r\n on Activity\r\n| project-away Activity1, TimeGenerated\r\n| extend Activitys = Activity\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend Activity = 'All', Activitys = '*' \r\n)\r\n| order by Count desc\r\n| take 10", + "size": 4, + "title": "User Inventory- Filtered by Top 10 Activities", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "Activity", + "exportParameterName": "ActivityPiker", + "exportDefaultValue": "All", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "showIcon": true + } + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto", + "showIcon": true + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "lightBlue", + "showIcon": true + } + }, + "showBorder": false + } + }, + "name": "query - 2" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isU11Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "1.1Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "1.2 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + 
"groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 1.2 Conditional User Access\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
\r\nπŸ”€ [Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies)
\r\nπŸ”€ [Conditional Access Policy Templates](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/CaTemplates.ReactView)
\r\nπŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Microsoft Portals Government \r\nπŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
\r\nπŸ”€ [Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies)
\r\nπŸ”€ [Conditional Access Policy Templates](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/CaTemplates.ReactView)
\r\nπŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [What is Conditional Access](https://learn.microsoft.com/azure/active-directory/conditional-access/overview)
\r\nπŸ’‘ [Conditional Access Learning Path](https://learn.microsoft.com/training/modules/plan-implement-administer-conditional-access/)
\r\nπŸ’‘ [Conditional Access Licensing- Need at least AADP1](https://www.microsoft.com/security/business/identity-access/azure-active-directory-pricing?rtc=1)
\r\nπŸ’‘ [Conditional Access Design Principles](https://learn.microsoft.com/azure/architecture/guide/security/conditional-access-design)
\r\nπŸ’‘ [Templates -Secure Foundation & Work Toward ZT](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common)
\r\nπŸ’‘ [Conditional Access Trends and Changes](https://github.com/Cyberlorians/Workbooks/blob/main/ConditionalAccessTrendsandChanges.json)
\r\nπŸ’‘ [Implement Authentication Strengths](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/authentication-strength-choose-the-right-auth-method-for-your/ba-p/2365674)
\r\nπŸ’‘ [Intune Conditional Access](https://learn.microsoft.com/mem/intune/protect/conditional-access)
\r\nπŸ’‘ [Using Locations in Conditional Access Policies](https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition)
\r\n\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 9" + } + ] + }, + "name": "1.2ActResources" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| project CAResult\r\n| summarize count() by CAResult", + "size": 2, + "showAnalytics": true, + "title": "Conditional Access 'SignIn' Summaries", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "gridSettings": { + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "CAResult", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "none" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": false, + "sortOrderField": 1, + "size": "full" + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "CAResult", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "25", + "showPin": true, + "name": "Conditional Access 'SignIn' Summaries" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| where CAResult <> \"success\"\r\n| summarize count() by AppDisplayName, CAResult\r\n", + "size": 0, + "showAnalytics": true, + "title": "Non-Success ConditionalAccess by App ", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + }, + { + "columnMatch": "AppDisplayName", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "10%" + } + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "AppDisplayName" + ] + }, + "labelSettings": [ + { + "columnId": "CAResult", + "label": "Result" + }, + { + "columnId": "count_", + "label": "Count" + } + ] + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "InvestigationPriority", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "showPin": true, + "name": "Non-Success ConditionalAccess by App " + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| where RiskLevelDuringSignIn <> \"none\"\r\n| summarize count() by RiskLevelDuringSignIn\r\n| render piechart \r\n", + "size": 2, + "showAnalytics": true, + "title": "ConditionalAccessPolicies SignIn Risk", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "25", + "showPin": true, + "name": "ConditionalAccessPolicies SignIn Risk" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| project UserDisplayName, ConditionalAccessStatus, Status, ResultType, location = tostring(LocationDetails.countryOrRegion)\r\n| where ConditionalAccessStatus == \"notApplied\"\r\n| where Status.additionalDetails != \"MFA requirement satisfied by claim in the token\" and Status.additionalDetails != \"MFA requirement skipped due to remembered device\" 
// Sign-in was not strong auth\r\n| where ResultType == 0\r\n| project UserDisplayName, ConditionalAccessStatus, location\r\n//| summarize count() by location, UserDisplayName\r\n//| summarize Count = count() by location\r\n//| order by Count desc", + "size": 0, + "title": "No Coverage by Location", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true, + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "ConditionalAccessStatus" + ] + } + } + }, + "customWidth": "50", + "name": "query - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| summarize count() by Location\r\n", + "size": 3, + "title": "Location - Total", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "map", + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "sizeSettings": "Location", + "sizeAggregation": "Sum", + "minSize": 10, + "maxSize": 30, + "defaultSize": 12, + "labelSettings": "Location", + "legendMetric": "count_", + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Sum", + "type": "heatmap", + "heatmapPalette": "greenDarkDark" + }, + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": false + } + } + } + }, + "customWidth": "50", + "name": "query - 10", + "styleSettings": { + "margin": "40", + "padding": "0" + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isU12Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "1.2Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": 
"editable", + "title": "1.3 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 1.3 Multi-Factor Authentication\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
\r\nπŸ”€ [Entra ID - AuthN Methods Activity](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthMethodsActivity/menuId/AuthMethodsActivity)
\r\nπŸ”€ [Entra ID - AuthN Methods Policies](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods)
\r\nπŸ”€ [Entra ID - AuthN Strengths](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthStrengths)
\r\nπŸ”€ [Defender for Cloud Recommendations](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_Security/SecurityMenuBlade/~/5)\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Microsoft Portals Government \r\nπŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
\r\nπŸ”€ [Entra ID - AuthN Methods Activity](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthMethodsActivity/menuId/AuthMethodsActivity)
\r\nπŸ”€ [Entra ID - AuthN Methods Policies](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods)
\r\nπŸ”€ [Entra ID - AuthN Strengths](https://portal.azure.com/?feature.msaljs=true#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthStrengths)
\r\nπŸ”€ [Defender for Cloud Recommendations](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_Security/SecurityMenuBlade/~/5)\r\n\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [How MFA Works](https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
\r\nπŸ’‘ [Setup Multifactor Authenication for Users M365](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy)
\r\nπŸ’‘ [Configure the MFA Azure Active Directrory Registration Policies](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy)
\r\nπŸ’‘ [Deploy Passwordless Solution](https://learn.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-deployment)
\r\nπŸ’‘ [Configure Azure AD CBA](https://learn.microsoft.com/azure/active-directory/authentication/how-to-certificate-based-authentication)
\r\nπŸ’‘ [Conditional Access Policy - MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?WT.mc_id=DT-MVP-5001664)
\r\nπŸ’‘ [Plan AAD MFA](https://learn.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted?WT.mc_id=DT-MVP-5001664)
" + }, + "customWidth": "33", + "name": "text - 9" + } + ] + }, + "name": "1.3ActResources" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n//| where TimeGenerated > ago(30d)\r\n| where ResultType == 0\r\n| summarize Count=count() by AuthenticationRequirement\r\n| render piechart", + "size": 0, + "showAnalytics": true, + "title": "Single vs MultiFactor SignIns", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "showPin": true, + "name": "Single vs MultiFactor SignIns" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where AuthenticationRequirement == \"multiFactorAuthentication\"​\r\n| mv-expand todynamic(AuthenticationDetails)​\r\n| extend ['Authentication Method'] = tostring(AuthenticationDetails.authenticationMethod)\r\n| where ['Authentication Method'] !in (\"Password\",\"Previously satisfied\")​\r\n| summarize Count=count()by ['Authentication Method']​\r\n| where isnotempty(['Authentication Method'])\r\n| sort by Count desc\r\n| render piechart", + "size": 0, + "showAnalytics": true, + "title": "Multifactor Authentication In Use", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "UserType" + ] + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "InvestigationPriority", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + 
} + }, + "customWidth": "33", + "showPin": true, + "name": "Multifactor Authentication in use" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where ResultType == \"500121\"\r\n| mv-expand todynamic(AuthenticationDetails)\r\n| project AuthenticationDetails, ResultType, UserPrincipalName\r\n| extend ['MFA Failure Type'] = tostring(parse_json(AuthenticationDetails).authenticationStepResultDetail)\r\n| where ['MFA Failure Type'] startswith \"MFA denied\"\r\n//| summarize Count=count()by ['MFA Failure Type'], UserPrincipalName //uncomment to see upn\r\n| summarize Count=count()by ['MFA Failure Type']", + "size": 0, + "showAnalytics": true, + "title": "MFA Failure Type", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "MFA Failure Type", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "33", + "showPin": true, + "name": "MFA Failure Type" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Visualize password vs passwordless signins per day\r\n\r\n//Data connector required for this query - Azure Active Directory - Signin Logs\r\n\r\nSigninLogs\r\n| mv-expand todynamic(AuthenticationDetails)\r\n| project TimeGenerated, AuthenticationDetails\r\n| extend AuthMethod = tostring(AuthenticationDetails.authenticationMethod)\r\n| summarize\r\n Passwordless=countif(AuthMethod in (\"Windows Hello for Business\", \"Passwordless phone sign-in\", \"FIDO2 security key\", \"X.509 Certificate\")),\r\n Password=countif(AuthMethod == \"Password\")\r\n by bin(TimeGenerated, 1d)\r\n| render barchart with 
(title=\"Passwordless vs Password Authentication\", ytitle=\"Count\")", + "size": 0, + "showAnalytics": true, + "title": "Password vs Passwordless Auth", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "showPin": true, + "name": "Password vs Passwordless Auth" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where ResultType == 0\r\n| summarize\r\n ['Total Signin Count']=count(),\r\n ['Total MFA Count']=countif(AuthenticationRequirement == \"multiFactorAuthentication\"),\r\n ['Total non MFA Count']=countif(AuthenticationRequirement == \"singleFactorAuthentication\")\r\n by AppDisplayName\r\n| project\r\n AppDisplayName,\r\n ['Total Signin Count'],\r\n ['Total MFA Count'],\r\n ['Total non MFA Count'],\r\n MFAPercentage=(todouble(['Total MFA Count']) * 100 / todouble(['Total Signin Count']))\r\n| sort by ['Total Signin Count'] desc, MFAPercentage asc", + "size": 0, + "showAnalytics": true, + "title": "Total MFA Count by App", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "AppDisplayName", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "200px" + } + }, + { + "columnMatch": "MFAPercentage", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal" + } + } + } + ], + "filter": true, + "sortBy": [ + { + "itemKey": "$gen_number_MFAPercentage_4", + "sortOrder": 1 + } + ], + "labelSettings": [ + { + "columnId": "Total Signin Count", + "label": "Total SignIn" + }, + { + "columnId": "Total MFA Count", + "label": "Total MFA" + }, + { + "columnId": "Total non MFA Count", + "label": "Total Non-MFA" + }, + { + "columnId": "MFAPercentage", + "label": "MFA %" + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_number_MFAPercentage_4", + "sortOrder": 1 + } 
+ ] + }, + "customWidth": "50", + "showPin": true, + "name": "Total MFA Count by App" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isU13Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "1.3Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "1.4 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 1.4 Privileged Access Management\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID DiagnosticSettings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
\r\nπŸ”€ [Entra ID - PIM](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_PIMCommon/CommonMenuBlade/~/quickStart)
\r\nπŸ”€ [Entra ID PIM - Audit History](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_PIMCommon/MyAuditsMenuBlade/~/aadmigratedroles)
\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Microsoft Portals Government \r\nπŸ”€ [Entra ID DiagnosticSettings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
\r\nπŸ”€ [Entra ID - PIM](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_PIMCommon/CommonMenuBlade/~/quickStart)
\r\nπŸ”€ [Entra ID PIM - Audit History](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_PIMCommon/MyAuditsMenuBlade/~/aadmigratedroles)
\r\n\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [Plan a Privileged Identity Management Deployment](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan)
\r\nπŸ’‘ [privileged Identity Management - Why use it with Defender for O365?](https://learn.microsoft.com/microsoft-365/security/office-365-security/use-privileged-identity-management-in-defender-for-office-365?view=o365-worldwide)
\r\nπŸ’‘ [Implementing PIM - Micrsoft Entra](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started)
\r\nπŸ’‘ [Secure Roadmap - PIM](https://learn.microsoft.com/azure/active-directory/roles/security-planning#use-azure-ad-privileged-identity-management)
\r\nπŸ’‘ [PIM for Groups](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/concept-pim-for-groups)
\r\nπŸ’‘ [PIM Compliancy with Sentinel](https://learnsentinel.blog/2021/07/26/enforce-pim-compliance-with-azure-sentinel-and-playbooks/)
\r\nπŸ’‘ [Configure Approve or Deny Request for AD Roles in PIM](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-approval-workflow)
\r\nπŸ’‘ [Azure Security Benchmark Defender for Identity](https://learn.microsoft.com/security/benchmark/azure/baselines/defender-for-identity-security-baseline)
\r\n" + }, + "customWidth": "33", + "name": "text - 9" + } + ] + }, + "name": "1.4ActResources" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Create a pivot table showing all the actions taken by your privileged users\r\n\r\n//Data connector required for this query - Azure Active Directory - Audit Logs\r\n//Data connector required for this query - Microsoft Sentinel UEBA\r\n\r\n//Lookup the IdentityInfo table for any users holding a privileged role\r\nlet privusers=\r\n IdentityInfo\r\n //| where TimeGenerated > ago(21d)\r\n | summarize arg_max(TimeGenerated, *) by AccountUPN\r\n | where isnotempty(AssignedRoles)\r\n | where AssignedRoles != \"[]\"\r\n | distinct AccountUPN;\r\n//Search for all actions taken by those users in the last 7 days\r\nAuditLogs\r\n//| where TimeGenerated > ago(7d)\r\n| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n| where Actor in (privusers)\r\n//Create a pivot table counting each action for each user\r\n| evaluate pivot(OperationName, count(), Actor)\r\n| order by Actor asc ", + "size": 0, + "showAnalytics": true, + "title": "Privileged Users Actions", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "filter": true + } + }, + "customWidth": "100", + "showPin": true, + "name": "Privileged User Actions" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n| summarize count() by OperationName\r\n| where OperationName contains \"PIM\"", + "size": 2, + "showAnalytics": true, + "title": "PIM Operations", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + 
"visualization": "piechart" + }, + "customWidth": "40", + "showPin": true, + "name": "PIM Operations" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Data connector required for this query - Azure Active Directory - Audit Logs\r\n\r\nAuditLogs\r\n| where OperationName in (\"Add member to role in PIM completed (permanent)\",\"Add member to role in PIM completed (timebound)\")\r\n//| where OperationName contains 'permanent'\r\n| where TargetResources[2].type == \"User\"\r\n| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n| extend User = tostring(TargetResources[2].userPrincipalName)\r\n| extend ['Azure AD Role Name'] = tostring(TargetResources[0].displayName)\r\n| project TimeGenerated, Actor, User, ['Azure AD Role Name']", + "size": 0, + "showAnalytics": true, + "title": "Permanently Assigned Role", + "noDataMessage": "If query returns no results this means your PIM users are set to eligible, which is best security practices.", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "$gen_group", + "formatter": 6 + }, + { + "columnMatch": "Group", + "formatter": 6 + }, + { + "columnMatch": "TimeGenerated", + "formatter": 5 + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "TimeGenerated" + ] + } + }, + "graphSettings": { + "type": 0 + } + }, + "customWidth": "50", + "showPin": true, + "name": "Permanently Assigned Role", + "styleSettings": { + "margin": "10px" + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isU14Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "1.4Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "1.5 Activities", + "expandable": 
true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## 1.5 Identity Federation & User Credentialing\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
\r\nπŸ”€ [Entra ID - AAD Connect](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_Connect_Provisioning/AADConnectMenuBlade/~/GetStarted)
\r\nπŸ”€ [Entra ID - Enterprise Apps](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null)
\r\nπŸ”€ [Entra ID - Identity Governance](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_ERM/DashboardBlade/~/GettingStarted)\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Microsoft Portals Government \r\nπŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
\r\nπŸ”€ [Entra ID - AAD Connect](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_Connect_Provisioning/AADConnectMenuBlade/~/GetStarted)
\r\nπŸ”€ [Entra ID - Enterprise Apps](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null)
\r\nπŸ”€ [Entra ID - Identity Governance](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_ERM/DashboardBlade/~/GettingStarted)\r\n\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [Azure Governement - Planning Identity for Azure Government Apps](https://learn.microsoft.com/azure/azure-government/documentation-government-plan-identity)
\r\nπŸ’‘ [Federated Identity Credentials](https://learn.microsoft.com/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0)
\r\nπŸ’‘ [What is Hybrid Identity](https://learn.microsoft.com/azure/active-directory/hybrid/whatis-hybrid-identity)
\r\nπŸ’‘ [Azure AD Certificate Based Authentication](https://learn.microsoft.com/azure/active-directory/authentication/concept-certificate-based-authentication)
\r\nπŸ’‘ [Azure AD SCIM](https://learn.microsoft.com/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups)
\r\nπŸ’‘ [Provisioning with Google Cloud](https://cloud.google.com/architecture/identity/federating-gcp-with-azure-ad-configuring-provisioning-and-single-sign-on)
\r\nπŸ’‘ [Provisioning with Amazon Cloud](https://learn.microsoft.com/azure/active-directory/saas-apps/aws-single-sign-on-provisioning-tutorial)
\r\nπŸ’‘ [Azure AD Application Roles](https://learn.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps)
\r\nπŸ’‘ [What is Identity Governace?](https://learn.microsoft.com/azure/active-directory/governance/identity-governance-overview)
\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 9" + } + ] + }, + "name": "1.5ActResources" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union *\r\n| where UserDisplayName == \"On-Premises Directory Synchronization Service Account\"\r\n| extend Succession = tostring(parse_json(AuthenticationDetails)[0].succeeded)\r\n| where Succession == 'true'\r\n| project CreatedDateTime, UserPrincipalName, Succession\r\n| summarize count() by UserPrincipalName, Succession\r\n| render columnchart ", + "size": 0, + "showAnalytics": true, + "title": "Hybrid Identity - Syncing", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "showPin": true, + "name": "Hybrid Identity - Syncing", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//verifying users are on prem synced by InitiatedBy an setting DirectorySync attribute.\r\nAuditLogs\r\n| extend OnPremSyncEnabled = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue)))\r\n| where OnPremSyncEnabled contains \"DirectorySync\"\r\n| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n//| project TimeGenerated, InitiatedBy, OnPremSync,\r\n| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\r\n| distinct InitiatedBy, UserPrincipalName, OnPremSyncEnabled\r\n", + "size": 0, + "showAnalytics": true, + "title": "Audit Directory Synced Users", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": 
"Group", + "formatter": 1 + } + ], + "sortBy": [ + { + "itemKey": "UserPrincipalName", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "UserPrincipalName", + "sortOrder": 1 + } + ], + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "InvestigationPriority", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "showPin": true, + "name": "Audit Directory Synced Users", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Detect when a new AAD App is added to an Azure AD application registration\r\nAuditLogs\r\n| where OperationName has \"application\"\r\n| extend ApplicationName = tostring(TargetResources[0].displayName)\r\n| extend ApplicationObjectId = tostring(TargetResources[0].id)\r\n| distinct ApplicationName, ApplicationObjectId, OperationName\r\n", + "size": 0, + "showAnalytics": true, + "title": "New Azure AD Application Registration", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "OperationName", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "210px" + } + } + ] + } + }, + "customWidth": "50", + "showPin": true, + "name": "New Azure AD Application Registration", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n| where OperationName == \"Add app role assignment grant to user\"\r\n| extend TargetApp = tostring(TargetResources[0].displayName)\r\n| extend TargetUser = 
tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue)))\r\n| distinct TargetApp, TargetUser, OperationName\r\n", + "size": 0, + "showAnalytics": true, + "title": "App Role Assignment Added To User", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "filter": true + } + }, + "customWidth": "50", + "showPin": true, + "name": "App Role Assignment Added To User", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Creates a list of your applications and summarizes successful signins by members vs guests separated to total and distinct signins\r\nSigninLogs\r\n| project TimeGenerated, UserType, ResultType, AppDisplayName, UserPrincipalName\r\n| where ResultType == 0\r\n| summarize\r\n ['Total Member Signins']=countif(UserType == \"Member\"),\r\n ['Distinct Member Signins']=dcountif(UserPrincipalName, UserType == \"Member\"),\r\n ['Total Guest Signins']=countif(UserType == \"Guest\"),\r\n ['Distinct Guest Signins']=dcountif(UserPrincipalName, UserType == \"Guest\")\r\n by AppDisplayName\r\n| sort by AppDisplayName asc", + "size": 2, + "showAnalytics": true, + "title": "List Applications and Summarizes", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "filter": true + } + }, + "showPin": true, + "name": "List Applications and Summarizes", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Detect when an Azure AD Entitlement Package is created. 
You may want to review to see what resources and roles have been included in the package.\r\nAuditLogs\r\n| where OperationName == \"Create access package\"\r\n| where TargetResources[0].type == \"AccessPackage\"\r\n| extend AccessPackageName = tostring(TargetResources[0].displayName)\r\n| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n| project OperationName, AccessPackageName, Actor", + "size": 0, + "showAnalytics": true, + "title": "Azure AD Entitlement Package Creation", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "showPin": true, + "name": "Azure AD Entitlement Package Creation", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n| where OperationName has \"User requests access package assignment\"\r\n| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n| extend AccessPackageID = tostring(TargetResources[2].id)\r\n| distinct OperationName, InitiatedBy, AccessPackageID", + "size": 0, + "showAnalytics": true, + "title": "Users Requesting Access via Entitlement Mgmt", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "showPin": true, + "name": "Users Requesting Access via Entitlement Mgmt", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isU15Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "1.5Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + 
"groupType": "editable", + "title": "1.6 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## 1.6 Behavorial, Contextual ID, and Biometrics\r\n\r\n## Microsoft Portals Department of Defense\r\n\r\nπŸ”€ [Azure Face APIs](https://portal.azure.us/#view/Microsoft_Azure_ProjectOxford/CognitiveServicesHub/~/Face)
\r\nπŸ”€ [Sentinel - UEBA](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Verified ID](https://portal.azure.us/#view/Microsoft_AAD_DecentralizedIdentity/InitialMenuBlade/~/setupBlade)
\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Microsoft Portals Government \r\nπŸ”€ [Azure Face APIs](https://portal.azure.us/#view/Microsoft_Azure_ProjectOxford/CognitiveServicesHub/~/Face)
\r\nπŸ”€ [Sentinel - UEBA](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Verified ID](https://portal.azure.us/#view/Microsoft_AAD_DecentralizedIdentity/InitialMenuBlade/~/setupBlade)
\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [User Entity Behavorial Analytics - What is it?](https://learn.microsoft.com/azure/sentinel/identify-threats-with-entity-behavior-analytics)
\r\nπŸ’‘ [Windows Hello Biometrics](https://learn.microsoft.com/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise)
\r\nπŸ’‘ [Identify Advanced Threats with UEBA](https://learn.microsoft.com/azure/sentinel/identify-threats-with-entity-behavior-analytics)
\r\nπŸ’‘ [UEBA Reference](https://learn.microsoft.com/azure/sentinel/ueba-reference?WT.mc_id=AZ-MVP-5004810#ueba-enrichments)
\r\nπŸ’‘ [UEBA Sentinel Content Hub](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/ueba-essentials-solution-now-available-in-content-hub/ba-p/3651074)
\r\nπŸ’‘ [Guided UEBA Investigation Scenarios](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/guided-ueba-investigation-scenarios-to-empower-your-soc/ba-p/1857100)
\r\nπŸ’‘ [Combatting Risky Sign-ins in Azure Active Directory](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/combatting-risky-sign-ins-in-azure-active-directory/ba-p/3724786)
\r\nπŸ’‘ [Securing Workload Identities](https://learn.microsoft.com/azure/active-directory/identity-protection/concept-workload-identity-risk)
\r\nπŸ’‘ [Reprise99 UEBA](https://github.com/reprise99/Sentinel-Queries/tree/main/UEBA)
\r\n" + }, + "customWidth": "33", + "name": "text - 9" + } + ] + }, + "name": "1.6ActResources" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "9dd762f8-8594-432f-b1dc-9561e0b799c6", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 7776000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + } + }, + { + "id": "b3974da2-c8c3-4023-a7c4-a904f2daa904", + "version": "KqlParameterItem/1.0", + "name": "Workload", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "OfficeActivity\r\n| summarize Count= count() by OfficeWorkload\r\n| extend label = strcat(OfficeWorkload, \" - \", Count)\r\n| project OfficeWorkload, label", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*" + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "b6db911d-6ecb-4a4f-812f-db1b1063813f", + "version": "KqlParameterItem/1.0", + "name": "UserType", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": 
"OfficeActivity\r\n| summarize Count= count() by UserType\r\n| extend label = strcat(UserType, \" - \", Count)\r\n| project UserType, label", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*" + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "above", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let data = OfficeActivity\r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where \"*\" in ({UserType}) or UserType in ({UserType});\r\nlet appData = data\r\n| summarize TotalCount = count() by UserId\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on bin(TimeGenerated, 1d) in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by UserId\r\n | project-away TimeGenerated) on UserId\r\n| order by TotalCount desc, UserId asc\r\n| project UserId, TotalCount, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by Operation , UserId\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on bin(TimeGenerated, 1d) in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by UserId, Operation\r\n | project-away TimeGenerated) on UserId, Operation\r\n| order by TotalCount desc, UserId asc\r\n| project UserId, Operation, TotalCount, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on UserId\r\n| project Id, Name = Operation, Type = 'Operation', ['Operation Count'] = TotalCount, Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = UserId, Type = 'UserId', ['Operation Count'] = TotalCount, Trend )\r\n| order by ['Operation Count'] desc, Name asc", + "size": 0, + "title": "User 
activities", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Id", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "Operation Count", + "formatter": 3, + "formatOptions": { + "palette": "lightBlue", + "showIcon": true + } + }, + { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "lightBlue", + "showIcon": true + } + }, + { + "columnMatch": "ParentId", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + } + ], + "filter": true, + "hierarchySettings": { + "idColumn": "Id", + "parentColumn": "ParentId", + "treeType": 0, + "expanderColumn": "Name" + } + } + }, + "name": "Activity by users" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Visualize the different risk types (e.g password spray, unlikely travel) per month\r\n//Data connector required for this query - Azure Active Directory - AAD User Risk Events\r\nAADUserRiskEvents\r\n//| where TimeGenerated > ago (180d)\r\n| where isnotempty(RiskEventType)\r\n| summarize Count=count()by RiskEventType, startofmonth(TimeGenerated)\r\n| render columnchart with (kind=unstacked, title=\"Risk event types per month\", xtitle=\"Month\")", + "size": 0, + "showAnalytics": true, + "title": "Visualize Different Risk Types", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "showPin": true, + "name": "Visualize Different Risk Types", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Calculate the percentage of signins to all your Azure AD apps considered risky. 
Those requiring single factor authentication, coming from an unknown location and from an unknown device\r\nSigninLogs\r\n| where TimeGenerated > ago (30d)\r\n| where ResultType == 0\r\n| extend DeviceTrustType = tostring(DeviceDetail.trustType)\r\n| summarize\r\n ['Total Signins']=count(),\r\n ['At Risk Signins']=countif(NetworkLocationDetails == '[]' and isempty(DeviceTrustType) and AuthenticationRequirement == \"singleFactorAuthentication\")\r\n by AppDisplayName\r\n| extend ['At Risk Percentage']=(todouble(['At Risk Signins']) * 100 / todouble(['Total Signins']))", + "size": 0, + "showAnalytics": true, + "title": "SignIns with AAD Apps Considered Risky", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "customWidth": "50", + "showPin": true, + "name": "SignIns with AAD Apps Considered Risky", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Active service principal risk detections \r\n// Gets a list of active service principal risk detections. 
\r\nAADServicePrincipalRiskEvents\r\n//| where TimeGenerated >= ago(365d)\r\n| summarize arg_max(LastUpdatedDateTime, *) by RequestId, ServicePrincipalId\r\n| where RiskState == \"atRisk\"", + "size": 0, + "showAnalytics": true, + "title": "Service Principals At Risk", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "showPin": true, + "name": "Service Principals At Risk", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "BehaviorAnalytics\r\n| where ActivityInsights.CountryUncommonlyConnectedFromInTenant == true\r\n| where InvestigationPriority > 0\r\n| project UserPrincipalName, SourceIPLocation, SourceIPAddress, ActionType", + "size": 0, + "showAnalytics": true, + "title": "Country Uncommonly Connected", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "showPin": true, + "name": "Country Uncommonly Connected", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": " BehaviorAnalytics\r\n | where ActivityInsights.UnusualNumberOfAADConditionalAccessFailures == \"True\"\r\n | extend UserPrincipalName = tolower(UserPrincipalName)\r\n | join kind=inner (\r\n union SigninLogs, AADNonInteractiveUserSignInLogs\r\n | where ConditionalAccessStatus == \"failure\"\r\n | mv-expand ConditionalAccessPolicies_dynamic\r\n | extend ConditionalAccessResult = parse_json(ConditionalAccessPolicies_dynamic.result)\r\n | extend ConditionalAccessName = parse_json(ConditionalAccessPolicies_dynamic.displayName)\r\n | extend ConditionalAccessId = 
parse_json(ConditionalAccessPolicies_dynamic.id)\r\n | extend ConditionalAccessEnforcedControl = parse_json(tostring(ConditionalAccessPolicies_dynamic.enforcedGrantControls))\r\n | extend SourceIPAddress = IPAddress\r\n | extend UserPrincipalName = tolower(UserPrincipalName)\r\n | where ConditionalAccessResult == \"failure\"\r\n | distinct CorrelationId, UserDisplayName, UserPrincipalName, SourceIPAddress, tostring(ConditionalAccessName), tostring(ConditionalAccessId), tostring(ConditionalAccessResult), tostring(ConditionalAccessEnforcedControl), ResultType, AADTenantId\r\n ) on UserPrincipalName, SourceIPAddress\r\n | summarize count() by ConditionalAccessName, ConditionalAccessId, ResultType, AADTenantId\r\n | join kind=inner (\r\n AuditLogs\r\n | where OperationName == \"Update conditional access policy\"\r\n | extend ConditionalAccessId = tostring(TargetResources[0].id)\r\n ) on ConditionalAccessId\r\n | extend Actor = parse_json(tostring(InitiatedBy.user)).userPrincipalName\r\n | project TimeGenerated, OperationName, Actor, ConditionalAccessName, CorrelationId, ResultType, count_\r\n | extend AccountCustomEntity = Actor", + "size": 2, + "showAnalytics": true, + "title": "Unusual AAD Conditional Access Failures After Policy Change", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "showPin": true, + "name": "Unusual AAD Conditional Access Failures After Policy Change", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let PrivRoles = dynamic([\"Global Administrator\", \"Security Administrator\", \"Teams Administrator\"]);\r\nlet identityinfo=\r\n IdentityInfo\r\n | summarize arg_max(TimeGenerated, *) by AccountUPN\r\n | where AssignedRoles has_any (PrivRoles)\r\n | extend TargetUserName = AccountName\r\n | extend 
UserPrincipalName = AccountUPN\r\n | project TargetUserName, UserPrincipalName, AssignedRoles;\r\nSecurityAlert\r\n//| where TimeGenerated >= ago(90d)\r\n| extend AlertTime = TimeGenerated\r\n| extend UserPrincipalName = CompromisedEntity\r\n| join kind=inner identityinfo on UserPrincipalName\r\n| project AlertTime, TargetUserName, UserPrincipalName, AlertName, AssignedRoles", + "size": 0, + "showAnalytics": true, + "title": "Alerts From Privileged Users", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "showPin": true, + "name": "Alerts From Privileged Users", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Detect when a group is added to Azure AD with the 'Azure AD roles can be assigned to this group' flag enabled\r\n\r\n//Data connector required for this query - Azure Active Directory - Audit Logs\r\n\r\nAuditLogs\r\n//| where TimeGenerated > ago(90d)\r\n| where OperationName == \"Add group\"\r\n| where parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName == \"IsAssignableToRole\"\r\n| where parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))[0] == true\r\n| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue))[0])\r\n| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n| extend ['Actor IP Address'] = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\r\n| project TimeGenerated, OperationName, GroupName, Actor, ['Actor IP Address']", + "size": 0, + "showAnalytics": true, + "title": "Detect New Privileged Group Added", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "showPin": true, + "name": "Detect New Privileged Group Added", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isU16Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "1.6Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "1.7 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## 1.7 Least Privelege Access\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID - Enterprise Apps](https://portal.azure.us/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null)
\r\nπŸ”€ [Entra ID - Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/CaTemplates.ReactView)
\r\nπŸ”€ [Entra ID - Identity Protection](https://portal.azure.us/#view/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/~/Overview)
\r\nπŸ”€ [Microsoft Defender for Cloud Apps](https://security.microsoft.us/cloudapps/)
\r\nπŸ”€ [Application Security Groupss](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FapplicationSecurityGroups)" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Microsoft Portals Government \r\nπŸ”€ [Entra ID - Enterprise Apps](https://portal.azure.us/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null)
\r\nπŸ”€ [Entra ID - Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/CaTemplates.ReactView)
\r\nπŸ”€ [Entra ID - Identity Protection](https://portal.azure.us/#view/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/~/Overview)
\r\nπŸ”€ [Microsoft Defender for Cloud Apps](https://security.microsoft.us/cloudapps/)
\r\nπŸ”€ [Application Security Groupss](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FapplicationSecurityGroups)" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [Implementing Least-privileged Administrative Models](https://learn.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models)
\r\nπŸ’‘ [enhance Application Security with Lease Privilege Access Controls](https://learn.microsoft.com/azure/active-directory/develop/secure-least-privileged-access)
\r\nπŸ’‘ [Identity Protection](https://techcommunity.microsoft.com/t5/itops-talk-blog/what-s-the-difference-between-azure-active-directory-identity/ba-p/1320887?WT.mc_id=itopstalk-newsletter-abartolo)
\r\nπŸ’‘ [Continuous Access Evaluation Monitoring](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-continuous-access-evaluation-troubleshoot#continuous-access-evaluation-sign-in-reporting)
\r\n" + }, + "customWidth": "33", + "name": "text - 9" + } + ] + }, + "name": "1.7ActResources" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n//| where TimeGenerated >= ago(24h)\r\n| extend SingleSignOnClaim = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue))[0])\r\n| extend ClaimValue = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue))[0].ClaimValue)\r\n| extend SSOAppName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[3].newValue))[0])\r\n| extend AppId = tostring(AdditionalDetails[0].value)\r\n| where OperationName == \"Add application\"\r\n| where Identity == \"AAD App Management\"\r\n| project AppId, SingleSignOnClaim, ClaimValue", + "size": 0, + "showAnalytics": true, + "title": "Single Sign-On App Created", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "showPin": true, + "name": "Single Sign-On App Created", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| where CAResult <> \"success\"\r\n| summarize count() by AppDisplayName, CAResult\r\n", + "size": 0, + "showAnalytics": true, + "title": "Non-Success ConditionalAccess by App ", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + }, + { + "columnMatch": 
"AppDisplayName", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "10%" + } + } + ], + "filter": true, + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "AppDisplayName" + ] + }, + "labelSettings": [ + { + "columnId": "CAResult", + "label": "Result" + }, + { + "columnId": "count_", + "label": "Count" + } + ] + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "InvestigationPriority", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "showPin": true, + "name": "Non-Success ConditionalAccess by App ", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n//| where TargetResources[0].userPrincipalName contains \"\"\r\n//| where Identity == \"Microsoft Invitation Acceptance Portal\"\r\n| where parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue))[0] == \"Accepted\"\r\n| extend User = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue))[0])\r\n| extend ConsentGrant = tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].displayName)\r\n| project User, ConsentGrant, Result", + "size": 0, + "showAnalytics": true, + "title": "Consent Grant Accepted", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "showPin": true, + "name": "Consent Grant Accepted", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Detect when a user flags a 
risky sign in within 8 hours of installing a service principal, could be a sign of OAuth consent phishing. This example uses 8 hours between events.\r\nlet threshold=8;\r\nCloudAppEvents\r\n| where ActionType == \"Add service principal.\"\r\n| where AccountType == \"Regular\"\r\n| extend UserId = tostring(RawEventData.UserId)\r\n| project\r\n ['Service Principal Install Time']=TimeGenerated,\r\n UserId,\r\n ['Service Principal Name']=ObjectName\r\n| join kind=inner (\r\n AADUserRiskEvents\r\n | where DetectionTimingType == \"realtime\"\r\n | where RiskDetail !in (\"aiConfirmedSigninSafe\", \"userPerformedSecuredPasswordReset\")\r\n | project\r\n ['Risk Event Time']=TimeGenerated,\r\n UserId=UserPrincipalName,\r\n ['Risk Event IP']=IpAddress\r\n )\r\n on UserId\r\n| extend ['Minutes Between Events']=datetime_diff(\"hour\", ['Service Principal Install Time'], ['Risk Event Time'])\r\n| where ['Minutes Between Events'] < threshold\r\n| project\r\n UserId,\r\n ['Risk Event Time'],\r\n ['Service Principal Install Time'],\r\n ['Minutes Between Events'],\r\n ['Risk Event IP'],\r\n ['Service Principal Name']", + "size": 0, + "showAnalytics": true, + "title": "Risky sign in within 8 hours of installing a service principal", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "50", + "showPin": true, + "name": "Risky sign in within 8 hours of installing a service principal", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityAlert\r\n| where AlertName contains 'unsanctioned'\r\n| extend CompromisedEntity = tostring(parse_json(CompromisedEntity))\r\n| distinct CompromisedEntity, AlertName, AlertSeverity, AlertLink", + "size": 0, + "showAnalytics": true, + "title": "Unscantioned Cloup Apps", + "timeContextFromParameter": "TimeRange", + 
"queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "showPin": true, + "name": "Unscantioned Cloup Apps", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CloudAppEvents\r\n//| extend Name_ = tostring(parse_json(tostring(RawEventData.ModifiedProperties))[0].Name)\r\n| where AccountType == \"Application\"\r\n| extend Target = tostring(parse_json(tostring(RawEventData.Target))[3].ID)\r\n| extend Actor = tostring(parse_json(tostring(RawEventData.Actor))[0].ID)\r\n| where isnotempty(Actor)\r\n| project AccountType, ActionType, ActivityType, Application, Actor, Target", + "size": 0, + "showAnalytics": true, + "title": "Cloud App Events by Application", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "showPin": true, + "name": "Cloud App Events by Application", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isU17Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "1.7Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "1.8 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## 1.8 Continuous Authentication\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID - Device 
Inventory](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Entra ID - Connect Sync (Hybrid Join)](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_Connect_Provisioning/AADConnectMenuBlade/~/ConnectSync)
\r\nπŸ”€ [Entra ID - Enterprise Apps](https://portal.azure.us/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null)
\r\nπŸ”€ [Entra ID - Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/CaTemplates.ReactView)
\r\nπŸ”€ [Entra ID - Identity Governance](https://portal.azure.us/#view/Microsoft_AAD_ERM/DashboardBlade/~/GettingStarted)
\r\nπŸ”€ [Entra ID - PIM Insights](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_PIMCommon/ResourceMenuBlade/~/aaddiscovery/resourceId//resourceType/tenant/provider/aadroles)" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Microsoft Portals Government \r\nπŸ”€ [Entra ID - Device Inventory](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Entra ID - Connect Sync (Hybrid Join)](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_Connect_Provisioning/AADConnectMenuBlade/~/ConnectSync)
\r\nπŸ”€ [Entra ID - Enterprise Apps](https://portal.azure.us/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null)
\r\nπŸ”€ [Entra ID - Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/CaTemplates.ReactView)
\r\nπŸ”€ [Entra ID - Identity Governance](https://portal.azure.us/#view/Microsoft_AAD_ERM/DashboardBlade/~/GettingStarted)
\r\nπŸ”€ [Entra ID - PIM Insights](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_PIMCommon/ResourceMenuBlade/~/aaddiscovery/resourceId//resourceType/tenant/provider/aadroles)
" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [Implement Continuous Access Evaluation Microsoft Entra](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation)
\r\nπŸ’‘ [Implementing Primary Refresh Token](https://learn.microsoft.com/azure/active-directory/devices/concept-primary-refresh-token)
\r\nπŸ’‘ [Privileged Identity Management Insights](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-security-wizard#discovery-and-insights-preview)
\r\nπŸ’‘ [Entra Permissions Managment](https://learn.microsoft.com/azure/active-directory/cloud-infrastructure-entitlement-management/permissions-management-trial-user-guide)
\r\nπŸ’‘ [Session Management with Conditional Access](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)
\r\n" + }, + "customWidth": "33", + "name": "text - 9" + } + ] + }, + "name": "1.8ActResources" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DeviceInfo\r\n| where isnotempty(DeviceName) and isnotempty(JoinType)\r\n| distinct DeviceName, JoinType\r\n| summarize count() by JoinType", + "size": 3, + "showAnalytics": true, + "title": "HAADJ/AADJ - Primary Refresh Token", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "25", + "showPin": true, + "name": "HAADJ/AADJ - Primary Refresh Token" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Create a summary of PIM activations\r\nAuditLogs\r\n//| where TimeGenerated > ago (330d)\r\n| where OperationName == \"Add member to role completed (PIM activation)\"\r\n| extend User = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n| extend Role = tostring(TargetResources[0].displayName)\r\n| where isnotempty(User)\r\n| project User, Role, TimeGenerated\r\n| sort by TimeGenerated desc", + "size": 0, + "showAnalytics": true, + "title": "Visualize Roles Activated by PIM", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + }, + { + "columnMatch": "User", + "formatter": 5 + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "User" + ] + } + } + }, + "customWidth": "50", + "showPin": true, + "name": "Visualize Roles Activated by PIM" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n//| where TimeGenerated >= ago(365d)\r\n| extend value_ = 
tostring(parse_json(AuthenticationProcessingDetails)[1].value)\r\n| where value_ == 'True' or value_ == 'False'\r\n| summarize count() by value_\r\n| render piechart ", + "size": 3, + "showAnalytics": true, + "title": "Continuous Access Evaluation Summary", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "25", + "showPin": true, + "name": "Continuous Access Evaluation Summary" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n| where OperationName contains 'create access package'\r\n| extend CreatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n| project CreatedBy, OperationName, Result", + "size": 0, + "showAnalytics": true, + "title": "Created Access Packages", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "showPin": true, + "name": "Created Access Packages", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n| where OperationName == 'User requests access package assignment'\r\n| extend CreatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n| project CreatedBy, OperationName, Result", + "size": 0, + "showAnalytics": true, + "title": "Access Package Requests", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "showPin": true, + "name": "Access Package Requests", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + 
"parameterName": "isU18Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "1.8Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "1.9 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## 1.9 Integrated ICAM Platform\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID - AuthN Methods](https://portal.azure.us/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods)
\r\nπŸ”€ [Entra ID - AuthN Strengths](https://portal.azure.us/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthStrengths)
\r\nπŸ”€ [Entra ID - AuthN Insights](https://portal.azure.us/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthMethodsActivity)
\r\nπŸ”€ [Entra ID - Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/CaTemplates.ReactView)" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Microsoft Portals Government \r\nπŸ”€ [Entra ID - AuthN Methods](https://portal.azure.us/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods)
\r\nπŸ”€ [Entra ID - AuthN Strengths](https://portal.azure.us/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthStrengths)
\r\nπŸ”€ [Entra ID - AuthN Insights](https://portal.azure.us/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthMethodsActivity)
\r\nπŸ”€ [Entra ID - Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/CaTemplates.ReactView)
" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [Microsoft Integrated Identity Platform Entra](https://learn.microsoft.com/azure/active-directory/develop/v2-overview)
\r\nπŸ’‘ [Implement Passwordless Auth with Microsoft Entra](https://learn.microsoft.com/azure/active-directory/fundamentals/auth-passwordless)
\r\nπŸ’‘ [Configure Passwordless Key with Microsoft Entra](https://learn.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
\r\nπŸ’‘ [Entra Certificate Based Authorization](https://learn.microsoft.com/azure/active-directory/authentication/concept-certificate-based-authentication)
\r\n" + }, + "customWidth": "33", + "name": "text - 9" + } + ] + }, + "name": "1.9ActResources" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Visualize password vs passwordless signins per week\r\nSigninLogs\r\n| project TimeGenerated, AuthenticationDetails\r\n//| where TimeGenerated > ago (180d)\r\n| mv-expand todynamic(AuthenticationDetails)\r\n| extend AuthMethod = tostring(parse_json(AuthenticationDetails).authenticationMethod)\r\n| where AuthMethod != \"Previously satisfied\"\r\n| summarize\r\n Password=countif(AuthMethod == \"Password\"),\r\n Passwordless=countif(AuthMethod in (\"FIDO2 security key\", \"Passwordless phone sign-in\", \"Windows Hello for Business\", \"Mobile app notification\", \"X.509 Certificate\"))\r\n by startofweek(TimeGenerated)\r\n| render timechart\r\n with (\r\n xtitle=\"Week\",\r\n ytitle=\"Signin Count\",\r\n title=\"Password vs Passwordless signins per week\")", + "size": 0, + "showAnalytics": true, + "title": "Password vs Passwordless SignIns Per Week", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "showPin": true, + "name": "Password vs Passwordless SignIns Per Week" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Passwordless Is Primary Auth\r\nSigninLogs\r\n| mv-expand todynamic(AuthenticationDetails)\r\n| extend AuthMethod = tostring(parse_json(AuthenticationDetails).authenticationMethod)\r\n| where AuthMethod != \"Previously satisfied\"\r\n| extend authreq = tostring(AuthenticationDetails.authenticationStepRequirement)\r\n//| where authreq contains \"primary\"\r\n| where AuthMethod contains 'x.509'\r\n or AuthMethod contains 'Windows Hello for Business'\r\n or AuthMethod contains 'FIDO2'\r\n or AuthMethod contains 'mobile app notification'\r\n or AuthMethod contains 
'passwordless phone sign-in'\r\n| project TimeGenerated, UserPrincipalName, AuthMethod, authreq\r\n| distinct UserPrincipalName, AuthMethod, authreq", + "size": 0, + "showAnalytics": true, + "title": "Passwordless Is Primary Auth", + "timeContext": { + "durationMs": 2592000000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + }, + { + "columnMatch": "UserPrincipalName", + "formatter": 5 + } + ], + "filter": true, + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "UserPrincipalName" + ] + } + } + }, + "customWidth": "50", + "showPin": true, + "name": "Passwordless Is Primary Auth", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n//| where TimeGenerated > ago (30d)\r\n| where UserType == 'Guest'\r\n| where AuthenticationRequirement == \"multiFactorAuthentication\"\r\n| extend ['MFA Method'] = tostring(parse_json(AuthenticationDetails)[1].authenticationMethod)\r\n//| summarize Count=count()by ['MFA Method']\r\n| where ['MFA Method'] != \"Previously satisfied\" and isnotempty(['MFA Method'])\r\n| distinct TimeGenerated, UserPrincipalName, ['MFA Method']", + "size": 0, + "showAnalytics": true, + "title": "Guest MFA Challenge Where Not Previously Satisifed", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "showPin": true, + "name": "Guest MFA Challenge Where Not Previously Satisifed", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| mv-expand todynamic(AuthenticationDetails)\r\n| extend AuthMethod = 
tostring(parse_json(AuthenticationDetails).authenticationMethod)\r\n| extend authreq = tostring(AuthenticationDetails.authenticationStepRequirement)\r\n| where AuthMethod contains 'x.509' \r\n| where TokenIssuerType == \"AzureAD\"\r\n| project TimeGenerated, UserPrincipalName, AuthMethod, TokenIssuerType, AppDisplayName, ConditionalAccessStatus\r\n| sort by TimeGenerated desc", + "size": 0, + "showAnalytics": true, + "title": "Azure AD - Certificate Based Auth ", + "noDataMessage": "You are not using AAD CBA", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "showPin": true, + "name": "Azure AD - Certificate Based Auth ", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isU19Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "1.9Activities", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p1" + }, + "name": "P1Activites" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n\\t\\t{ \\\"Select All (Device 2.x)\\\": \\\"2.1 Device Inventory\\\", \\\"tab\\\": \\\"D21\\\" },\\r\\n\\t\\t{ \\\"Select All (Device 2.x)\\\": \\\"2.2 Device Detection and Compliance\\\", \\\"tab\\\": \\\"D22\\\" },\\r\\n\\t\\t{ \\\"Select All (Device 2.x)\\\": \\\"2.3 Device Authorization with Real Time Inspection\\\", \\\"tab\\\": \\\"D23\\\" },\\r\\n\\t\\t{ \\\"Select All (Device 2.x)\\\": \\\"2.4 Remote Access\\\", \\\"tab\\\": \\\"D24\\\" },\\r\\n\\t\\t{ \\\"Select All (Device 2.x)\\\": \\\"2.5 Partially & Fully Automated Asset, Vulnerability & Patch 
Management\\\", \\\"tab\\\": \\\"D25\\\" },\\r\\n\\t\\t{ \\\"Select All (Device 2.x)\\\": \\\"2.6 Unified Endpoint Management & Mobile Device Management\\\", \\\"tab\\\": \\\"D26\\\" },\\r\\n\\t\\t{ \\\"Select All (Device 2.x)\\\": \\\"2.7 Endpoint & Extended Detection & Response (EDR & XDR)\\\", \\\"tab\\\": \\\"D27\\\" }\\r\\n\\t\\t]\",\"transformers\":null}", + "size": 3, + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "tab", + "parameterName": "Tab", + "parameterType": 1 + } + ], + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "Device", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + } + }, + { + "columnMatch": "tab", + "formatter": 5 + }, + { + "columnMatch": "Zero Trust", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "80ch" + } + } + ] + } + }, + "customWidth": "90", + "name": "DeviceZT", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "4406c0a9-247a-4fab-bb8b-4ecb21459063", + "version": "KqlParameterItem/1.0", + "name": "isD21Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "D21", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "921293a1-1a11-4909-b335-f17a49b24379", + "version": "KqlParameterItem/1.0", + "name": "isD22Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "D22", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": 
"Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "isD23Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "D23", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "0e4427fe-73e5-4507-b080-68f5a5afa332" + }, + { + "version": "KqlParameterItem/1.0", + "name": "isD24Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "D24", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "5083dd8f-531c-47bc-b9d6-11c5c213d62a" + }, + { + "version": "KqlParameterItem/1.0", + "name": "isD25Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "D25", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "e5cc857d-0ba9-48e9-be67-07713db6465c" + }, + { + "version": "KqlParameterItem/1.0", + "name": "isD26Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "D26", + 
"resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "368104ec-8112-474f-8aa9-30b00bfe1d73" + }, + { + "version": "KqlParameterItem/1.0", + "name": "isD27Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "D27", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "70ae2318-9121-43be-8264-9fd860116c7a" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "5", + "name": "parameters - 8 - Copy" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p2" + }, + "customWidth": "50", + "name": "P2-1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR2.1", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 2.1\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations establish and maintain an approved inventory list of all devices authorized to access the network and enroll all devices on the network prior to network connection. 
Device attributes will include technical details such as the PKI (802.1x) machine certificate, device object, patch/vulnerability status and others to enable successor activities. | DoD organizations establish and maintain a trusted inventory list of all devices authorized to access the network and enroll all devices on the network prior to network connection. | By default policy, devices will be denied network access; the only devices permitted access to the network shall be known, authorized,and listed in the device inventory. | \r\n" + }, + "name": "DevCR21" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusd21", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDated21", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesd21", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Dev21Status" + }, + { + "type": 1, + "content": { + 
"json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsft Entra ID |\r\n| Microsft Entra ID Conditional Access (CA) |\r\n| Microsoft Defender for Endpoint (MDE) | \r\n| Microsoft Defender for Cloud (MDfC) |\r\n| Microsoft Defender for Identity (MDI) |\r\n| Microsoft Intune |\r\n" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isD21Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "DevCR21Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR2.2", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 2.2\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|\r\n| DoD organizations employ asset management systems for user devices to maintain and report on IT and Cybersecurity compliance. Managed devices (enterprise and mobile) attempting to connect to a DoD network or access a DAAS resource is detected and has its compliance status confirmed (via C2C).| DoD organizations employ asset management systems for user devices to maintain and report on IT compliance. Any device (including mobile, IOT, managed, and unmanaged) attempting to connect to a DoD network or access a DAAS resource is detected and has its compliance status confirmed (via C2C). 
| Any device attempting to connect to the network will be detected; only those devices that are compliant (e.g., anti-virus is up to date, approved configuration) will receive access to requested DAAS |\r\n" + }, + "name": "DevCR21" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "f28c401d-2da4-4960-8232-f659d30252d2", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusd22", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "a4b5ef42-9775-433e-ac25-55cc0eabd5c0", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDated22", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesd22", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "f06061bf-e951-4cc0-b335-c8eea6f55495", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Dev21Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Entra ID Conditional Access (CA) |\r\n| Microsoft Defender for Endpoint (MDE) | \r\n| Microsoft Intune |\r\n" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isD22Visible", 
+ "comparison": "isEqualTo", + "value": "true" + }, + "name": "DevCR21Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR2.3", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 2.3\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD Organizations conduct foundational and extended device tooling (NextGen AV, AppControl, File Integrity Monitoring (FIM), etc.) integration to better understand the risk posture. Organizational PKI systems are integrated to expand the existing Enterprise PKI to devices as well. Lastly Entity Activity Monitoring is also integrated to identify anomalous activities. | DoD organizations establish processes (e.g., Enterprise PKI) and utilize tools to identify any device (including unmanaged devices, infrastructure devices, and endpoint devices) attempting to access the network, and make a determination if the device should be authorized to access the network. Maturation of this capability monitoring and detection of this activity on endpoints and IT infrastructure in real time. | Components can use policies to deny devices by default and explicitly allow access to DAAS resources only by devices that meet mandated configuration standards. Security threats identified are remediated faster through continuous activity inspection enables faster remediation of security threats. 
|\r\n" + }, + "name": "DevCR23" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "6d883c79-17bf-432a-8d50-cf2280380232", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusd23", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "196b9437-34c4-4c58-9b54-81650c8e9cfa", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDated23", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesd23", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "15d3be75-9b31-44c4-8108-42122f1c1883", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Dev23Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsft Entra ID | \r\n| Microsoft Intune | \r\n| Microsoft Defender for Endpoint (MDE) |\r\n| Microsoft Defender for Cloud (MDfC) |\r\n| Microsoft Sentinel |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isD23Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "DevCR23Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", 
+ "groupType": "editable", + "title": "CR2.4", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 2.4\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations audit existing device access processes and tooling to set a least privilege baseline. In phase 2 this access is expanded to cover basic BYOD and IOT support using the Enterprise IDP for approved applications. The final phases expand coverage to include all BYOD and IOT devices for services using the approved set of device attributes. | DoD organizations establish policies to allow authorized users and devices access to the network or a device from a geographical distance through a network connection. | Enables properly authorized and authenticated users and NPEs to access DAAS from remote locations. |\r\n" + }, + "name": "Dev24CR" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusd24", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDated24", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": 
"KqlParameterItem/1.0", + "name": "Notesd24", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Dev24Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsft Entra ID | \r\n| Microsft Entra ID Conditional Access (CA) |\r\n| Microsoft Intune |\r\n| Microsoft Defender for Endpoint (MDE) |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isD24Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "DevCR24Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR2.5", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 2.5\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations establish processes to automatically test and deploy vendor patches for connected devices; hybrid patch management (both human and automated) is employed. | DoD organizations establish processes to automatically test and deploy vendor patches for connected devices; hybrid patch management (both human and automated) is employed. | Risk is minimized by automatically deploying vendor patches to all network devices. 
|\r\n" + }, + "name": "DevCR25" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusd25", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDated25", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesd25", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Dev25Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft Intune |\r\n| Microsoft Endpoint Configuration Manager (MECM) |\r\n| Mircosoft Defender for Endpoint (MDE) Threat & Vulnerability Management (TVM) | \r\n| Azure Arc-enabled Servers |\r\n| Azure Automation |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isD25Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "DevCR25Group" + }, + { + 
"type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR2.6", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 2.6\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations establish a centralized UEM solution that provides the choices of agent and/or agentless management of computer and mobile devices to a single console regardless of device location. DoD-issued devices can be remotely managed and security policies are enforced. | DoD organizations establish a centralized UEM tool that provides the choices of agent and/or agentless management of computer and mobile devices to a single console. DoD-issued mobile devices are remotely managed and security policies are enforced. | DAAS resources are protected through agent and agentless management, IT is able to manage, secure, and deploy resources and applications on any device from a single console to provide redress of cybersecurity threats. Security vulnerabilities are mitigated, and policy enforcement measures are received through IT remote management of DoD-issued mobile devices. 
|\r\n\r\n" + }, + "name": "DevCR26" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusd26", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDated26", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesd26", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Dev26Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft Intune |\r\n| Azure Arc-enabled Servers | \r\n| Azure Autiomation |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isD26Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "DevCR26Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR2.7", + "expandable": true, + 
"expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 2.7\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations use endpoint detection and response (EDR) tooling to monitor, detect, and remediate malicious activity on endpoints. Expanding the capability to include XDR tooling allows organizations to account for activity beyond the endpoints such as cloud and network as well. | DoD organizations use EDR tools to monitor, detect, and remediate malicious activity on endpoints as a baseline. Upgrading to XDR tools allows organizations to account for activity beyond the endpoints. | Threats originating from networkconnected endpoints are initially reduced through active investigation and response. Maturation focuses on forensics and faster threat detection and remediation are enabled by correlating data across multiple security layers (e.g., email, cloud,endpoint). |" + }, + "name": "DevCR27" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusd27", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDated27", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + 
"timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesd27", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Dev27Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft 365 Defender | \r\n| Microsoft Defender for Endpoint (MDE) |\r\n| Microsoft Defednder for Identity (MDI) |\r\n| Microsoft Defender for Office 365 (MDO) |\r\n| Microsoft Defender for Cloud Apps (MDA) | \r\n| Microsoft Defender for Cloud (MDfC) |\r\n| Microsoft Sentinel | " + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isD27Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "DevCR27Group" + } + ], + "exportParameters": true + }, + "customWidth": "100", + "name": "DeviceCRGroup" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p2" + }, + "customWidth": "50", + "name": "p2-2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "2.1 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 2.1 Device Inventory\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/overview)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)" + }, + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/overview)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)\r\n" + }, + "customWidth": "33", + "name": "text - 9" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [M365 Defender Device inventory](https://learn.microsoft.com/graph/api/resources/intune-graph-overview?view=graph-rest-1.0%22%20%EF%BF%BDHYPERLINK%20%22https://learn.microsoft.com/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide)
\r\nπŸ’‘ [What is a device identity (Azure Active Directory)?](https://learn.microsoft.com/azure/active-directory/devices/overview)
\r\nπŸ’‘ [Manage device identities by using the Azure portal](https://learn.microsoft.com/azure/active-directory/devices/device-management-azure-portal)Β 
\r\nπŸ’‘ [Manage your devices and control features with Microsoft Intune](https://learn.microsoft.com/mem/intune/fundamentals/manage-devices)Β 
\r\nπŸ’‘ [Hybrid Azure AD joined devices](https://learn.microsoft.com/azure/active-directory/devices/concept-azure-ad-join-hybrid)Β 
\r\nπŸ’‘ [Conditional Access policy: Device Compliancy](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device)
\r\nπŸ’‘ [ZT Guide: Endpoint Zero Trust Deployment Objectives](https://learn.microsoft.com/security/zero-trust/deploy/endpoints#endpoint-zero-trust-deployment-objectives)
\r\nπŸ’‘ [Intune Reporting](https://learn.microsoft.com/mem/intune/fundamentals/review-logs-using-azure-monitor) ** not yet availble in DoD cloud
\r\nπŸ’‘ [Provide Additional Intune Reporting](https://www.linkedin.com/pulse/provide-additional-intune-reporting-data-wmi-iren%C3%A4us-becker/)
\r\nπŸ’‘ [Working with Intune in Microsoft Graph](https://learn.microsoft.com/graph/api/resources/intune-graph-overview?view=graph-rest-1.0)
\r\n" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n| where Category == 'Device'\r\n| extend AADOS = tostring(AdditionalDetails[1].value)\r\n| summarize count() by AADOS\r\n| render piechart", + "size": 3, + "showAnalytics": true, + "title": "AAD Device Count by OS Platform", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "25", + "showPin": true, + "name": "AAD Device Count by OS Platform" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n| where Category contains 'Device'\r\n//| extend AADOS = tostring(AdditionalDetails[1].value)\r\n//| project OSPlatform, OSversion, JoinType\r\n| extend DeviceName = tostring(TargetResources[0].displayName)\r\n| extend JoinType = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[11].newValue))[0])\r\n| extend deviceOS = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[9].newValue))[0])\r\n//| where isnotempty(displayName_)\r\n| where isnotempty(DeviceName)\r\n//| where isnotempty(deviceOS)\r\n| project TimeGenerated, DeviceName, OperationName\r\n| sort by TimeGenerated desc\r\n", + "size": 0, + "showAnalytics": true, + "title": "AAD Device List", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "45", + "showPin": true, + "name": "AAD Device List" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n| where Category contains 'Device'\r\n| extend value_ = tostring(AdditionalDetails[2].value)\r\n| where isnotempty(value_)\r\n| project value_\r\n| summarize count() by value_", + "size": 3, + 
"showAnalytics": true, + "title": "AAD Device Count by Join Type", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "25", + "showPin": true, + "name": "AAD Device Count by Join Type" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DeviceInfo\r\n|Β whereΒ isnotempty(DeviceName) and isnotempty(OSPlatform)\r\n|Β distinctΒ OSPlatform, DeviceName\r\n|Β summarizeΒ count()Β byΒ OSPlatform, DeviceName\r\n|Β sortΒ byΒ count_Β desc\r\n|Β renderΒ piechart", + "size": 3, + "showAnalytics": true, + "title": "365D Device Count by OS Platform", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "25", + "showPin": true, + "name": "365D Device Count by OS Platform" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DeviceInfo\r\n|Β whereΒ isnotempty(DeviceName)Β andΒ isnotempty(OSPlatform) and isnotempty(JoinType)\r\n|Β distinctΒ DeviceName,Β OSPlatform,Β JoinType,Β OSVersion\r\n|Β summarizeΒ byΒ DeviceName,Β OSPlatform,Β OSVersion,Β JoinType\r\n", + "size": 1, + "showAnalytics": true, + "title": "365D Device List", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + }, + { + "columnMatch": "DeviceName", + "formatter": 1 + }, + { + "columnMatch": "OSPlatform", + "formatter": 5 + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "OSPlatform" + ] + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "InvestigationPriority", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + 
"maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "45", + "showPin": true, + "name": "365D Device List" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DeviceInfo\r\n| where isnotempty(DeviceName) and isnotempty(JoinType)\r\n| distinct DeviceName, JoinType\r\n| summarize count() by JoinType", + "size": 3, + "showAnalytics": true, + "title": "365D Device Count by Join Type", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "JoinType", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "JoinType", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "", + "label": "Other", + "color": "magenta" + } + ] + } + }, + "customWidth": "25", + "showPin": true, + "name": "365D Device Count by Join Type" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IntuneDevices\r\n| where isnotempty(OS)\r\n| distinct OS\r\n| summarize count() by OS", + "size": 3, + "showAnalytics": true, + "title": "Intune Device Count by OS Platform", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "25", + "showPin": true, + "name": "Intune Device Count by OS Platform" + }, + { + "type": 3, + "content": { + "version": 
"KqlItem/1.0", + "query": "IntuneDevices\r\n| summarize by DeviceName, OSVersion", + "size": 0, + "showAnalytics": true, + "title": "Intune Device List", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "45", + "showPin": true, + "name": "Intune Device List" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IntuneDevices\r\n| where isnotempty(DeviceName) and isnotempty(JoinType)\r\n| distinct DeviceName, JoinType\r\n| summarize count() by JoinType", + "size": 3, + "showAnalytics": true, + "title": "Intune Device Count by Join Type", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "25", + "showPin": true, + "name": "Intune Device Count by Join Type" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isD21Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "2.1Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "2.2 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 2.2 Device Detection & Compliance\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)\r\n" + }, + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Device compliance policies in Microsoft Intune | Microsoft Learn](https://learn.microsoft.com/mem/intune/protect/device-compliance-get-started)
\r\nπŸ’‘ [Configure Microsoft Defender for Endpoint in Intune | Microsoft Learn](https://learn.microsoft.com/mem/intune/protect/advanced-threat-protection-configure)
\r\nπŸ’‘ [Configure Conditional Access in Microsoft Defender for Endpoint | Microsoft Learn](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-conditional-access?view=o365-worldwide)
\r\nπŸ’‘ [Scenarios for using Conditional Access with Microsoft Intune | Microsoft Learn](https://learn.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use?source=recommendations)\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IntuneDevices\r\n| where isnotempty(CompliantState)\r\n| distinct CompliantState\r\n| summarize count() by CompliantState", + "size": 3, + "showAnalytics": true, + "title": "Intune Compliance State", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "25", + "showPin": true, + "name": "Intune Compliance State", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IntuneDevices\r\n| where isnotempty(CompliantState)\r\n//| distinct CompliantState\r\n| distinct TimeGenerated, DeviceName, CompliantState, Ownership", + "size": 0, + "showAnalytics": true, + "title": "Intune Compliance State Details", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + } + ] + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "InvestigationPriority", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "40", + "showPin": true, + "name": "Intune Compliance State Details", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true 
+ } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IntuneDevices\r\n| where isnotempty(DeviceName) and isnotempty(JoinType)\r\n//| distinct DeviceName, JoinType, CompliantState\r\n| summarize count() by JoinType, CompliantState", + "size": 0, + "showAnalytics": true, + "title": "Intune Compliance State By Join Type", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "35", + "showPin": true, + "name": "Intune Compliance State By Join Type", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isD22Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "2.2Activites", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "2.3 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 2.3 Device Automation with Real Time Inspection\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)\r\n" + }, + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\n\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Resources\r\n\r\nπŸ’‘ [Configure Microsoft Defender for Endpoint in Intune](https://learn.microsoft.com/mem/intune/protect/advanced-threat-protection-configure)
\r\nπŸ’‘ [Device discovery overview](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide)
\r\nπŸ’‘ [Learn about Conditional Access and Intune](https://learn.microsoft.com/mem/intune/protect/conditional-access)
\r\nπŸ’‘ [Device compliance policies in Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/device-compliance-get-started)
\r\nπŸ’‘ [Configure compliance policies with actions for noncompliance in Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/actions-for-noncompliance)
\r\nπŸ’‘ [Require compliant, hybrid joined devices, or MFA - Microsoft Entra](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device)
\r\nπŸ’‘ [Conditional Access insights and reporting workbook - Microsoft Entra](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting)
\r\nπŸ’‘ [Plan an Azure Active Directory Conditional Access deployment - Microsoft Entra](https://learn.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access)
\r\nπŸ’‘ [Azure Samples for Conditional Access (PowerShell) - GitHub](https://github.com/Azure-Samples/azure-ad-conditional-access-apis/tree/main/01-configure/powershell)
\r\n
\r\n#### Additional References:
\r\nπŸ’‘ [Track changes to system files and registry keys](https://learn.microsoft.com/azure/defender-for-cloud/file-integrity-monitoring-overview)
\r\nπŸ’‘ [Connect Microsoft Defender for Cloud alerts to Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud)
\r\nπŸ’‘ [Deploying and Managing Microsoft Defender for Cloud as Code](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/deploying-and-managing-microsoft-defender-for-cloud-as-code/ba-p/3649653)
\r\nπŸ’‘ [Collect data in custom log formats to Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/connect-custom-logs?tabs=DCG)
\r\nπŸ’‘ [Azure Monitor Agent overview - Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/agents/agents-overview)
\r\nπŸ’‘ [Use entity behavior analytics to detect advanced threats](https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DeviceInfo\r\n| summarize arg_max(Timestamp, *) by DeviceId \r\n| where OnboardingStatus == \"Can be onboarded\"\r\n| where isempty(MergedToDeviceId)\r\n| project ['Time last seen']=Timestamp, DeviceName, DeviceId, OSDistribution, OSVersion, DeviceCategory, IsAzureADJoined, JoinType", + "size": 0, + "showAnalytics": true, + "title": "Devices That Can Be Onboarded To Defender", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table" + }, + "customWidth": "50", + "showPin": true, + "name": "Devices That Can Be Onboarded To Defender", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Advanced Hunting query\r\n//Data connector required for this query - Advanced Hunting license\r\nDeviceLogonEvents\r\n//| where Timestamp > ago(30d)\r\n| project DeviceName, ActionType, LogonType, AdditionalFields, InitiatingProcessCommandLine, AccountName, IsLocalAdmin\r\n| where ActionType == \"LogonSuccess\"\r\n| where LogonType == \"Interactive\"\r\n| where InitiatingProcessCommandLine == \"lsass.exe\"\r\n| summarize\r\n ['Local Admin Count']=dcountif(AccountName,IsLocalAdmin == \"true\"),\r\n ['Local Admins']=make_set_if(AccountName, IsLocalAdmin == \"true\"), \r\n ['Standard User Count']=dcountif(AccountName, IsLocalAdmin == \"false\"),\r\n ['Standard Users']=make_set_if(AccountName, IsLocalAdmin == \"false\")\r\n by DeviceName\r\n| sort by ['Local Admin Count'] desc ", + "size": 0, + "showAnalytics": true, + "title": "Device Logon Event by User Type", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "visualization": "table" + }, + "customWidth": "50", + "showPin": true, + "name": "Device Logon Event by User Type", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Summarize attack surface reduction audit hits for each device\r\n//Data connector required for this query - M365 Defender - Device* tables\r\nDeviceEvents\r\n//| where TimeGenerated > ago (1d)\r\n| where ActionType startswith \"Asr\"\r\n| extend isAudit = tostring(AdditionalFields.IsAudit)\r\n| where isAudit = true\r\n| project\r\n TimeGenerated,\r\n ActionType,\r\n DeviceName,\r\n FileName,\r\n InitiatingProcessAccountDomain,\r\n InitiatingProcessAccountName,\r\n InitiatingProcessCommandLine,\r\n InitiatingProcessParentFileName,\r\n ProcessTokenElevation\r\n| summarize\r\n ['Total ASR audit hits']=count(),\r\n ['Distinct ASR audit rule hits']=dcount(ActionType),\r\n ['List of processes']=make_set(InitiatingProcessCommandLine)\r\n by DeviceName\r\n| sort by ['Total ASR audit hits'] desc ", + "size": 0, + "showAnalytics": true, + "title": "Summarize Attack Surface Reduction Audit By Device", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "UserType" + ] + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "InvestigationPriority", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "showPin": true, + "name": "Summarize Attack Surface Reduction Audit By Device", + 
"styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DeviceEvents\r\n//| where TimeGenerated > ago (timerange) and TimeGenerated < ago(7d)\r\n| where ActionType startswith \"Asr\"\r\n| distinct ActionType;\r\n DeviceEvents\r\n //| where TimeGenerated > ago(7d)\r\n | where ActionType startswith \"Asr\"\r\n //| where ActionType !in (existingalerts)\r\n| summarize ['Device List']=make_set(DeviceName) by ActionType", + "size": 0, + "showAnalytics": true, + "title": "Attack Surface Reduction Alerts By Device", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "UserType" + ] + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "InvestigationPriority", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "showPin": true, + "name": "Attack Surface Reduction Alerts By Device", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationName == \"File integrity monitoring should be enabled on machines\"\r\n//| distinct RecommendationName, DeviceId\r\n| extend id_ = tostring(parse_json(tostring(Properties.resourceDetails)).id)\r\n| distinct Environment, RecommendationName, RecommendationState, id_", + "size": 0, + "showAnalytics": true, + "title": "File Integrity Management By Environment", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "showPin": true, + "name": "File Integrity Management By Environment", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": " DeviceEvents\r\n | where ActionType == \"AntivirusScanCompleted\"\r\n //| where Timestamp > ago(Timerange)\r\n | summarize LastSuccessfulAVScan = max(Timestamp) by DeviceName, DeviceId\r\n | join kind=innerunique (\r\n DeviceInfo\r\n | where isnotempty( OSVersion )\r\n ) on DeviceId\r\n | summarize LastSeen = arg_max(Timestamp,*) by DeviceName\r\n | project LastSeen, DeviceId, DeviceName, MachineGroup, OSPlatform, OSVersion, DeviceType, LastSuccessfulAVScan, JoinType", + "size": 0, + "showAnalytics": true, + "title": "Device Event - Latest AV Scan", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "showPin": true, + "name": "Device Event - Latest AV Scan", + "styleSettings": { + "margin": "10px", + "padding": "10px", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isD23Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "2.3Activites", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "2.4 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 2.4 Remote Access\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)" + }, + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Require compliant, hybrid joined devices, or MFA - Microsoft Entra](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device)
\r\nπŸ’‘ [Conditional Access APIs and PowerShell - Microsoft Entra](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-apis)
\r\nπŸ’‘ [Device compliance policies in Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/device-compliance-get-started)
\r\nπŸ’‘ [Configure compliance policies with actions for noncompliance in Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/actions-for-noncompliance)
\r\nπŸ’‘ [Configure Microsoft Defender for Endpoint in Intune](https://learn.microsoft.com/mem/intune/protect/advanced-threat-protection-configure)
\r\nπŸ’‘ [Configure Conditional Access in Microsoft Defender for Endpoint](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-conditional-access?view=o365-worldwide)
\r\nπŸ’‘ [Enhance security with the principle of least privilege](https://learn.microsoft.com/azure/active-directory/develop/secure-least-privileged-access)
\r\nπŸ’‘ [Best practices for Azure AD roles](https://learn.microsoft.com/azure/active-directory/roles/best-practices)
\r\nπŸ’‘ [Least privileged roles by task in Azure Active Directory](https://learn.microsoft.com/azure/active-directory/roles/delegate-by-task)
\r\n\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend ConditionalAccessPolicyName = tostring(ConditionalAccessPolicies.displayName)\r\n| distinct ConditionalAccessPolicyName\r\n| sort by ConditionalAccessPolicyName asc\r\n", + "size": 0, + "showAnalytics": true, + "title": "VERIFY Deny Device by Default On Non-Compliant Conditional Access", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "showPin": true, + "name": "VERIFY Deny Device by Default On Non-Compliant Conditional Access" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IntuneDeviceComplianceOrg\r\n//| where TimeGenerated between (ago(30d) ..now() )\r\n//| where ComplianceState contains ''\r\n| distinct DeviceId, DeviceName, ComplianceState, OS, UserName, OSVersion\r\n| summarize by DeviceName, ComplianceState, OS, OSVersion, UserName\r\n| order by ComplianceState\r\n| sort by ComplianceState desc", + "size": 0, + "showAnalytics": true, + "title": "Intune Device Compliancy ", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "showPin": true, + "name": "Intune Device Compliancy " + } + ] + }, + "conditionalVisibility": { + "parameterName": "isD24Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "2.4Activites", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "2.5 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", 
+ "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 2.5 Partially & Fully Automated Asset, Vulnerability & Patch Management\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
\r\nπŸ”€ [Azure Arc](https://portal.azure.us/#view/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/~/overview)\r\n" + }, + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
\r\nπŸ”€ [Azure Arc](https://portal.azure.us/#view/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/~/overview)\r\n" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [What is Windows Update for Business?](https://learn.microsoft.com/windows/deployment/update/waas-manage-updates-wufb)
\r\nπŸ’‘ [Microsoft Configuration Manager MECEM](https://learn.microsoft.com/mem/configmgr/core/understand/introduction)
\r\nπŸ’‘ [Update rings for Windows 10 and later policy in Intune](https://learn.microsoft.com/mem/intune/protect/windows-10-update-rings?source=recommendations)
\r\nπŸ’‘ [Manage Windows 10 and Windows 11 software updates in Intune](https://learn.microsoft.com/mem/intune/protect/windows-update-for-business-configure)
\r\nπŸ’‘ [Deploy software updates with Configuration Manager](https://learn.microsoft.com/mem/configmgr/sum/deploy-use/deploy-software-updates)
\r\nπŸ’‘ [Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint](https://learn.microsoft.com/mem/intune/protect/atp-manage-vulnerabilities)
\r\nπŸ’‘ [Remediate vulnerabilities (Defender for Endpoint)](https://learn.microsoft.com/microsoft-365/security/defender-vulnerability-management/tvm-remediation?view=o365-worldwide)
\r\nπŸ’‘ [Choose how to deliver updates for the Microsoft 365 Apps](https://learn.microsoft.com/deployoffice/fieldnotes/choose-how-to-deliver-updates)
\r\nπŸ’‘ [Windows Release Health](https://learn.microsoft.com/windows/release-health/)
\r\nπŸ’‘ [Manage updates and patches for your VMs](https://learn.microsoft.com/azure/automation/update-management/manage-updates-for-vm)
\r\nπŸ’‘ [Automate your patching using Azure Arc and Azure Automation](https://techcommunity.microsoft.com/t5/manufacturing/automate-your-patching-using-azure-arc-and-azure-automation/ba-p/3214141)
\r\n" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let secured =\r\nIntuneDeviceComplianceOrg\r\n| where isnotempty(DeviceHealthThreatLevel)\r\n| where DeviceHealthThreatLevel == \"Secured\"\r\n| distinct DeviceName, UserName , DeviceHealthThreatLevel\r\n| summarize count(DeviceName)\r\n| extend ['Number of Devices'] = count_DeviceName\r\n| extend Status = \"Secured\";\r\nlet notsecured =\r\nIntuneDeviceComplianceOrg\r\n| where isnotempty(DeviceHealthThreatLevel)\r\n| where DeviceHealthThreatLevel == \"Not Secured\"\r\n| distinct DeviceName, UserName , DeviceHealthThreatLevel\r\n| summarize count(DeviceName)\r\n| extend ['Number of Devices'] = count_DeviceName\r\n| extend Status = \"Not Secured\";\r\nlet unknown =\r\nIntuneDeviceComplianceOrg\r\n| where isnotempty(DeviceHealthThreatLevel)\r\n| where DeviceHealthThreatLevel == \"Unknown\"\r\n| distinct DeviceName, UserName , DeviceHealthThreatLevel\r\n| summarize count(DeviceName)\r\n| extend ['Number of Devices'] = count_DeviceName\r\n| extend Status = \"Unknown\";\r\nsecured\r\n| union notsecured, unknown\r\n| project Status, ['Number of Devices']\r\n| sort by ['Number of Devices']", + "size": 0, + "showAnalytics": true, + "title": "Number Of Devices With DeviceHealthThreatLevel Status", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "showPin": true, + "name": "Number Of Devices With DeviceHealthThreatLevel Status" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Compare OS Version changes between yesterday and today. 
It will calculate the difference (number of devices) between two days.\r\nlet Yesterday=\r\nIntuneDevices\r\n| where TimeGenerated < ago(1d) \r\n| summarize arg_max(TimeGenerated, *) by DeviceName\r\n| where todatetime(LastContact) > ago(30d) \r\n| summarize count() by OSVersion\r\n| sort by OSVersion desc\r\n| extend CustomName = OSVersion\r\n| extend Version_Yesterday = count_;\r\nlet Today=\r\nIntuneDevices \r\n| summarize arg_max(TimeGenerated, *) by DeviceName\r\n| where todatetime(LastContact) > ago(30d) \r\n| summarize count() by OSVersion\r\n| sort by OSVersion desc\r\n| extend CustomName = OSVersion\r\n| extend Version_Today = count_;\r\nYesterday\r\n| join kind=inner Today on OSVersion\r\n| project CustomName, Version_Today, Version_Yesterday, Difference = Version_Today-Version_Yesterday\r\n| sort by CustomName desc", + "size": 0, + "showAnalytics": true, + "title": "Compare OS Version Changes Between Yesterday & Today", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "UserType" + ] + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "InvestigationPriority", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "33", + "showPin": true, + "name": "Compare OS Version Changes Between Yesterday & Today" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IntuneDevices\r\n//| where TimeGenerated > ago(90d)\r\n| where isnotempty(LastContact)\r\n//Retrieve latest record for each DeviceId\r\n| summarize arg_max(TimeGenerated, *) by DeviceId\r\n//Convert string to datetime format\r\n| extend LastContactTime = 
todatetime(LastContact)\r\n| project DeviceId, LastContactTime\r\n//Exclude devices reporting as 0001-01-01\r\n| where LastContactTime <> todatetime('0001-01-01T00:00:00Z')\r\n//Group by month and render chart\r\n| summarize ['Device Count']=count()by startofmonth(LastContactTime)\r\n| render columnchart with (title=\"Intune devices by last contact time\", xtitle=\"Month\")", + "size": 0, + "showAnalytics": true, + "title": "Visualize When Devices Last Contacted Intune", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "showPin": true, + "name": "Visualize When Devices Last Contacted Intune" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isD25Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "2.5Activites", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "2.6 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 2.6 Unified Endpoint Management & Mobile Patch Management\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
\r\nπŸ”€ [Azure Arc](https://portal.azure.us/#view/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/~/overview)" + }, + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
\r\nπŸ”€ [Azure Arc](https://portal.azure.us/#view/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/~/overview)" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [What is Microsoft Intune](https://learn.microsoft.com/mem/intune/fundamentals/what-is-intune)
\r\nπŸ’‘ [Manage your devices and control device features in Microsoft Intune](https://learn.microsoft.com/mem/intune/fundamentals/manage-devices)
\r\nπŸ’‘ [Zero Trust with Microsoft Intune](https://learn.microsoft.com/mem/intune/fundamentals/zero-trust-with-microsoft-intune)
\r\nπŸ’‘ [Supported operating systems and browsers in Intune](https://learn.microsoft.com/mem/intune/fundamentals/supported-devices-browsers)
\r\nπŸ’‘ [Enrollment guide: Microsoft Intune enrollment](https://learn.microsoft.com/mem/intune/fundamentals/deployment-guide-enrollment)
\r\nπŸ’‘ [Manage iOS/iPadOS software update policies in Intune](https://learn.microsoft.com/mem/intune/protect/software-updates-ios)
\r\nπŸ’‘ [Manage macOS software update policies in Intune](https://learn.microsoft.com/mem/intune/protect/software-updates-macos)
\r\nπŸ’‘ [Microsoft Intune How-To Guides](https://learn.microsoft.com/mem/intune/#how-to-guides)
\r\nπŸ’‘ [What is Azure Arc-enabled servers?](https://learn.microsoft.com/azure/azure-arc/servers/overview)
\r\nπŸ’‘ [Automate your patching using Azure Arc and Azure Automation](https://techcommunity.microsoft.com/t5/manufacturing/automate-your-patching-using-azure-arc-and-azure-automation/ba-p/3214141)
\r\n\r\n\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Visualize Android Versions and filtering for devices that had a connection to intune in the last 30 days.\r\nIntuneDevices\r\n| where OS contains \"Android\"\r\n//| where todatetime(LastContact) > ago(30d) \r\n| summarize arg_max(TimeGenerated, *) by DeviceName\r\n| summarize Versionen=count() by OSVersion\r\n| sort by Versionen desc \r\n| render piechart with (title=\"Android Versions\")", + "size": 0, + "showAnalytics": true, + "title": "Intune - Visualize Android Versions", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "showPin": true, + "name": "Intune - Visualize Android Versions" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Visualize iOS Versions and filtering for devices that had a connection to intune in the last 30 days.\r\nIntuneDevices\r\n| where OS contains \"iOS/iPadOS\"\r\n//| where todatetime(LastContact) > ago(30d) \r\n| summarize arg_max(TimeGenerated, *) by DeviceName\r\n| summarize Versionen=count() by OSVersion\r\n| sort by Versionen desc \r\n| render piechart with ( title=\"iOS/iPadOS Versions\")", + "size": 0, + "showAnalytics": true, + "title": "Intune - Visualize iOS Versions", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "UserType" + ] + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": 
"InvestigationPriority", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "33", + "showPin": true, + "name": "Intune - Visualize iOS Versions" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Visualize Windows Versions and filtering for devices that had a connection to intune in the last 30 days.\r\nIntuneDevices\r\n| where OS contains \"Windows\"\r\n//| where todatetime(LastContact) > ago(30d) \r\n| summarize arg_max(TimeGenerated, *) by DeviceName\r\n| summarize Versionen=count() by OSVersion\r\n| sort by Versionen desc \r\n| render piechart with ( title=\"Windows Build Versions\")", + "size": 0, + "showAnalytics": true, + "title": "Intune - Visualize Windows Versions", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "showPin": true, + "name": "Intune - Visualize Windows Versions" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isD26Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "2.6Activites", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "2.7 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 2.7 Endpoint & Extended Detection & Response (EDR & XDR)\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\nπŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)\r\n\r\n" + }, + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\nπŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [What is Microsoft Defender for Endpoint?](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide)
\r\nπŸ’‘ [Zero Trust with Microsoft Defender for Endpoint](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/zero-trust-with-microsoft-defender-endpoint?view=o365-worldwide)
\r\nπŸ’‘ [What is Microsoft 365 Defender?](https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide)
\r\nπŸ’‘ [Zero Trust with Microsoft 365 Defender](https://learn.microsoft.com/microsoft-365/security/defender/zero-trust-with-microsoft-365-defender?view=o365-worldwide)
\r\nπŸ’‘ [Overview of endpoint detection and response (EDR) with Microsoft 365 Defender](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response?view=o365-worldwide)
\r\nπŸ’‘ [Implement Microsoft Sentinel and Microsoft 365 Defender for Zero Trust](https://learn.microsoft.com/security/operations/siem-xdr-overview)
\r\nπŸ’‘ [Manage endpoint detection and response (EDR) policy for endpoint security in Intune](https://learn.microsoft.com/mem/intune/protect/endpoint-security-edr-policy)
\r\nπŸ’‘ [Set up your XDR tools](https://learn.microsoft.com/security/operations/setup-xdr-tools)
\r\nπŸ’‘ [Architect your Microsoft Sentinel workspace](https://learn.microsoft.com/security/operations/siem-workspace)
\r\nπŸ’‘ [Ingest data sources and configure incident detection in Sentinel](https://learn.microsoft.com/security/operations/ingest-data-sources)
\r\nπŸ’‘ [Respond to an incident using Microsoft Sentinel and Microsoft 365 Defender](https://learn.microsoft.com/security/operations/respond-incident)
\r\n\r\n\r\n\r\n\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AlertInfo\r\n| where TimeGenerated >= ago(365d)\r\n| where ServiceSource == \"Microsoft Defender for Endpoint\"\r\n| distinct TimeGenerated, Title, Category, Severity, ServiceSource, DetectionSource\r\n| sort by TimeGenerated desc", + "size": 0, + "showAnalytics": true, + "title": "Alert Info By EDR (Microsoft MDE)", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "showPin": true, + "name": "Alert Info By EDR (Microsoft MDE)" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityIncident\r\n| where ProviderName == \"Microsoft 365 Defender\"\r\n| where Status <> \"Closed\"\r\n| project TimeGenerated, Title, Status, ProviderName, IncidentNumber\r\n| sort by TimeGenerated desc\r\n", + "size": 0, + "showAnalytics": true, + "title": "Security Incidents From 365 Defender", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "showPin": true, + "name": "Security Incidents From 365 Defender" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isD27Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "2.7Activites", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p2" + }, + "name": "P2Activities" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n\\t\\t{ \\\"Select All (Application & Workload 3.x)\\\": \\\"3.1 Application Inventory\\\", \\\"tab\\\": \\\"A31\\\" 
},\\r\\n\\t\\t{ \\\"Select All (Application & Workload 3.x)\\\": \\\"3.2 Secure Software Development & Integration\\\", \\\"tab\\\": \\\"A32\\\" },\\r\\n\\t\\t{ \\\"Select All (Application & Workload 3.x)\\\": \\\"3.3 Software Risk Management\\\", \\\"tab\\\": \\\"A33\\\" },\\r\\n\\t\\t{ \\\"Select All (Application & Workload 3.x)\\\": \\\"3.4 Resource Authorization & Integration\\\", \\\"tab\\\": \\\"A34\\\" },\\r\\n\\t\\t{ \\\"Select All (Application & Workload 3.x)\\\": \\\"3.5 Continuous Monitoring and Ongoing Authorizations\\\", \\\"tab\\\": \\\"A35\\\" }\\r\\n\\t\\t]\",\"transformers\":null}", + "size": 3, + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "tab", + "parameterName": "Tab", + "parameterType": 1 + } + ], + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "Select All (Application & Workload 3.x)", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + } + }, + { + "columnMatch": "tab", + "formatter": 5 + }, + { + "columnMatch": "Zero Trust", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + } + } + ] + } + }, + "customWidth": "90", + "name": "AppZT", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "42fc8445-0772-439f-b490-461fb17e5d2f", + "version": "KqlParameterItem/1.0", + "name": "isA31Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "A31", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "6d0940d2-e259-49de-b490-75d026dd6ad3", + "version": "KqlParameterItem/1.0", + "name": "isA32Visible", + "type": 1, + 
"isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "A32", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "f727f39d-ec12-43f9-a6ed-e44515f19b66", + "version": "KqlParameterItem/1.0", + "name": "isA33Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "A33", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "a354cdb5-4a2c-4d66-8cd9-30b0f23d8cef", + "version": "KqlParameterItem/1.0", + "name": "isA34Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "A34", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "bc47e30b-b2bf-4c0f-9125-94ebf62e7c92", + "version": "KqlParameterItem/1.0", + "name": "isA35Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "A35", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + 
} + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "5", + "name": "AppZTParameters" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p3" + }, + "customWidth": "50", + "name": "P3-1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR3.1", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 3.1\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| System owners ensure that all applications and application components are identified and inventoried; only applications and application components that have been authorized by the appropriate authorizing official/CISO/CIO shall be utilized within the system owner's purview. | System owners ensure that all applications and application components are identified and inventoried; only applications and application components that have been authorized by the appropriate authorizing official/CISO/CIO shall be utilized within the system owner's purview. | Unauthorized applications and application components are not used on or within the system. 
|" + }, + "name": "AppCR31" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusapp31", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateapp31", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesapp31", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "App31Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Entra ID | \r\n| Microsoft Defender for Cloud Apps (MDA) | \r\n| Microsoft Defender for Endpoint (MDE) | \r\n| Microsoft Intune |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isA31Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "AppCR31Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + 
"title": "CR3.2", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 3.2\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|\r\n| Foundational software and application security processes and infrastructure are established following Zero Trust principles and best practices. Controls such as code review, runtime rotection, secure API gateways, container and serverless security are integrated and automated. | Organization-defined security controls and practices are integrated, to include Zero Trust security controls and virtualization, into the software development lifecycle and DevOps toolchain. Custom software development teams use DevSecOps to integrate static and dynamic application security testing into software delivery workflows in accordance with the organization's requirements policies, technologies, and processes). | Zero Trust security concepts, processes, and capabilities are accepted and integrated across the DevOps toolchain, to include static and dynamic application security testing necessary for the discovery of weaknesses and vulnerabilities during application development. 
|" + }, + "name": "AppCR32" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "f28c401d-2da4-4960-8232-f659d30252d2", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusapp32", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "a4b5ef42-9775-433e-ac25-55cc0eabd5c0", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateapp32", + "label": "Implementation Date", + "type": 1, + "timeContext": { + "durationMs": 86400000 + }, + "value": "DueDate=2027" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesapp32", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "f06061bf-e951-4cc0-b335-c8eea6f55495", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "App32Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Azure Policy | \r\n| Microsoft Defender for Cloud (MDfC) | \r\n| Microsoft Defender for Endpoint (MDE) |\r\n| Microsoft Intune |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isA32Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "AppCR32Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + 
"title": "CR3.3", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 3.3\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations establish software/application risk management program. Foundational controls include Bill of Materials risk management, Supplier Risk Management, approved repositories and update channels, and vulnerability management program. Additional controls include Continual validation within the CI/CD pipelines and vulnerability maturation with external sources. | DoD establishes policies and procedures to secure supply chain cybersecurity for code components within DoD and DIB systems by evaluating and identifying supplier sourcing risk for approved sources,creating repositories and update channels for use by development teams, creating Bill of Materials for applications to identify source, supportability and risk posture, and establishing industry standard (DIB) and approved vulnerability databases for use in DevSecOps. | Code used in DAAS and associated components of the supply chain is secure, vulnerabilities are reduced, and DoD is aware of potential risks. 
|" + }, + "name": "AppCR33" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "6d883c79-17bf-432a-8d50-cf2280380232", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusapp33", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "196b9437-34c4-4c58-9b54-81650c8e9cfa", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateapp33", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesapp33", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "15d3be75-9b31-44c4-8108-42122f1c1883", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "App33Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft Defender for Cloud Apps (MDA) | \r\n| Mircosoft Defender for Endpoint (MDE) Threat & Vulnerability Management (TVM) |\r\n| Microsoft Intune |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isA33Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "AppCR33Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + 
"groupType": "editable", + "title": "CR3.4", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 3.4\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD establishes a standardized resource authorization gateway for authorizations via the CI/CD pipelines in a risk approach that reviews the User, Device and Data security posture. Authorizations utilize a programmatic (e.g., Software Defined) approach in a live/production environment. Attributes are enriched utilizing other pillar activities and the API and Authorization gateway. Approved enterprise APIs are micro-segmented using authorizations. | DoD establishes a standard approach managing the authorizations of resources in a risk approach that reviews the User, Device and Data security posture. | Resource authorization enables the ability for limited access to those resources and in a programmatic way in later stages. This improvise the ability to remove access when it is not needed. 
| " + }, + "name": "AppCR34" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusapp34", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateapp34", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesapp34", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "App34Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Entra ID Conditional Access (CA) | \r\n| Entra ID Application Proxy | \r\n| Azure Policy | \r\n| Entra ID Privilleged Identity Management (PIM) |\r\n| Microsoft 365 Defender |\r\n| Microsoft Intune |\r\n| Microsoft Defender for Cloud (MDfC)|" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isA34Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": 
"AppCR34Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR3.5", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 3.5\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations employ automated tools and processes to continuously monitor applications and assess their authorization to operate. | DoD organizations employ automated tools and processes to continuously monitor applications and assess their authorization to operate. | Near real time visibility into the effectiveness of deployed security controls. |" + }, + "name": "AppCR35" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusapp35", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateapp35", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesapp35", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + 
} + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "App35Status" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isA35Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "AppCR35Group" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Entra ID Conditional Access (CA) | \r\n| Microsoft Defender for Cloud Apps (MDA) | \r\n| Microsoft Senitnel Playbooks | \r\n| Entra ID Privilleged Identity Management (PIM) |" + }, + "conditionalVisibility": { + "parameterName": "isA35Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "text - 5" + } + ], + "exportParameters": true + }, + "name": "AppCRGroup" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p3" + }, + "customWidth": "50", + "name": "P3-2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "3.1 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 3.1 Application Inventory\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID Applications - Useage & Insights](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_IAM/EnterpriseApplicationsInsightsMenuBlade/~/ApplicationActivity)
\r\nπŸ”€ [Application Security Groups](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FapplicationSecurityGroups)
\r\nπŸ”€ [Microsoft Defender for Cloud Apps - Discovery](https://security.microsoft.us/cloudapps/discovery)
\r\nπŸ”€ [Virtual Network Gateways](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)\r\n\r\n\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Microsoft Portals Government \r\nπŸ”€ [Entra ID Applications - Useage & Insights](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_IAM/EnterpriseApplicationsInsightsMenuBlade/~/ApplicationActivity)
\r\nπŸ”€ [Application Security Groups](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FapplicationSecurityGroups)
\r\nπŸ”€ [Microsoft Defender for Cloud Apps - Discovery](https://security.microsoft.us/cloudapps/discovery)
\r\nπŸ”€ [Virtual Network Gateways](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\n\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [Cloud Discovery Setup](https://learn.microsoft.com/defender-cloud-apps/set-up-cloud-discovery)
\r\nπŸ’‘ [Deploy Intune Softare inventory & Security Policies](https://learn.microsoft.com/answers/questions/67892/can-we-use-intune-to-inventory-software-on-devices)
\r\nπŸ’‘ [Configure Blocking Unwanted or Unapproved Applications](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide)
\r\nπŸ’‘ [Generating Software Bill of Materials (SBOM)](https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/)
\r\nπŸ’‘ [Microsoft Open Source Software Bill of Materials SBOM](https://devblogs.microsoft.com/engineering-at-microsoft/microsoft-open-sources-software-bill-of-materials-sbom-generation-tool/)
\r\nπŸ’‘ [Github Software Bill of Materials - SBOM-Tool](https://github.com/microsoft/sbom-tool)
\r\nπŸ’‘ [Active Directory Federation Services Health](https://learn.microsoft.com/azure/active-directory/hybrid/connect/how-to-connect-health-adfs)
\r\nπŸ’‘ [Azure Active Directory Application Audit](https://github.com/jsa2/AADAppAudit#azure-ad-application-analytics-solution)
\r\nπŸ’‘ [Azure Active Directory Application Proxy](https://learn.microsoft.com/azure/active-directory/app-proxy/what-is-application-proxy)
\r\nπŸ’‘ [Using Microsoft Defender for Cloud Asset Inventory](https://learn.microsoft.com/azure/defender-for-cloud/asset-inventory)
\r\nπŸ’‘ [Working with Discovered Apps](https://learn.microsoft.com/defender-cloud-apps/discovered-apps)
\r\nπŸ’‘ [Software Inventory](https://learn.microsoft.com/microsoft-365/security/defender-vulnerability-management/tvm-software-inventory?view=o365-worldwide)
\r\n" + }, + "customWidth": "33", + "name": "text - 9" + } + ] + }, + "name": "3.1ActResources" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs \r\n| where SourceSystem == 'Azure AD'\r\n| distinct TimeGenerated, UserPrincipalName,AppDisplayName, status = case(Status.errorCode == \"0\", \"success\", \"failure\")\r\n| sort by TimeGenerated desc\r\n", + "size": 0, + "showAnalytics": true, + "title": "Application Inventory Audit by Source System Azure Active Directory", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "AppDisplayName", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "150px" + } + } + ] + } + }, + "customWidth": "50", + "showPin": true, + "name": "Application Audit by Source System Azure Active Directory" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isA31Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "3.1Activites", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "3.2 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 3.2 Secure Software Development & Integration\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Azure DevOps](https://portal.azure.us/#view/AzureTfsExtension/OrganizationsTemplateBlade)
\r\nπŸ”€ [Azure Dev Test Center](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.DevTestLab%2Flabs)
\r\nπŸ”€ [Azure DevTest Lab](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.DevTestLab%2Flabs)
\r\nπŸ”€ [Intune App Security](https://endpoint.microsoft.us)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)\r\n\r\n\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Microsoft Portals Government \r\nπŸ”€ [Azure DevOps](https://portal.azure.us/#view/AzureTfsExtension/OrganizationsTemplateBlade)
\r\nπŸ”€ [Azure Dev Test Center](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.DevTestLab%2Flabs)
\r\nπŸ”€ [Azure DevTest Lab](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.DevTestLab%2Flabs)
\r\nπŸ”€ [Intune App Security](https://endpoint.microsoft.us)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)\r\n\r\n\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [DoD CIO DevSecOps with IaC & Microsoft](https://dodcio.defense.gov/Portals/0/Documents/Library/DoDRefDesignCloudGithub.pdf?ver=zXJ_uO5LfouVaysHo5Ejsw%3d%3d)
\r\nπŸ’‘ [Microsoft Secure DevSecOps](https://www.microsoft.com/securityengineering/sdl/)
\r\nπŸ’‘ [Application Security & DevSecOps Security](https://learn.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops?wt.mc_id=searchAPI_azureportal_inproduct_rmskilling&sessionId=eb8cd3d8eb27486d87bbb4d96d996220)
\r\nπŸ’‘ [Generating Software Bill of Materials (SBOM)](https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/)
\r\nπŸ’‘ [Microsoft Open Source Software Bill of Materials SBOM](https://devblogs.microsoft.com/engineering-at-microsoft/microsoft-open-sources-software-bill-of-materials-sbom-generation-tool/)
\r\nπŸ’‘ [Github Software Bill of Materials - SBOM-Tool](https://github.com/microsoft/sbom-tool)
\r\nπŸ’‘ [Azure AI Content Moderator API Security](https://learn.microsoft.com/azure/ai-services/content-moderator/overview)\r\n\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 9" + } + ] + }, + "name": "3.2ActResources" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "securityresources\r\n| where type == \"microsoft.security/assessments\"\r\n| where name == \"c68a8c2a-6ed4-454b-9e37-4b7654f2165f\" \r\n or name == \"4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\" \r\n or name == \"822425e3-827f-4f35-bc33-33749257f851\"\r\n or name == \"2ebc815f-7bc7-4573-994d-e1cc46fb4a35\" \r\n or name == \"6672df26-ff2e-4282-83c3-e2f20571bd11\"\r\n or name == \"1a600c61-6443-4ab4-bd28-7a6b6fb4691d\" \r\n or name == \"92643c1f-1a95-4b68-bbd2-5117f92d6e35\"\r\n| extend Status = tostring(properties.status.code)\r\n| where Status == 'Unhealthy'\r\n| project assessmentKey=name, parse_json(properties)\r\n| where properties.metadata.severity in ('Low','Medium','High')\r\n| extend SeverityRank = case(\r\n properties.metadata.severity == 'High', 3,\r\n properties.metadata.severity == 'Medium', 2,\r\n properties.metadata.severity == 'Low', 1,\r\n 0)\r\n| project-away SeverityRank\r\n| extend Severity = properties.metadata.severity\r\n| project Severity = tostring(Severity)\r\n| summarize Count = count() by Severity", + "size": 3, + "showAnalytics": true, + "title": "Dynamic Security testing posture by severity", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "value::all" + ], + "visualization": "piechart" + }, + "customWidth": "35", + "showPin": true, + "name": "Security posture by severity" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "securityresources\r\n| where type == \"microsoft.security/assessments\"\r\n| extend assessmentKey = 
extract(\".*assessments/(.+?)/.*\",1, id)\r\n| extend Repository = tostring(split(properties.resourceDetails.Id,\"/\",12))\r\n| extend Status = tostring(properties.status.code)\r\n| extend TimeGenerated = todatetime(properties.timeGenerated)\r\n| where Status == 'Unhealthy'\r\n| where name == \"c68a8c2a-6ed4-454b-9e37-4b7654f2165f\" \r\n or name == \"4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\" \r\n or name == \"822425e3-827f-4f35-bc33-33749257f851\"\r\n or name == \"2ebc815f-7bc7-4573-994d-e1cc46fb4a35\" \r\n or name == \"6672df26-ff2e-4282-83c3-e2f20571bd11\"\r\n or name == \"1a600c61-6443-4ab4-bd28-7a6b6fb4691d\" \r\n or name == \"92643c1f-1a95-4b68-bbd2-5117f92d6e35\"\r\n| summarize count(name) by trim(@'^\\[\"|\"]$',Repository)", + "size": 0, + "showAnalytics": true, + "title": "Posture Assessment By Repository", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "value::all" + ], + "visualization": "barchart", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "UserType" + ] + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "InvestigationPriority", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "65", + "showPin": true, + "name": "Posture Assessment By Repository" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "securityresources\r\n| where type == \"microsoft.security/assessments\"\r\n| where name == \"1a600c61-6443-4ab4-bd28-7a6b6fb4691d\" or name == \"6672df26-ff2e-4282-83c3-e2f20571bd11\" or name == \"92643c1f-1a95-4b68-bbd2-5117f92d6e35\" or name == \"c68a8c2a-6ed4-454b-9e37-4b7654f2165f\" or name == \"580dbad4-33c2-44c8-a37d-22874d8ef4c3\" or name == 
\"0db7ca3c-bd65-4244-9be3-2194c13a3893\" or name == \"822425e3-827f-4f35-bc33-33749257f851\" or name == \"4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27\" or name == \"92643c1f-1a95-4b68-bbd2-5117f92d6e35\"\r\n| extend Status = tostring(properties.status.code)\r\n| where Status == 'Unhealthy'\r\n| extend Repository = tostring(split(id, '/')[12]), \r\n Threats = tostring(strcat_array(properties.metadata.threats,\",\")), \r\n Tactics = tostring(strcat_array(properties.metadata.tactics,\",\")), \r\n Techniques = tostring(strcat_array(properties.metadata.techniques,\",\")),\r\n Details = \"info\"\r\n| project Repository, Threats, Tactics, Techniques, properties, Details", + "size": 0, + "showAnalytics": true, + "title": "Threats & Tactics", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "value::all" + ], + "visualization": "table" + }, + "showPin": true, + "name": "Threats & Tactics" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isA32Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "3.2Activites", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "3.3 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 3.3 Software Risk Management\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Azure Managed Application Center](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Solutions%2Fapplications)
\r\nπŸ”€ [Azure Enterprise Apps Portal](https://portal.azure.us/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview)
\r\nπŸ”€ [Intune Application Security](https://endpoint.microsoft.us/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/overview)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)\r\n\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Microsoft Portals Government \r\nπŸ”€ [Azure Managed Application Center](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Solutions%2Fapplications)
\r\nπŸ”€ [Azure Enterprise Apps Portal](https://portal.azure.us/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview)
\r\nπŸ”€ [Intune Application Security](https://endpoint.microsoft.us/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/overview)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)\r\n\r\n\r\n\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [Manage and Secure Apps In Intune](https://learn.microsoft.com/mem/intune/fundamentals/manage-apps)
\r\nπŸ’‘ [App Protection Policies in Intune](https://learn.microsoft.com/mem/intune/apps/app-protection-policy)
\r\nπŸ’‘ [Microsoft Container Registry](https://mcr.microsoft.com/)
\r\nπŸ’‘ [GitHub Actaion For Vulnerability Scanning](https://github.com/marketplace/actions/anchore-container-scan)
\r\nπŸ’‘ [Code Scanning with CodeQL](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql)
\r\nπŸ’‘ [Keeping your supply chain secure with Dependabot](https://docs.github.com/en/code-security/dependabot)
\r\nπŸ’‘ [Secure Supply Chain Consumption Framework](https://www.microsoft.com/securityengineering/opensource/osssscframeworkguide)
\r\nπŸ’‘ [Generating Software Bill of Materials (SBOM)](https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/)
\r\nπŸ’‘ [Microsoft Open Source Software Bill of Materials SBOM](https://devblogs.microsoft.com/engineering-at-microsoft/microsoft-open-sources-software-bill-of-materials-sbom-generation-tool/)
\r\nπŸ’‘ [Github Software Bill of Materials - SBOM-Tool](https://github.com/microsoft/sbom-tool)
\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 9" + } + ] + }, + "name": "3.3ActResources" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where ResultType == 0\r\n| where Location <> \"\"\r\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\r\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\r\n| extend city_ = tostring(LocationDetails.city)", + "size": 3, + "showAnalytics": true, + "title": "Sign Ins By GeoLocation", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "map", + "mapSettings": { + "locInfo": "LatLong", + "locInfoColumn": "Location", + "latitude": "latitude_", + "longitude": "longitude_", + "sizeSettings": "city_", + "sizeAggregation": "Count", + "labelSettings": "city_", + "legendMetric": "city_", + "legendAggregation": "Count", + "itemColorSettings": null, + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal" + } + } + } + }, + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where ResultType == 0\r\n| summarize Count=count() by AppDisplayName\r\n| render piechart ", + "size": 0, + "title": "SigInLogs by App", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "query - 2" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isA33Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "3.3Activites", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", 
+ "groupType": "editable", + "title": "3.4 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 3.4 Resource Authorization & Integration\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Azure Identity Governance](https://portal.azure.us/#blade/Microsoft_AAD_ERM/DashboardBlade)
\r\nπŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\nπŸ”€ [Azure Application Proxy](https://portal.azure.us/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppProxy)
\r\nπŸ”€ [Managed Service Identity](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/6f3afa5d-4b81-4f10-8806-fb75689672da/appId/c75517e9-05c9-49e9-9990-94f68b04ffc4)
\r\nπŸ”€ [Intune Application Security](https://endpoint.microsoft.us/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/overview)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Microsoft Portals Government \r\nπŸ”€ [Azure Identity Governance](https://portal.azure.us/#blade/Microsoft_AAD_ERM/DashboardBlade)
\r\nπŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\nπŸ”€ [Azure Application Proxy](https://portal.azure.us/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppProxy)
\r\nπŸ”€ [Managed Service Identity](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/6f3afa5d-4b81-4f10-8806-fb75689672da/appId/c75517e9-05c9-49e9-9990-94f68b04ffc4)
\r\nπŸ”€ [Intune Application Security](https://endpoint.microsoft.us/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/overview)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)\r\n\r\n\r\n\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [Deploy Microsoft Defender for Cloud - Enterprise Cloud Application Protection](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
\r\nπŸ’‘ [Configure Microsoft Cloud Identity for Enterprise Architects](https://www.microsoft.com/download/details.aspx?id=54431)
\r\nπŸ’‘ [Deploying Application & Authorization Azure App Services](https://learn.microsoft.com/azure/app-service/overview-authentication-authorization)
\r\nπŸ’‘ [How to create and deploy a custome Authorization Manager](https://learn.microsoft.com/dotnet/framework/wcf/extending/how-to-create-a-custom-authorization-manager-for-a-service)
\r\nπŸ’‘ [Configure with Entra Identity Platform](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow)
\r\nπŸ’‘ [How-to Manage Apps Remove User Access with Entra](https://learn.microsoft.com/azure/active-directory/manage-apps/methods-for-removing-user-access)
\r\nπŸ’‘ [Setup Protecting Apps w. Entra Conditional Access](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps)
\r\nπŸ’‘ [Role Based Access Control Configuration with Intune](https://learn.microsoft.com/mem/intune/fundamentals/role-based-access-control)
\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 9" + } + ] + }, + "name": "3.4ActResources" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "bullets", + "links": [] + }, + "name": "links - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where ResultType == 0\r\n| summarize Count=count() by AppDisplayName\r\n| render piechart ", + "size": 0, + "title": "SigInLogs by App", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IdentityInfo | union BehaviorAnalytics\r\n| where isnotempty(UserType)\r\n| summarize count() by UserType\r\n| render piechart ", + "size": 0, + "title": "UEBA - IdentityInfo", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "UserType" + ] + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "InvestigationPriority", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "33", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IdentityDirectoryEvents | summarize count() by ActionType | render piechart ", + "size": 0, + "title": "MDI - IdentityLogonEvents", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let maxSummarizedTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n NetworkCustomAnalytics_protocol_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('minute',10,max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nunion isfuzzy=true \r\n (\r\n _Im_NetworkSession(starttime=todatetime(maxSummarizedTime), endtime=now())\r\n | where isnotempty(DstAppName)\r\n | summarize Instances=toint(count()) by DstAppName, bin(TimeGenerated, 6h)\r\n ),\r\n (\r\n NetworkCustomAnalytics_protocol_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DstAppName_s)\r\n | summarize Instances=toint(sum(count__d)) by DstAppName=DstAppName_s, TimeGenerated=bin(EventTime_t, 6h)\r\n )\r\n | summarize Instances = sum(Instances) by DstAppName, bin(TimeGenerated, 6h)", + "size": 0, + "title": "Events By Destination Application", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar" + }, + "name": "query - 5" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isA34Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "3.4Activites", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "3.5 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + 
"version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 3.5 Continuous Monitoring and Ongoing Authorizations\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\nπŸ”€ [Application Insights](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.insights%2Fcomponents)
\r\nπŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\nπŸ”€ [Application Security Groups Portal](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FapplicationSecurityGroups)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Microsoft Portals Government \r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\nπŸ”€ [Application Insights](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.insights%2Fcomponents)
\r\nπŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\nπŸ”€ [Application Security Groups Portal](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FapplicationSecurityGroups)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)\r\n\r\n\r\n\r\n\r\n" + }, + "customWidth": "100", + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [How-to-Build a Successful App Security Program](https://www.microsoft.com/security/blog/2021/03/29/how-to-build-a-successful-application-security-program/)
\r\nπŸ’‘ [Setting up Hybrid Continuous Monitoring with Sentinel](https://learn.microsoft.com/azure/architecture/hybrid/hybrid-security-monitoring)
\r\nπŸ’‘ [Deploy Adaptive Appliation Conrols Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/adaptive-application-controls)
\r\nπŸ’‘ [Configure Azure Security Management & Monitoring](https://learn.microsoft.com/azure/security/fundamentals/management-monitoring-overview)
\r\nπŸ’‘ [Leverage Security Baselines for M365 Apps Enterprise](https://learn.microsoft.com/deployoffice/security/security-baseline)
\r\nπŸ’‘ [Utilize Application Control for Windows](https://learn.microsoft.com/windows/security/application-security/application-control/windows-defender-application-control/wdac)
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 9" + } + ] + }, + "name": "3.5ActResources" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let FailedAssets=SecurityBaseline\r\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\r\n| where Description contains \"config\"\r\n| where AnalyzeResult == \"Failed\"\r\n| summarize FailedAssets = makelist(Computer) by Description;\r\nlet PassedAssets=SecurityBaseline\r\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\r\n| where Description contains \"config\"\r\n| where AnalyzeResult == \"Passed\"\r\n| summarize PassedAssets = makelist(Computer) by Description;\r\nSecurityBaseline\r\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\r\n| where Description contains \"config\"\r\n| summarize\r\n Failedβ€―=β€―countif(AnalyzeResult == \"Failed\"),\r\n Passedβ€―=β€―countif(AnalyzeResult == \"Passed\"),\r\n Totalβ€―=β€―countif(AnalyzeResult == \"Failed\" or AnalyzeResult == \"Passed\")\r\n by Description\r\n| extend PassedControlsβ€―= (Passed / todouble(Total)) * 100\r\n| join kind=fullouter(FailedAssets) on Description\r\n| join kind=fullouter(PassedAssets) on Description\r\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\r\n| sort by Total, Passed desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Security Appllication Authorization Baselines", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true, + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "UserType" + ] + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "InvestigationPriority", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + 
} + } + } + }, + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let LastObserved = SigninLogs\r\n| where ResultType == 0\r\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\r\n| project UserPrincipalName, LastSignIn=TimeGenerated;\r\nSigninLogs\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\", UserId)\r\n| where ResultType == 0\r\n| summarize count() by UserPrincipalName, UserProfile, UserId, AppDisplayName\r\n| join (LastObserved) on UserPrincipalName\r\n| project UserPrincipalName, AppDisplayName, SignInCount=count_, UserProfile, LastSignIn, UserId\r\n| sort by SignInCount desc\r\n| limit 2500\r\n", + "size": 0, + "showAnalytics": true, + "title": "User Access by Application", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "SignInCount", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "OpenBlade", + "linkLabel": "AAD User Profile >>", + "bladeOpenContext": { + "bladeName": "UserDetailsMenuBlade", + "extensionName": "Microsoft_AAD_IAM", + "bladeParameters": [ + { + "name": "userId", + "source": "column", + "value": "UserId" + } + ] + } + } + }, + { + "columnMatch": "UserId", + "formatter": 5 + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "yellowOrangeRed" + } + } + ], + "rowLimit": 2500, + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "OperationName", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Runs", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "TrendList", + "formatter": 9, + "formatOptions": { + "palette": "blue" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "LatLong", + "locInfoColumn": "Location", + "latitude": "latitude_", + "longitude": "longitude_", + "sizeSettings": "city_", + "sizeAggregation": "Count", + "labelSettings": "city_", + "legendMetric": "city_", + "numberOfMetrics": 100, + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "state_", + "colorAggregation": 
"Count", + "type": "heatmap", + "heatmapPalette": "coldHot" + } + } + }, + "name": "query - 9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where ResultType == 0\r\n| summarize Count=count() by AppDisplayName\r\n| render piechart ", + "size": 0, + "title": "SigInLogs by App", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "30", + "name": "query - 2" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isA35Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "3.5Activites", + "styleSettings": { + "showBorder": true + } + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p3" + }, + "name": "P3Activities" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n\\t\\t{ \\\"Select All (Data 4.x)\\\": \\\"4.1 Data Catalog Risk Alignment\\\", \\\"tab\\\": \\\"DA41\\\" },\\r\\n\\t\\t{ \\\"Select All (Data 4.x)\\\": \\\"4.2 DoD Enterprise Data Governance\\\", \\\"tab\\\": \\\"DA42\\\" },\\r\\n\\t\\t{ \\\"Select All (Data 4.x)\\\": \\\"4.3 Data Labeling and Tagging\\\", \\\"tab\\\": \\\"DA43\\\" },\\r\\n\\t\\t{ \\\"Select All (Data 4.x)\\\": \\\"4.4 Data Monitoring and Sensing\\\", \\\"tab\\\": \\\"DA44\\\" },\\r\\n\\t\\t{ \\\"Select All (Data 4.x)\\\": \\\"4.5 Data Encryption & Rights Management\\\", \\\"tab\\\": \\\"DA45\\\" },\\r\\n\\t\\t{ \\\"Select All (Data 4.x)\\\": \\\"4.6 Data Loss Prevention (DLP)\\\", \\\"tab\\\": \\\"DA46\\\" },\\r\\n\\t\\t{ \\\"Select All (Data 4.x)\\\": \\\"4.7 Data Access Control\\\", \\\"tab\\\": \\\"DA47\\\" }\\r\\n\\t\\t]\",\"transformers\":null}", + "size": 3, + "exportMultipleValues": true, + 
"exportedParameters": [ + { + "fieldName": "tab", + "parameterName": "Tab", + "parameterType": 1 + } + ], + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "Select All (Data 4.x)", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + } + }, + { + "columnMatch": "tab", + "formatter": 5 + }, + { + "columnMatch": "Zero Trust", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + } + } + ] + } + }, + "customWidth": "90", + "name": "DataZT", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "42fc8445-0772-439f-b490-461fb17e5d2f", + "version": "KqlParameterItem/1.0", + "name": "isDA41Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "DA41", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "6d0940d2-e259-49de-b490-75d026dd6ad3", + "version": "KqlParameterItem/1.0", + "name": "isDA42Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "DA42", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "f727f39d-ec12-43f9-a6ed-e44515f19b66", + "version": "KqlParameterItem/1.0", + "name": "isDA43Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + 
"rightValType": "static", + "rightVal": "DA43", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "a354cdb5-4a2c-4d66-8cd9-30b0f23d8cef", + "version": "KqlParameterItem/1.0", + "name": "isDA44Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "DA44", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "bc47e30b-b2bf-4c0f-9125-94ebf62e7c92", + "version": "KqlParameterItem/1.0", + "name": "isDA45Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "DA45", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "isDA46Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "DA46", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "c59bde53-5573-4b3a-8ea5-6814faa954a7" + }, + { + "version": "KqlParameterItem/1.0", + "name": "isDA47Visible", + "type": 1, + "isHiddenWhenLocked": true, + 
"criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "DA47", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "174fa33f-5a69-46d0-9dcc-8cb1626b56ca" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "5", + "name": "DataZTParameters" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p4" + }, + "customWidth": "50", + "name": "p4-1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR4.1", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 4.1\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| Data owners ensure that data is identified and inventoried and any changes to the data landscape are automatically detected and included within the catalog. The data landscape must then be reviewed to identify potential risks related to data loss, attack, or any other unauthorized alteration and/or access. | Data owners ensure that data is identified and inventoried and any changes to the data landscape are automatically detected and included within the catalog. The data landscape must then be reviewed to identify potential risks related to data loss, attack, or any other unauthorized alteration and/or access. 
| Data assets are known and can therefore be collected, tagged, and protected according to risk levels in alignment with a prioritization framework, and encrypted for protection. |" + }, + "name": "DataCR41" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusdata41", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatedata41", + "label": "Implementation Date", + "type": 1, + "timeContext": { + "durationMs": 86400000 + }, + "value": "DueDate=2027" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesdata41", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Data1Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Purview Data Catalog | \r\n| Purview Data Map |\r\n| Microsoft Sentinel |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isDA41Visible", + "comparison": "isEqualTo", + "value": "true" + 
}, + "name": "DataCR41Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR4.2", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 4.2\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|\r\n| DoD establishes enterprise data labeling/tagging and DAAS access control/sharing policies (e.g., SDS policy) that are enforceable. Developed enterprise standards ensure an appropriate level of interoperability between DoD Organizations. | DoD establishes enterprise data labeling/tagging and DAAS access control/sharing policies (e.g., SDS policy) that are enforceable at the field level. | Decision rights and accountability framework ensure appropriate behavior in the valuation, creation,consumption, and control of data and analytics. |" + }, + "name": "DataCR42" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "f28c401d-2da4-4960-8232-f659d30252d2", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusdata42", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "a4b5ef42-9775-433e-ac25-55cc0eabd5c0", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatedata42", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": 
"KqlParameterItem/1.0", + "name": "Notesdata42", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "f06061bf-e951-4cc0-b335-c8eea6f55495", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Data42Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Purview Data Governance |\r\n| Purview Data Estate Insights |\r\n| Microsoft Defender for Cloud (MDfC) |\r\n| Microsoft Sentinel |\r\n" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isDA42Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "DataCR42Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR4.3", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 4.3\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| Data owners label and tag data in compliance with DoD enterprise governance on labeling/tagging policy. As phases advance automation is used to meet scaling demands and provide better accuracy. | Data owners label and tag data in compliance with DoD enterprise governance on labeling/tagging policy. | Establishing machine enforceable data access controls, risk assessment, and situational awareness require consistently and correctly labeled and tagged data. 
|" + }, + "name": "DataCR43" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "6d883c79-17bf-432a-8d50-cf2280380232", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusdata43", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "196b9437-34c4-4c58-9b54-81650c8e9cfa", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatedata43", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesdata43", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "15d3be75-9b31-44c4-8108-42122f1c1883", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Data43Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Purview Information Protection |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isDA43Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "DataCR43Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR4.4", + "expandable": true, + "expanded": true, + "loadType": "always", + 
"items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 4.4\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| Data owners will capture active metadata that includes information about the access, sharing,transformation, and use of their data assets. Data Loss Prevention (DLP) and Data Rights Management (DRM) enforcement point analysis is conducted to determine where tooling will be deployed. Data outside of DLP and DRM scope such as File Shares and Databases is actively monitored for anomalous and malicious activity using alternative tooling. | Data owners will capture active metadata that includes information about the access, sharing, transformation, and use of their data assets. | Data in all states are detectable and observable. |" + }, + "name": "DataCR44" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusdata44", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatedata44", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesdata44", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 
86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Data44Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Purview Data Loss Protection (DLP) | \r\n| Microsoft Defender for Cloud Apps (MDA) | \r\n| Microsoft Defender for Endpoint (MDE) |\r\n| Microsoft Sentinel |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isDA44Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "DataCR44Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR4.5", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 4.5\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations establish and implement a strategy for encrypting data at rest and in transit using Data Rights Management (DRM) tooling. The DRM solution utilizes data tags to determine protection and lastly integrates with ML and AI to automate protection. | DoD organizations establish and implement a strategy for encrypting data at rest and in transit. | Encrypting data in all states reduces the risk of unauthorized data access and improves data security. 
|" + }, + "name": "DataCR45" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusdata45", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatedata45", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesdata45", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Data45Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Purview Data Loss Protection (DLP) | \r\n| Microsoft Defender for Cloud Apps (MDA) | \r\n| Microsoft Defender for Endpoint (MDE) |\r\n" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isDA45Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "DataCR45Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": 
"editable", + "title": "CR4.6", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 4.6\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations utilize the identified enforcement points to deploy approved DLP tools and integrate tagged data attributes with DLP. Initially the DLP solution is put into a \"monitor-only\" mode to limit business impact and later using analytics is put into a \"prevent\" mode. Extended data tag attributes are used to feed the DLP solution and lastly integrate with ML and AI. | DoD organizations have identified enforcement points, deployed approved DLP tools at those enforcement points, and integrate tagged data attributes with DLP. | Data breaches and data exfiltration transmissions are detected and mitigated. |" + }, + "name": "DataCR46" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusdata46", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatedata46", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": 
"Notesdata46", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Data46Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Purview Data Loss Protection (DLP) |\r\n| Purview Information Protection |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isDA46Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "DataCR46Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR4.7", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 4.7\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations ensure appropriate access to and use of data based on the data and user/NPE/device properties. Software Defined Storage (SDS) is utilized to scale manage permissions to DAAS. Lastly the SDS solution(s) is integrated with DRM tooling improving protections. | DoD organizations ensure appropriate access to and use of data based on the data and user/NPE/device properties. | Unauthorized entities, or any entity on an unauthorized device cannot access data; Zero Trust cybersecurity will be sufficiently strong to separate community of interest data access for data in the same classification. 
|" + }, + "name": "DataCR47" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusdata47", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatedata47", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesdata47", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Data47Status" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isDA47Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "DataCR47Group" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft Defender for Cloud Apps (MDA) | \r\n| Entra ID Conditional Access (CA) | \r\n| Purview Insider Risk Management | \r\n| Purview Information Protection | \r\n| Purview Data Loss Prevention (DLP) | \r\n| Microsoft Intune |" + }, + 
"conditionalVisibility": { + "parameterName": "isDA47Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "text - 7" + } + ], + "exportParameters": true + }, + "customWidth": "100", + "name": "DataCRGroup" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p4" + }, + "customWidth": "50", + "name": "p4-2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "4.1 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 4.1 Data Catalog Risk Alignment\r\n\r\n## Microsoft Portals Department of Defense\r\n\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)
\r\nπŸ”€ [Azure Data Classification Service](https://portal.azure.us/#view/Microsoft_AAD_IAM/ManagedAppMenuBlade/~/Overview/objectId/30ea52ed-e5a7-4e51-a4ea-6c3b96a8be36/appId/7c99d979-3b9c-4342-97dd-3239678fb300)" + }, + "name": "LT-1" + } + ] + }, + "customWidth": "33", + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "

\r\n\r\n## Microsoft Portals Government\r\n\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
\r\nπŸ”€ [Azure Data Classification Service](https://portal.azure.us/#view/Microsoft_AAD_IAM/ManagedAppMenuBlade/~/Overview/objectId/30ea52ed-e5a7-4e51-a4ea-6c3b96a8be36/appId/7c99d979-3b9c-4342-97dd-3239678fb300)
" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Create a Azrure Data Catalog](https://learn.microsoft.com/azure/data-catalog/data-catalog-get-started)
\r\nπŸ’‘ [Use the Service Catalog](https://learn.microsoft.com/system-center/scsm/service-catalog?view=sc-sm-2022)
\r\nπŸ’‘ [Azure Data Catalog FAQ](https://learn.microsoft.com/azure/data-catalog/data-catalog-frequently-asked-questions)
\r\nπŸ’‘ [Establishing Sensitivity Labels](https://learn.microsoft.com/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide)
\r\nπŸ’‘ [Create and Publish Sensitivity Labels](https://learn.microsoft.com/microsoft-365/compliance/create-sensitivity-labels?view=o365-worldwide)Β 
\r\nπŸ’‘ [Get Started with Trainable Classifiers](https://learn.microsoft.com/microsoft-365/compliance/classifier-get-started-with?view=o365-worldwide)Β 
\r\nπŸ’‘ [Set up Azure Rights Management](https://learn.microsoft.com/azure/information-protection/what-is-azure-rms)
\r\nπŸ’‘ [Deploy Azure Information Protection](https://learn.microsoft.com/azure/information-protection/aip-classification-and-protection)
\r\nπŸ’‘ [Sentinel Data Connectors](https://learn.microsoft.com/azure/sentinel/connect-data-sources)
\r\nπŸ’‘ [Discover Data & Apply Sensitivity Labels Automatically](https://learn.microsoft.com/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide)
\r\n\r\n\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "9dd762f8-8594-432f-b1dc-9561e0b799c6", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 7776000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + } + }, + { + "id": "b3974da2-c8c3-4023-a7c4-a904f2daa904", + "version": "KqlParameterItem/1.0", + "name": "Workload", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "OfficeActivity\r\n| summarize Count= count() by OfficeWorkload\r\n| extend label = strcat(OfficeWorkload, \" - \", Count)\r\n| project OfficeWorkload, label", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*" + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "b6db911d-6ecb-4a4f-812f-db1b1063813f", + "version": "KqlParameterItem/1.0", + "name": "UserType", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "OfficeActivity\r\n| summarize Count= count() 
by UserType\r\n| extend label = strcat(UserType, \" - \", Count)\r\n| project UserType, label", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*" + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "OfficeActivity\r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| summarize Update = countif(Operation contains 'update'), Create = countif(Operation contains 'create'), Delete = countif(Operation contains 'delete'), Add = countif(Operation contains 'add') by bin_at(TimeGenerated, 1d, now())", + "size": 0, + "title": "Data Catalog Update, create, add, and delete activities", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart" + }, + "customWidth": "50", + "name": "activities over time per week" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isDA41Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "4.1Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "4.2 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 4.2 Enterprise Data Governance\r\n\r\n## Microsoft Portals Department of Defense\r\n\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n\r\n## Microsoft Portals Government\r\n\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\r\n" + }, + "customWidth": "33", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [Implement Microsoft Purview - IRM & Compliance - DoD Deployments](https://learn.microsoft.com/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/plan-for-microsoft-purview-dod-deployments)
\r\nπŸ’‘ [Implement a Data Governance Maturity Model Framework](https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/govern)
\r\nπŸ’‘ [Deploy Azure Data Governance](https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/govern)
\r\nπŸ’‘ [Leverage Microsoft Defender for For Cloud Goverance Rules](https://learn.microsoft.com/azure/defender-for-cloud/governance-rules)
\r\nπŸ’‘ [Implement Purview Data Governance](https://learn.microsoft.com/purview/?view=o365-worldwide)
\r\nπŸ’‘ [Purview Data Lineage Machine Learning](https://learn.microsoft.com/samples/microsoft/purview-machine-learning-lineage-solution-accelerator/purview-machine-learning-lineage-solution-accelerator/)Β 
\r\nπŸ’‘ [Get Started with Trainable Classifiers](https://learn.microsoft.com/microsoft-365/compliance/classifier-get-started-with?view=o365-worldwide)Β 
\r\nπŸ’‘ [Azure Collaboration Governance](https://learn.microsoft.com/microsoft-365/solutions/collaboration-governance-overview?view=o365-worldwide)
\r\nπŸ’‘ [Deploy Azure Information Protection](https://learn.microsoft.com/azure/information-protection/aip-classification-and-protection)
\r\nπŸ’‘ [Configure Sentinel Data Connectors](https://learn.microsoft.com/azure/sentinel/connect-data-sources)
\r\nπŸ’‘ [Monitor Your SQL Deployments](https://learn.microsoft.com/azure/azure-sql/database/sql-insights-overview?view=azuresql)
\r\nπŸ’‘ [Apply Sensitivity Labels Automatically](https://learn.microsoft.com/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide)
\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 2" + } + ] + }, + "customWidth": "100", + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 1, + "content": { + "json": "## Data Activity By Workload" + }, + "name": "text - 4" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "9dd762f8-8594-432f-b1dc-9561e0b799c6", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 7776000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + } + }, + { + "id": "b3974da2-c8c3-4023-a7c4-a904f2daa904", + "version": "KqlParameterItem/1.0", + "name": "Workload", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "OfficeActivity\r\n| summarize Count= count() by OfficeWorkload\r\n| extend label = strcat(OfficeWorkload, \" - \", Count)\r\n| project OfficeWorkload, label", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*" + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "b6db911d-6ecb-4a4f-812f-db1b1063813f", + "version": "KqlParameterItem/1.0", + "name": 
"UserType", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "OfficeActivity\r\n| summarize Count= count() by UserType\r\n| extend label = strcat(UserType, \" - \", Count)\r\n| project UserType, label", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*" + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "OfficeActivity\r\n| where \"*\" in ({Workload}) or OfficeWorkload in ({Workload}) \r\n| where \"*\" in ({UserType}) or UserType in ({UserType})\r\n| summarize count() by OfficeWorkload, bin_at(TimeGenerated, 1h, now())", + "size": 0, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart" + }, + "customWidth": "50", + "name": "office activity by workload" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isDA42Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "4.2Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "4.3 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 4.3 Data Labeling & Tagging \r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
" + }, + "customWidth": "33", + "name": "text - 0" + }, + { + "type": 1, + "content": { + "json": "

\r\n\r\n## Microsoft Portals Government\r\n\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
\r\nπŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
" + }, + "customWidth": "33", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Create Sensitivity Labels](https://learn.microsoft.com/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide)
\r\nπŸ’‘ [Create and Publish Sensitivity Labels](https://learn.microsoft.com/microsoft-365/compliance/create-sensitivity-labels?view=o365-worldwide)Β 
\r\nπŸ’‘ [Deploy with Trainable Classifiers](https://learn.microsoft.com/microsoft-365/compliance/classifier-get-started-with?view=o365-worldwide)Β 
\r\nπŸ’‘ [Utilize Rights Management](https://learn.microsoft.com/azure/information-protection/what-is-azure-rms)
\r\nπŸ’‘ [Deploy Azure Information Protection](https://learn.microsoft.com/azure/information-protection/aip-classification-and-protection)
\r\nπŸ’‘ [Apply Sensitivity Labels Automatically](https://learn.microsoft.com/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide)
\r\nπŸ’‘ [Use the Service Catalog](https://learn.microsoft.com/system-center/scsm/service-catalog?view=sc-sm-2022)
\r\n" + }, + "customWidth": "33", + "name": "text - 2" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Logs = InformationProtectionLogs_CL | extend MachineName_s = columnifexists(\"MachineName_s\",\"\"), ObjectId_s = columnifexists(\"ObjectId_s\",\"\"), Activity_s = columnifexists(\"Activity_s\",\"\"), LabelId_g = columnifexists(\"LabelId_g\",\"\"), Protected_b = columnifexists(\"Protected_b\",false);\r\nlet minTime = toscalar(Logs | where isnotempty(MachineName_s) | summarize min(TimeGenerated));\r\nlet dates = range [\"date\"] from bin(minTime, {TimeRange:grain}) to now() step {TimeRange:grain};\r\nLogs\r\n| where isnotempty(MachineName_s)\r\n| summarize labels=countif(isnotempty(ObjectId_s) and Activity_s in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\") and isnotempty(LabelId_g)),\r\nprotected=countif(isnotempty(ObjectId_s) and Activity_s in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\") and Protected_b) by bin(TimeGenerated, {TimeRange:grain})\r\n| join kind= rightouter (\r\n dates\r\n)\r\non $left.TimeGenerated == $right.[\"date\"]\r\n| project [\"date\"], Labels = coalesce(labels, 0), [\"Protected Labels\"] = coalesce(protected, 0)", + "size": 0, + "title": "Label and protect activity", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "linechart" + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Logs = InformationProtectionLogs_CL | extend MachineName_s = columnifexists(\"MachineName_s\",\"\"), UserId_s = columnifexists(\"UserId_s\",\"\");\r\nlet minTime = toscalar(Logs | where 
isnotempty(MachineName_s) | summarize min(TimeGenerated));\r\nlet dates = range [\"date\"] from bin(minTime, {TimeRange:grain}) to now() step {TimeRange:grain};\r\nLogs\r\n| where isnotempty(MachineName_s)\r\n| summarize users=dcount(UserId_s), devices = dcount(MachineName_s) by bin(TimeGenerated, {TimeRange:grain})\r\n| join kind= rightouter\r\n(\r\n dates\r\n)\r\non $left.TimeGenerated == $right.[\"date\"]\r\n| project [\"date\"], users = coalesce(users, 0), devices = coalesce(devices, 0)\r\n\r\n", + "size": 0, + "title": "Users and devices", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "linechart" + }, + "customWidth": "50", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Logs = InformationProtectionLogs_CL | extend LabelName_s = columnifexists(\"LabelName_s\",\"\"), LabelId_g = columnifexists(\"LabelId_g\",\"\"), ObjectId_s = columnifexists(\"ObjectId_s\",\"\"), Activity_s = columnifexists(\"Activity_s\",\"\");\r\nLogs\r\n| where isnotempty(LabelId_g)\r\n| where isnotempty(ObjectId_s)\r\n| where Activity_s in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\")\r\n| summarize value=count() by LabelName_s\r\n| order by value\r\n", + "size": 0, + "title": "Labels", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "50", + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Logs = InformationProtectionLogs_CL | extend ApplicationName_s = columnifexists(\"ApplicationName_s\",\"\"), LabelId_g = columnifexists(\"LabelId_g\",\"\"), ObjectId_s = columnifexists(\"ObjectId_s\",\"\"), Activity_s = columnifexists(\"Activity_s\",\"\");\r\nLogs\r\n| where isnotempty(LabelId_g)\r\n| where 
isnotempty(ObjectId_s)\r\n| where Activity_s in (\"NewLabel\", \"UpgradeLabel\", \"DowngradeLabel\", \"RemoveProtection\", \"NewProtection\", \"ChangeProtection\")\r\n| summarize value=count() by ApplicationName_s\r\n| order by value\r\n", + "size": 0, + "title": "Labels by application", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "50", + "name": "query - 5" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isDA43Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "4.3Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "4.4 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 4.4 Data Monitoring & Sensing \r\n\r\n## Microsoft Portals Department of Defense\r\n\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)
\r\nπŸ”€ [Azure Monitor Control Service](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/512ba5b8-8ced-42b9-8a94-c93befaf66a1/appId/e933bd07-d2ee-4f1d-933c-3752b819567b)" + }, + "customWidth": "33", + "name": "text - 0" + }, + { + "type": 1, + "content": { + "json": "

\r\n\r\n## Microsoft Portals Government\r\n\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
\r\nπŸ”€ [Azure Monitor Control Service](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/512ba5b8-8ced-42b9-8a94-c93befaf66a1/appId/e933bd07-d2ee-4f1d-933c-3752b819567b)
" + }, + "customWidth": "33", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Leverage Data Monitoring & Self Healing](https://learn.microsoft.com/compliance/assurance/assurance-monitoring-and-self-healing)
\r\nπŸ’‘ [Deploy Microsoft 365 Monitorning](https://learn.microsoft.com/microsoft-365/enterprise/microsoft-365-monitoring?view=o365-worldwide)
\r\nπŸ’‘ [Senitnel Data Collection Best Practices](https://learn.microsoft.com/azure/sentinel/best-practices-data)Β 
\r\nπŸ’‘ [Deploy Microsoft Purview](https://learn.microsoft.com/purview/purview)Β 
\r\nπŸ’‘ [Utilze Azure Rights Management](https://learn.microsoft.com/azure/information-protection/what-is-azure-rms)
\r\nπŸ’‘ [Configure Azure Information Protection](https://learn.microsoft.com/azure/information-protection/aip-classification-and-protection)
\r\nπŸ’‘ [Configure Sentinel Data Connectors](https://learn.microsoft.com/azure/sentinel/connect-data-sources)
\r\nπŸ’‘ [Monitor Your SQL Deployments](https://learn.microsoft.com/azure/azure-sql/database/sql-insights-overview?view=azuresql)
\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 2" + } + ] + }, + "customWidth": "100", + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 1, + "content": { + "json": "# ** Data Sources Available in Current Microsoft Sentinel **" + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Usage \r\n| summarize SizeinMB = round(sum(Quantity),2) by DataType \r\n| sort by SizeinMB desc", + "size": 0, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar" + }, + "name": "query - 4" + }, + { + "type": 1, + "content": { + "json": "## Security Incidents: Sensitive Data" + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityIncident\r\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\r\n| where Title contains \"data\" or Title contains \"access\" or Title contains \"sensitive\" or Tactics == \"exfiltration\"\r\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\r\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\r\n| extend SeverityRank=iff(Severity == \"High\", 3, iff(Severity == \"Medium\", 2, iff(Severity == \"Low\", 1, iff(Severity == \"Informational\", 0, 0))))\r\n| sort by SeverityRank, TimeGenerated desc\r\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "noDataMessage": "No Incidents Observed For This Technique Within These Thresholds", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + 
"gridSettings": { + "formatters": [ + { + "columnMatch": "Incident Name", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "Alert", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "Sev0", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "Sev1", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "Sev2", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "Sev3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "OpenBlade", + "linkLabel": "Incident >>", + "bladeOpenContext": { + "bladeName": "CaseBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "id", + "source": "column", + "value": "IncidentBlade" + } + ] + } + } + }, + { + "columnMatch": "IncidentBlade", + "formatter": 5 + } + ], + "filter": true + }, + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "Failed", + "color": "redBright" + }, + { + "seriesName": "Passed", + "color": "green" + } + ] + } + }, + "customWidth": "100", + "name": "query - 3" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isDA44Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "4.4Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "4.5 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 1, + "content": { + "json": "# 4.5 Data Encryption & Rights Management\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Azure 
Encryption](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/21426118-88fd-4b5e-b106-3bd5f098f31a/appId/dbc36ae1-c097-4df9-8d94-343c3d091a76)
\r\nπŸ”€ [Azure Rights Management Service](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/5f0c1df8-5bab-4fb3-b1a5-19bdba46c704/appId/00000012-0000-0000-c000-000000000000)
\r\nπŸ”€ [M365 Data At Rest Encryption](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/882ab41e-90f7-4f4e-8b24-3503495a83e6/appId/c066d759-24ae-40e7-a56f-027002b5d3e4)
\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)" + }, + "customWidth": "33", + "name": "text - 0" + }, + { + "type": 1, + "content": { + "json": "

\r\n\r\n## Microsoft Portals Government\r\n\r\nπŸ”€ [Azure Encryption](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/21426118-88fd-4b5e-b106-3bd5f098f31a/appId/dbc36ae1-c097-4df9-8d94-343c3d091a76)
\r\nπŸ”€ [Azure Rights Management Service](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/5f0c1df8-5bab-4fb3-b1a5-19bdba46c704/appId/00000012-0000-0000-c000-000000000000)
\r\nπŸ”€ [M365 Data At Rest Encryption](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/882ab41e-90f7-4f4e-8b24-3503495a83e6/appId/c066d759-24ae-40e7-a56f-027002b5d3e4)
\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
" + }, + "customWidth": "33", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [Utilize Azure Encrption](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview)
\r\nπŸ’‘ [Deploy Azure Rights Management](https://learn.microsoft.com/azure/information-protection/what-is-azure-rms)
\r\nπŸ’‘ [Deploy Purview Information Protection](https://learn.microsoft.com/purview/information-protection)
\r\nπŸ’‘ [Configure Dynamic Key & Encrption Delivery](https://learn.microsoft.com/azure/media-services/latest/drm-content-protection-concept)Β 
\r\nπŸ’‘ [Deploy Azure Information Protection](https://learn.microsoft.com/azure/information-protection/aip-classification-and-protection)
\r\n\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Resources\r\n| where type == \"microsoft.compute/disks\"\r\n| project diskName=name, diskSizeGB=properties.diskSizeGB, diskSKU=sku.name, encryptionType=properties.encryption.type, diskState=properties.diskState\r\n| limit 250", + "size": 0, + "title": "Azure Data Disks (w/Encryption types)", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "100", + "name": "query - 5" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isDA45Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "4.5Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "4.6 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 1, + "content": { + "json": "# 4.6 Data Loss and Prevention (DLP)\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [Endpoint DLP](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/780e77f3-df11-4525-b201-973a1b691cab/appId/c98e5057-edde-4666-b301-186a01b4dc58)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
\r\nπŸ”€ [Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)" + }, + "customWidth": "33", + "name": "text - 0" + }, + { + "type": 1, + "content": { + "json": "

\r\n\r\n## Microsoft Portals Government\r\n\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [Endpoint DLP](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/780e77f3-df11-4525-b201-973a1b691cab/appId/c98e5057-edde-4666-b301-186a01b4dc58)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
\r\nπŸ”€ [Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
" + }, + "customWidth": "33", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Implement Data Loss & Prevention (DLP)](https://learn.microsoft.com/purview/dlp-learn-about-dlp)
\r\nπŸ’‘ [Informaiton Protection & Data Loss and Prevention- GITHUB LAB](https://microsoft.github.io/ComplianceCxE/dag/mip-dlp/)
\r\nπŸ’‘ [Deploy Adaptive Protection- Data Loss & Protections](https://learn.microsoft.com/purview/dlp-adaptive-protection-learn)
\r\nπŸ’‘ [Apply Rules for DLP Exchange Online](https://learn.microsoft.com/exchange/security-and-compliance/data-loss-prevention/dlp-rule-application)
\r\nπŸ’‘ [Utilize Trainable Classifiers](https://learn.microsoft.com/microsoft-365/compliance/classifier-get-started-with?view=o365-worldwide)Β 
\r\nπŸ’‘ [Deploy Azure Information Protection](https://learn.microsoft.com/azure/information-protection/aip-classification-and-protection)
\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityIncident\r\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\r\n| where Description contains \"data\" or Title contains \"data\" or Description contains \"loss\" or Title contains \"loss\" or Description contains \"exfil\" or Title contains \"exfil\" or Tactics contains \"exfil\"\r\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\r\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\r\n| extend SeverityRank=iff(Severity == \"High\", 3, iff(Severity == \"Medium\", 2, iff(Severity == \"Low\", 1, iff(Severity == \"Informational\", 0, 0))))\r\n| sort by SeverityRank, TimeGenerated desc\r\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Data Loss & Preventtion Security Incidents", + "noDataMessage": "No Incidents Observed For This Technique Within These Thresholds", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Incident Name", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "Alert", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "Sev0", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + 
"representation": "Sev1", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "Sev2", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "Sev3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "OpenBlade", + "linkLabel": "Incident >>", + "bladeOpenContext": { + "bladeName": "CaseBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "id", + "source": "column", + "value": "IncidentBlade" + } + ] + } + } + }, + { + "columnMatch": "IncidentBlade", + "formatter": 5 + } + ], + "filter": true + } + }, + "customWidth": "100", + "name": "query - 3" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isDA46Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "4.6Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "4.7 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 1, + "content": { + "json": "# 4.7 Data Access & Control\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [Entra ID Privileged Identity Management](https://portal.azure.us/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade)
\r\nπŸ”€ [Entra ID Conditional Access](https://portal.azure.us/#blade/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade)
\r\nπŸ”€ [Azure Internal Access Scope Portal](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/a0779651-4c07-4392-a11f-a1694cb497b1/appId/c29427db-9ecc-4750-ad93-d256863f2e37)
\r\nπŸ”€ [Virtual Network Terminal Access Points](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.network%2Fvirtualnetworktaps)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
\r\nπŸ”€ [Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)
\r\nπŸ”€ [Azure Data Explorer](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Kusto%2Fclusters)" + }, + "customWidth": "33", + "name": "text - 0" + }, + { + "type": 1, + "content": { + "json": "

\r\n\r\n## Microsoft Portals Government\r\n\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [Entra ID Privileged Identity Management](https://portal.azure.us/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade)
\r\nπŸ”€ [Entra ID Conditional Access](https://portal.azure.us/#blade/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade)
\r\nπŸ”€ [Azure Internal Access Scope Portal](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/a0779651-4c07-4392-a11f-a1694cb497b1/appId/c29427db-9ecc-4750-ad93-d256863f2e37)
\r\nπŸ”€ [Virtual Network Terminal Access Points](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.network%2Fvirtualnetworktaps)
\r\nπŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
\r\nπŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
\r\nπŸ”€ [Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
\r\nπŸ”€ [Azure Data Explorer](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Kusto%2Fclusters)
" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Configure Conditional Access in Azure Active Directory](https://learn.microsoft.com/azure/active-directory/conditional-access/overview)
\r\nπŸ’‘ [Use Conditional Access Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/conditional-access)
\r\nπŸ’‘ [Use Conditional Access APIs](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-apis)
\r\nπŸ’‘ [Deploy Conditional Access Policies](https://learn.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access#deploy-conditional-access-policies)Β 
\r\nπŸ’‘ [Use Conditional Access With Data Explorer](https://learn.microsoft.com/azure/data-explorer/security-conditional-access)
\r\nπŸ’‘ [Deploy Common Conditional Access Policies](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation)
\r\nπŸ’‘ [Build Conditional Access](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policies)
\r\n\r\n" + }, + "customWidth": "33", + "name": "text - 4" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 3" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "d1983eba-6224-4c08-b792-4910eff535ad", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "description": "Select the time range that will be used for the query's", + "value": { + "durationMs": 604800000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where ResultType == 0 and AppDisplayName != \"\"\r\n| summarize count() by AppDisplayName\r\n| join (\r\nSigninLogs\r\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, 4h) by AppDisplayName \r\n) on AppDisplayName\r\n| top 10 by count_ desc", + "size": 4, + "title": "Successful Loggins By Application", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "AppDisplayName", + "formatter": 1, + "formatOptions": { + "showIcon": true + } + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto", + "showIcon": true + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + 
}, + "secondaryContent": { + "columnMatch": "TrendList", + "formatter": 9, + "formatOptions": { + "showIcon": true + } + }, + "showBorder": false + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AppDisplayName", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "name": "query - 14" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\n| extend ResultText = case(isnotempty(ResultDescription), ResultDescription, ResultType == 0 and isempty(ResultDescription), \"successful login\", \"unknown\") // Create readable result text to include succesfull logins\n| summarize dcount(CorrelationId) by ResultText // Signin results by unique CorrelationId\n| render piechart", + "size": 0, + "title": "Login events by result", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "ResultText", + "exportParameterName": "Selected_ResultText", + "exportDefaultValue": "", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "chartSettings": { + "group": "ResultText", + "createOtherGroup": null, + "seriesLabelSettings": [ + { + "seriesName": "successful login", + "color": "green" + } + ], + "ySettings": { + "unit": 17, + "min": null, + "max": null + } + } + }, + "customWidth": "33", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\n| extend ResultText = case(isnotempty(ResultDescription), ResultDescription, ResultType == 0 and isempty(ResultDescription), \"successful login\", \"unknown\")\n| summarize dcount(CorrelationId) by ResultText, bin(TimeGenerated,4h) // summarize the total Signin events per Description per hour (by unique CorrelationId's)", + "size": 0, + "title": "Count of login types per 4 hours", + "timeContextFromParameter": "TimeRange", + 
"queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "ResultText", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "dcount_CorrelationId", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "33", + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\n| where isnotempty(LocationDetails['countryOrRegion']) and ResultType == 0// Where location details are available and login is successful\n| extend city = tostring(LocationDetails['city'])\n| summarize count() by city, Location // Summarize by city name\n| join (\nSigninLogs\n| extend city = tostring(LocationDetails['city'])\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by city \n) on city\n| project Location, city, [\"Total events\"] = count_, TrendLine = TrendList\n| top 10 by [\"Total events\"] desc", + "size": 0, + "title": "successful login locations", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Total events", + "formatter": 4, + "formatOptions": { + "palette": "blue", + "showIcon": true + } + }, + { + "columnMatch": "TrendLine", + "formatter": 9, + "formatOptions": { + "palette": "greenRed", + "showIcon": true + } + }, + { + "columnMatch": "Events", + "formatter": 4, + "formatOptions": { + "palette": "blue", + "showIcon": true + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "id", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + } 
+ ], + "hierarchySettings": { + "idColumn": "city", + "parentColumn": "Location", + "treeType": 0, + "expanderColumn": "city", + "expandTopLevel": false + } + }, + "sortBy": [], + "tileSettings": { + "titleContent": { + "columnMatch": "city", + "formatter": 1, + "formatOptions": { + "showIcon": true + } + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto", + "showIcon": true + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Events", + "formatter": 9, + "formatOptions": { + "showIcon": true + } + }, + "showBorder": false + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "LocationDetails", + "formatter": 1, + "formatOptions": { + "showIcon": true + } + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "formatOptions": { + "showIcon": true + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "nodeIdField": "count_", + "sourceIdField": "Location", + "targetIdField": "city", + "nodeSize": null, + "staticNodeSize": 100, + "colorSettings": null, + "hivesMargin": 5 + }, + "mapSettings": { + "locInfo": "LatLong", + "locInfoColumn": "GeoSelection", + "latitude": "latitude", + "longitude": "longitude", + "sizeSettings": "count_", + "sizeAggregation": "Sum", + "defaultSize": 0, + "labelSettings": "locationInfo", + "legendMetric": "count_", + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "count_", + "colorAggregation": "Sum", + "type": "heatmap", + "heatmapPalette": "redGreen" + } + } + }, + "customWidth": "33", + "name": "query - 7" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isDA47Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "4.7Activities", + "styleSettings": { + "showBorder": true + } 
+ } + ] + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p4" + }, + "name": "P4Activities" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n\\t\\t{ \\\"Select All (Network & Environment 5.x)\\\": \\\"5.1 Data Flow Mapping\\\", \\\"tab\\\": \\\"NE51\\\" },\\r\\n\\t\\t{ \\\"Select All (Network & Environment 5.x)\\\": \\\"5.2 Software Defined Networking (SDN)\\\", \\\"tab\\\": \\\"NE52\\\" },\\r\\n\\t\\t{ \\\"Select All (Network & Environment 5.x)\\\": \\\"5.3 Macro Segmentation\\\", \\\"tab\\\": \\\"NE53\\\" },\\r\\n\\t\\t{ \\\"Select All (Network & Environment 5.x)\\\": \\\"5.4 Micro Segmentation\\\", \\\"tab\\\": \\\"NE54\\\" }\\r\\n\\t\\t]\",\"transformers\":null}", + "size": 3, + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "tab", + "parameterName": "Tab", + "parameterType": 1 + } + ], + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "Select All (Network & Environment 5.x)", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + } + }, + { + "columnMatch": "tab", + "formatter": 5 + }, + { + "columnMatch": "Zero Trust", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + } + } + ] + } + }, + "customWidth": "90", + "name": "NetworkZT", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "42fc8445-0772-439f-b490-461fb17e5d2f", + "version": "KqlParameterItem/1.0", + "name": "isNE51Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "NE51", + "resultValType": "static", + "resultVal": "true" + } + }, 
+ { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "6d0940d2-e259-49de-b490-75d026dd6ad3", + "version": "KqlParameterItem/1.0", + "name": "isNE52Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "NE52", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "f727f39d-ec12-43f9-a6ed-e44515f19b66", + "version": "KqlParameterItem/1.0", + "name": "isNE53Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "NE53", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "a354cdb5-4a2c-4d66-8cd9-30b0f23d8cef", + "version": "KqlParameterItem/1.0", + "name": "isNE54Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "NE54", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "5", + "name": "NetworkZTParameters" + } + ], + "exportParameters": true + }, + 
"conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p5" + }, + "customWidth": "50", + "name": "p5-1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR5.1", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 5.1\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations reconcile data flows by gathering, mapping, and visualizing network traffic data flows and patterns to ensure authorized access and protection for network and DAAS resources specifically tagging programmatic (e.g., API) access when possible. | DoD organizations reconcile data flows by gathering, mapping, and visualizing network traffic data flows and patterns to ensure authorized access and protection for network and DAAS resources. | Sets the foundation for network segmentation and tighter access control by understanding data traffic on the network. 
|" + }, + "name": "NeworkCR51" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusnet51", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatenet51", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf", + "version": "KqlParameterItem/1.0", + "name": "Notesnet51", + "label": "Notes", + "type": 1, + "timeContext": { + "durationMs": 86400000 + }, + "value": "Enter Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Network51Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Azure Monitor Net Insights | \r\n| Network Watcher | \r\n| Microsoft Defender for Endpoint (MDE) |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isNE51Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "NetworkCR51Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR5.2", 
+ "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 5.2\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|\r\n| DoD organizations define API decision points and implement SDN programmable infrastructure to separate the control and data planes and centrally manage and control the elements in the data plane. Integrations are conducted with decision points and segmentation gateway to accomplish the plane separation. Analytics are then integrated to real time decision making for access to resources. | DoD organizations define API decision points and implement SDN programmable infrastructure to separate the control and data planes and centrally manage and control the elements in the data plane. | Enables the control of packets to a centralized server, provides additional visibility into the network, and enables integration requirements. |" + }, + "name": "NetworkCR52" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "f28c401d-2da4-4960-8232-f659d30252d2", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusnet52", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "a4b5ef42-9775-433e-ac25-55cc0eabd5c0", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatenet52", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + 
"durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesnet52", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "f06061bf-e951-4cc0-b335-c8eea6f55495", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Network52Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Secure Access Service Edge (SASE)| \r\n| Microsoft Network Secuirty Groups (NSG) | \r\n| Entra ID App Proxy |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isNE52Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "NetworkCR52Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR5.3", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 5.3\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations establish network boundaries and provide security against networked assets located within an environment by validating the device, user, or NPE on each attempt of accessing a remote resource prior to connection. | DoD organizations establish network perimeters and provide security against devices located within an environment by validating the device, user, or NPE on each attempt of accessing a remote resource prior to connection. | Network segmentation is defined by a large perimeter to enable resource segmentation by function and user type. 
|" + }, + "name": "NetworkCR53" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "6d883c79-17bf-432a-8d50-cf2280380232", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusnet53", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "196b9437-34c4-4c58-9b54-81650c8e9cfa", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatenet53", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesnet53", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "15d3be75-9b31-44c4-8108-42122f1c1883", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Network53Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Azure Subscription | \r\n| Azure VNet(s) | \r\n| Azure VNet Manager | \r\n| Network Security Groups (NSG) | \r\n| Azure Firewall | " + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isNE53Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "NetworkCR53Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + 
"groupType": "editable", + "title": "CR5.4", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 5.4\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations define and document network segmentation based on identity and/or application access in their virtualized and/or cloud environments. Automation is used to apply policy changes through programmatic (e.g., API) approaches. Lastly where possible organizations will utilize host-level process micro segmentation. | DoD organizations define and document network segmentation based on identity and/or application access in their virtualized cloud environments. | Network segmentation enabled by narrower and specific segmentation in a virtualized environment via identity and / or application access, allowing for improved protection of data in transit as it crosses system boundaries (e.g., in a coalition environment, system high boundaries) and supported dynamic, real-time access decisions and policy changes. 
|" + }, + "name": "NetworkCR54" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusnet54", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatenet54", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesnet54", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Network54Status" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isNE54Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "NetworkCR54Group" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Azure Security Groups (ASG) | \r\n| Entra ID App Proxy | \r\n| Microsoft Tunnel |" + }, + "conditionalVisibility": { + "parameterName": "isNE54Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "text - 4" + } + ], + 
"exportParameters": true + }, + "name": "NetworkCRGroup" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p5" + }, + "customWidth": "50", + "name": "p5-2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "5.1 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 5.1 Data Flow Mapping\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Network Security Perimeters](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FnetworkSecurityPerimeters)
\r\nπŸ”€ [Network Interfaces](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2Fnetworkinterfaces)
\r\nπŸ”€ [Azure Network Watcher](https://portal.azure.us/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview)
\r\nπŸ”€ [Azure Firewall](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FazureFirewalls)
\r\nπŸ”€ [Web Application Firewall](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\r\nπŸ”€ [DDoS Protection Plans](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\r\nπŸ”€ [Firewall Manager](https://portal.azure.us/#view/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/~/firewallManagerOverview)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)\r\n" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Network Security Perimeters](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FnetworkSecurityPerimeters)
\r\nπŸ”€ [Network Interfaces](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2Fnetworkinterfaces)
\r\nπŸ”€ [Azure Network Watcher](https://portal.azure.us/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview)
\r\nπŸ”€ [Azure Firewall](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FazureFirewalls)
\r\nπŸ”€ [Web Application Firewall](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\r\nπŸ”€ [DDoS Protection Plans](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\r\nπŸ”€ [Firewall Manager](https://portal.azure.us/#view/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/~/firewallManagerOverview)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)\r\n\r\n\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Use Data Flow Mapping Power Platform](https://learn.microsoft.com/power-query/dataflows/create-use)
\r\nπŸ’‘ [User Azure Network Traffic Analytics](https://learn.microsoft.com/azure/network-watcher/traffic-analytics)
\r\nπŸ’‘ [Azure Blue Print ](https://learn.microsoft.com/azure/governance/blueprints/overview)
\r\nπŸ’‘ [Leverage Azure Data Visualization with Data Explorer](https://learn.microsoft.com/azure/data-explorer/viz-overview)
\r\nπŸ’‘ [Use Power Automate for Event Tagging](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/api-microsoft-flow?view=o365-worldwide)
\r\nπŸ’‘ [Secure & Govern Workloads with Network-level Segmentation](https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/network-level-segmentation)
\r\nπŸ’‘ [Deploy Software Defined Netoworking](https://learn.microsoft.com/azure-stack/hci/concepts/plan-software-defined-networking-infrastructure)
\r\nπŸ’‘ [Manage Software Defined Netoworking](https://learn.microsoft.com/windows-server/networking/sdn/manage/manage-sdn)
\r\nπŸ’‘ [Key Components of Software Defined Networking Data Sheet](https://learn.microsoft.com/windows-server/networking/sdn/technologies/Software-Defined-Networking-Technologies)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "securityresources\r\n| where type =~ \"microsoft.security/assessments\" and properties.status.code =~ \"Unhealthy\"\r\n| extend firstEvaluationDate = todatetime(properties.status.firstEvaluationDate), statusChangeDate = todatetime(properties.status.statusChangeDate), severityFilter = tostring(\"high, medium, low\"), severity = tostring(properties.metadata.severity), environmentFilter = tostring(\"azure, aws, gcp\")\r\n| project subscriptionId, resourceGroup,\r\n resourceId = properties.resourceDetails.Id,\r\n source = tostring(properties.resourceDetails.Source),\r\n displayName = properties.displayName, \r\n statusCode = properties.status.code,\r\n severity, severityFilter, environmentFilter,\r\n statusChangeDate, firstEvaluationDate,\r\n overduePeriod = datetime_diff(\"day\", now(), statusChangeDate)\r\n| where severityFilter has severity and environmentFilter has source\r\n| where displayName contains 'network'", + "size": 0, + "showAnalytics": true, + "title": "Defender for Cloud Network Traffic Recommendations", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "value::all" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "subscriptionId", + "formatter": 15, + "formatOptions": { + "linkTarget": null, + "showIcon": true + } + }, + { + "columnMatch": "severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange" + }, + { + "operator": "==", + "thresholdValue": "Low", + 
"representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "gray", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "severityFilter", + "formatter": 5 + }, + { + "columnMatch": "environmentFilter", + "formatter": 5 + }, + { + "columnMatch": "firstEvaluationDate", + "formatter": 5 + } + ] + } + }, + "showPin": true, + "name": "Defender for Cloud Network Recommendations" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources\r\n| where type contains \"gate\" or type contains \"bastion\" or type contains \"route\" or type contains \"privateend\"\r\n| project id,type,location,resourceGroup\r\n| order by location asc", + "size": 0, + "showAnalytics": true, + "title": "VPN Assets", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
", + "showExportToExcel": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "filter": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "isEnterpriseVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "query - 1" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isNE51Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "5.1Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "5.2 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 5.2 Software Defined Networking (SDN)\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Manage Virtual Network](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\r\nπŸ”€ [Network Security Groups](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\nπŸ”€ [Network Managers](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FnetworkManagers)
\r\nπŸ”€ [Network Watcher](https://portal.azure.us/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview)
\r\nπŸ”€ [Network Security Perimeters](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FnetworkSecurityPerimeters)\r\n
πŸ”€ [Entra App Proxy](https://portal.azure.us/#view/Microsoft_AAD_IAM/AppProxyOverviewBlade)" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\n\r\n\r\nπŸ”€ [Manage Virtual Network](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\r\nπŸ”€ [Network Security Groups](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\nπŸ”€ [Network Managers](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FnetworkManagers)
\r\nπŸ”€ [Network Watcher](https://portal.azure.us/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview)
\r\nπŸ”€ [Network Security Perimeters](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FnetworkSecurityPerimeters)
\r\nπŸ”€ [Entra App Proxy](https://portal.azure.us/#view/Microsoft_AAD_IAM/AppProxyOverviewBlade)\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Use Secure Access Service Edge SASE - Software Defined Networking Zero Trust](https://www.microsoft.com/security/business/security-101/what-is-sase)
\r\nπŸ’‘ [Software Defined Network Monitoring using Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/software-defined-monitoring-using-automated-notebooks-and-azure/ba-p/2587775)
\r\nπŸ’‘ [Plan Software Defined Netoworking](https://learn.microsoft.com/azure-stack/hci/concepts/plan-software-defined-networking-infrastructure)
\r\nπŸ’‘ [Implementing Software Defined Networking](https://learn.microsoft.com/windows-server/networking/sdn/)
\r\nπŸ’‘ [Manage Software Detined Netoworking](https://learn.microsoft.com/windows-server/networking/sdn/manage/manage-sdn)
\r\nπŸ’‘ [Deploy Software Defined Networking](https://learn.microsoft.com/windows-server/networking/sdn/deploy/deploy-a-software-defined-network-infrastructure-using-scripts)
\r\nπŸ’‘ [Secure the Network Controller](https://learn.microsoft.com/azure-stack/hci/manage/nc-security)
\r\nπŸ’‘ [SDN for Win Server 2019 and 2022](https://learn.microsoft.com/windows-server/networking/sdn/sdn-whats-new)
\r\nπŸ’‘ [Key Components of Software Defined Networking Data Sheet](https://learn.microsoft.com/windows-server/networking/sdn/technologies/Software-Defined-Networking-Technologies)
\r\nπŸ’‘ [IPV6 Config Interface](https://learn.microsoft.com/javascript/api/%40azure/arm-databoxedge-profile-2020-09-01-hybrid/ipv6config?view=azure-node-latest&wt.mc_id=searchAPI_azureportal_inproduct_rmskilling&sessionId=a3b01375fbf840fe9b8065377eabbd7d)
\r\nπŸ’‘ [Leverage IPV6 for Azure Virtual Networks](https://learn.microsoft.com/azure/virtual-network/ip-services/ipv6-overview?wt.mc_id=searchAPI_azureportal_inproduct_rmskilling&sessionId=a3b01375fbf840fe9b8065377eabbd7d)
\r\nπŸ’‘ [Segementation Security Strategies](https://learn.microsoft.com/azure/well-architected/security/design-segmentation)
\r\nπŸ’‘ [Implement Network Segmentation Paterns On Azure](https://learn.microsoft.com/azure/well-architected/security/design-network-segmentation)
\r\nπŸ’‘ [Utilize Microsoft Packet Monitor](https://learn.microsoft.com/windows-server/networking/technologies/pktmon/pktmon)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources\r\n| where type contains \"logic\"\r\n| where id contains \"block\" or id contains \"isolate\" or id contains \"lock\" or id contains \"revoke\" or id contains \"quarantine\"\r\n| project id,type,location,resourceGroup\r\n| order by location asc", + "size": 0, + "showAnalytics": true, + "title": "Software Defined Network Containment Automations Configured", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "showExportToExcel": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "filter": true + } + }, + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureNetworkAnalytics_CL | where SubType_s == \"FlowLog\" | summarize TotalFlows = count() by TimeGenerated, VM_s\r\n| extend VM = strcat(split(VM_s, '/')[1], ' (', split(VM_s, '/')[0], ')')\r\n| project TimeGenerated, VM, TotalFlows", + "size": 0, + "title": "Flows on Network Interfaces and Virtual Machines", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 25, + "filter": true + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureNetworkAnalytics_CL | where SubType_s == \"FlowLog\" | summarize count() by FlowType_s", + "size": 0, + 
"title": "Traffic flow types", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "30", + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureNetworkAnalytics_CL | where SubType_s == \"FlowLog\" | summarize TotalFlows = count() by TimeGenerated, VM_s\r\n| extend VM = strcat(split(VM_s, '/')[1], ' (', split(VM_s, '/')[0], ')')\r\n| project TimeGenerated, VM, TotalFlows", + "size": 0, + "title": "Traffic Flows Over Time", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "70", + "name": "query - 5" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isNE52Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "5.2Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "5.3 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 5.3 Macro Segmentation\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Impletment Network Segmentation](https://learn.microsoft.com/azure/well-architected/security/design-network-segmentation)
\r\nπŸ”€ [Azure Features for Segmentation](https://learn.microsoft.com/azure/well-architected/security/design-network-segmentation#azure-features-for-segmentation)
\r\nπŸ”€ [Network Service](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.HybridNetwork%2Fpublishers%2Fnetworkservicedesigngroups)
\r\nπŸ”€ [Network Watcher](https://portal.azure.us/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview)" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Impletment Network Segmentation](https://learn.microsoft.us/azure/well-architected/security/design-network-segmentation)
\r\nπŸ”€ [Segementation Security Strategies](https://learn.microsoft.us/azure/well-architected/security/design-segmentation)
\r\nπŸ”€ [Network Service](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.HybridNetwork%2Fpublishers%2Fnetworkservicedesigngroups)
\r\nπŸ”€ [Network Watcher](https://portal.azure.us/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview)
\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\n\r\nπŸ’‘ [Impletment Network Segmentation](https://learn.microsoft.com/azure/well-architected/security/design-network-segmentation)
\r\nπŸ’‘ [Azure Features for Segmentation](https://learn.microsoft.com/azure/well-architected/security/design-network-segmentation#azure-features-for-segmentation)
\r\nπŸ’‘ [Segementation Security Strategies](https://learn.microsoft.com/azure/well-architected/security/design-segmentation)
\r\nπŸ’‘ [Network Service Designs](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.HybridNetwork%2Fpublishers%2Fnetworkservicedesigngroups)
\r\nπŸ’‘ [Network Watcher](https://portal.azure.com/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources\r\n| where type contains \"networksecuritygroups\" or type contains \"virtualnetworks\" or type contains \"tables\"\r\n| project id,type,location,resourceGroup\r\n| order by location asc\r\n", + "size": 0, + "showAnalytics": true, + "title": "Network Segmentation Assets", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "showExportToExcel": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "filter": true + } + }, + "customWidth": "100", + "conditionalVisibility": { + "parameterName": "isNetworkingVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "query - 3", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 1, + "content": { + "json": "## AWS network activities" + }, + "name": "text - 0" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "b9e68383-3369-42fc-b7e7-506fd187832d", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 1209600000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + 
"durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let data = AWSCloudTrail;\r\ndata\r\n| summarize Count = count() by AWSRegion\r\n| join kind = fullouter (datatable(AWSRegion:string)['OneDrive', 'SharePoint']) on AWSRegion\r\n| project AWSRegion = iff(AWSRegion == '', AWSRegion1, AWSRegion), Count = iff(AWSRegion == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by AWSRegion)\r\n on AWSRegion\r\n| project-away AWSRegion1, TimeGenerated\r\n| extend AWSRegion = AWSRegion\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend AWSRegion = 'All', AWSRegions = '*' \r\n)\r\n| order by Count desc\r\n| take 10\r\n", + "size": 4, + "title": "Top 10 active regions - click to filter", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "AWSRegion", + "exportParameterName": "AWSRegion", + "exportDefaultValue": "All", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "AWSRegion", + "formatter": 1, + "formatOptions": { + "showIcon": true + } + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto", + "showIcon": true + }, + 
"numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "min": 0, + "palette": "blue", + "showIcon": true + } + }, + "showBorder": false + } + }, + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AWSCloudTrail\r\n//| where EventSource == \"ec2.amazonaws.com\" and (EventName startswith \"create\" or EventName startswith \"replace\" or EventName startswith \"delete\" or EventName startswith \"authorize\" or EventName startswith \"revoke\") and (EventName !contains \"Volume\" and EventName !contains \"KeyPair\" and EventName !contains \"Tags\" and EventName !contains \"Image\" and EventName !contains \"LaunchTemplate\")\r\n| where AWSRegion == '{AWSRegion}' or '{AWSRegion}' == \"All\"\r\n| summarize count() by AWSRegion, bin(TimeGenerated, {TimeRange:grain})", + "size": 0, + "title": "Network events, by region", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AWSCloudTrail\r\n//| where EventSource == \"ec2.amazonaws.com\" and (EventName startswith \"create\" or EventName startswith \"replace\" or EventName startswith \"delete\" or EventName startswith \"authorize\" or EventName startswith \"revoke\") and (EventName !contains \"Volume\" and EventName !contains \"KeyPair\" and EventName !contains \"Tags\" and EventName !contains \"Image\" and EventName !contains \"LaunchTemplate\")\r\n| where AWSRegion == '{AWSRegion}' or '{AWSRegion}' == \"All\"\r\n| summarize count() by EventName, bin(TimeGenerated, {TimeRange:grain})", + "size": 0, + "title": "Network event types", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + 
"resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart" + }, + "customWidth": "50", + "name": "query - 4" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isNE53Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "5.3Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "5.4 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 5.4 Micro Segmentation\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Virtual Networks Termal Access Points](https://portal.azure.us/#view/HubsExtension/BrowseResourceBlade/resourceType/microsoft.network%2Fvirtualnetworktaps)
\r\nπŸ”€ [Conditional Access](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview)
\r\nπŸ”€ [Cloud Access Routers](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Orbital%2FcloudAccessRouters)
\r\nπŸ”€ [Entra ID Conditional Access](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview)
\r\nπŸ”€ [Azure Monitor Networks](https://portal.azure.us/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/networkInsights)
\r\nπŸ”€ [Azure Connection Monitor](https://portal.azure.us/#view/Microsoft_Azure_FlowLog/ConnectionMonitorV2ViewModel)
\r\nπŸ”€ [Azure Network Watcher](https://portal.azure.us/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview/menuId~/%7B%22target%22%3A%7B%7D%7D)" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Virtual Networks Termal Access Points](https://portal.azure.com/#view/HubsExtension/BrowseResourceBlade/resourceType/microsoft.network%2Fvirtualnetworktaps)
\r\nπŸ”€ [Conditional Access](https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview)
\r\nπŸ”€ [Cloud Access Routers](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Orbital%2FcloudAccessRouters)
\r\nπŸ”€ [Entra ID Conditional Access](https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview)
\r\nπŸ”€ [Azure Monitor Networks](https://portal.azure.us/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/networkInsights)
\r\nπŸ”€ [Azure Connection Monitor](https://portal.azure.us/#view/Microsoft_Azure_FlowLog/ConnectionMonitorV2ViewModel)
\r\nπŸ”€ [Azure Network Watcher](https://portal.azure.us/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview/menuId~/%7B%22target%22%3A%7B%7D%7D)\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Enabling JIT Access Controls](https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?wt.mc_id=searchAPI_azureportal_inproduct_rmskilling&sessionId=a3b01375fbf840fe9b8065377eabbd7d)
\r\nπŸ’‘ [Conditional Access Block Access by Location](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-location?wt.mc_id=searchAPI_azureportal_inproduct_rmskilling&sessionId=a3b01375fbf840fe9b8065377eabbd7d)
\r\nπŸ’‘ [Secure Networks with Zero Trust](https://learn.microsoft.com/security/zero-trust/deploy/networks)
\r\nπŸ’‘ [Implement Network Segmentation Paterns On Azure](https://learn.microsoft.com/azure/well-architected/security/design-network-segmentation?wtmc_id=searchAPI_azureportal_inproduct_rmskilling&sessionId=a3b01375fbf840fe9b8065377eabbd7d)
\r\nπŸ’‘ [Microsoft Packet Monitor](https://learn.microsoft.com/windows-server/networking/technologies/pktmon/pktmon)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources\r\n| where type contains \"applicationgateway\" or type contains \"securitygroup\"\r\n| project id,type,location,resourceGroup\r\n| order by location asc\r\n", + "size": 0, + "showAnalytics": true, + "title": "Microsegementation Assets", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "showExportToExcel": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "filter": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "isNetworkingVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "query - 3", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "bullets", + "links": [] + }, + "name": "links - 3" + }, + { + "type": 1, + "content": { + "json": "## Azure AD audit logs" + }, + "name": "text - 1" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "bc372bf5-2dcd-4efa-aa85-94b6e6fafe14", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 7776000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 
43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + } + }, + { + "id": "e032b9f7-5449-4180-9c20-75760afa96f6", + "version": "KqlParameterItem/1.0", + "name": "User", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "AuditLogs\r\n| where SourceSystem == \"Azure AD\"\r\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\")\r\n//| where initiator!= \"\"\r\n| summarize Count = count() by initiator\r\n| order by Count desc, initiator asc\r\n| project Value = initiator, Label = strcat(initiator, ' - ', Count), Selected = false", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All" + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "0a59a0b3-6d93-4fee-bdbe-147383c510c6", + "version": "KqlParameterItem/1.0", + "name": "Category", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "AuditLogs\r\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\")\r\n| where \"{User:lable}\" == \"All\" or initiator in ({User})\r\n| summarize Count = count() by Category\r\n| order by Count desc, Category asc\r\n| project Value = Category, Label = strcat(Category, ' - ', Count)", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": 
"All" + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "4d2b245b-5e59-4eb6-9f51-ba926581ab47", + "version": "KqlParameterItem/1.0", + "name": "Result", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "AuditLogs\r\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\")\r\n| where \"{User:lable}\" == \"All\" or initiator in ({User})\r\n| summarize Count = count() by Result\r\n| order by Count desc, Result asc\r\n| project Value = Result, Label = strcat(Result, ' - ', Count, ' sign-ins')", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All" + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let data = AuditLogs\r\n| where \"{Category:lable}\" == \"All\" or Category in ({Category})\r\n| where \"{Result:lable}\" == \"All\" or Result in ({Result})\r\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\r\n| where initiatingUserPrincipalName != \"\" \r\n| where \"{User:lable}\" == \"All\" or initiatingUserPrincipalName in ({User});\r\ndata\r\n| summarize Count = count() by Category\r\n| join kind = fullouter (datatable(Category:string)['Medium', 'high', 'low']) on Category\r\n| project Category = iff(Category == '', Category1, Category), Count = iff(Category == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on 
TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Category)\r\n on Category\r\n| project-away Category1, TimeGenerated\r\n| extend Category = Category\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend Category = 'All', Categorys = '*' \r\n)\r\n| order by Count desc\r\n| take 10", + "size": 4, + "title": "Access Categories ", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "Category", + "exportParameterName": "CategoryFIlter", + "exportDefaultValue": "All", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Category", + "formatter": 1, + "formatOptions": { + "showIcon": true + } + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto", + "showIcon": true + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 21, + "formatOptions": { + "palette": "purple", + "showIcon": true + } + }, + "showBorder": false + } + }, + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let data = AuditLogs\r\n| where \"{Result:lable}\" == \"All\" or Result in ({Result})\r\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\")\r\n| where \"{User:lable}\" == \"All\" or initiator in ({User})\r\n| where \"{Category:lable}\" == \"All\" or Category in ({Category})\r\n| where Category == '{CategoryFIlter}' or '{CategoryFIlter}' == \"All\";\r\nlet appData = data\r\n| 
summarize TotalCount = count() by OperationName, Category\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName\r\n | project-away TimeGenerated) on OperationName\r\n| order by TotalCount desc, OperationName asc\r\n| project OperationName, TotalCount, Trend, Category\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\"), Category, OperationName\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName, initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \"\", tostring(InitiatedBy.user.userPrincipalName), \"unknown\")\r\n | project-away TimeGenerated) on OperationName, initiator\r\n| order by TotalCount desc, OperationName asc\r\n| project OperationName, initiator, TotalCount, Category, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on OperationName\r\n| project Id, Name = initiator, Type = 'initiator', ['Operations Count'] = TotalCount, Trend, Category, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = OperationName, Type = 'Operation', ['Operations Count'] = TotalCount, Category, Trend)\r\n| order by ['Operations Count'] desc, Name asc", + "size": 0, + "showAnalytics": true, + "title": "Conditional Acess & User activities", + "timeContextFromParameter": "TimeRange", + "exportParameterName": "UserInfo", + "exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Id", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "Type", + 
"formatter": 5, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "Operations Count", + "formatter": 8, + "formatOptions": { + "min": 0, + "palette": "blue", + "showIcon": true + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "min": 0, + "palette": "turquoise", + "showIcon": true + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "ParentId", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + } + ], + "rowLimit": 1000, + "filter": true, + "hierarchySettings": { + "idColumn": "Id", + "parentColumn": "ParentId", + "treeType": 0, + "expanderColumn": "Name" + } + } + }, + "customWidth": "70", + "showPin": true, + "name": "query - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "80e332f7-8176-461f-b27a-0a52242fe6c9", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 86400000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + } + }, + { + "id": "5a93ede8-361d-4cc6-93f8-967dfc355143", + "version": "KqlParameterItem/1.0", + "name": "Activity", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "SecurityEvent\r\n| summarize Count = count() by Activity\r\n| order 
by Count desc, Activity asc\r\n| project Value = Activity, Label = strcat(Activity, ' - ', Count)", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All" + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let data = SecurityEvent\r\n| where \"{Activity:lable}\" == \"All\" or Activity in ({Activity});\r\ndata\r\n| summarize Count = count() by Activity\r\n| join kind = fullouter (datatable(Activity:string)['Medium', 'high', 'low']) on Activity\r\n| project Activity = iff(Activity == '', Activity1, Activity), Count = iff(Activity == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Activity)\r\n on Activity\r\n| project-away Activity1, TimeGenerated\r\n| extend Activitys = Activity\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend Activity = 'All', Activitys = '*' \r\n)\r\n| order by Count desc\r\n| take 10", + "size": 4, + "title": "Top 10 Identity & Access Activities - click to filter by activity", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "Activity", + "exportParameterName": "ActivityPiker", + "exportDefaultValue": "All", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "showIcon": true + } + }, + 
"leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto", + "showIcon": true + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "lightBlue", + "showIcon": true + } + }, + "showBorder": false + } + }, + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let data = SecurityEvent\r\n| where \"{Activity:lable}\" == \"All\" or Activity in ({Activity})\r\n| where Activity == '{ActivityPiker}' or '{ActivityPiker}' == \"All\" and AccountType == 'User'\r\n| extend Name = extract(@'^(.*\\\\)?([^@]*)(@.*)?$', 2, tolower(Account));\r\nlet appData = data\r\n| summarize TotalCount = count() by Name\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Name\r\n | project-away TimeGenerated) on Name\r\n| order by TotalCount desc, Name asc\r\n| project Name, TotalCount, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by Activity , Name\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Name, Activity\r\n | project-away TimeGenerated) on Name, Activity\r\n| order by TotalCount desc, Name asc\r\n| project Name, Activity, TotalCount, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on Name\r\n| project Id, Name = Activity, Type = 'Activity', ['Activity Count'] = TotalCount, Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = Name, Type = 'Computer', ['Activity Count'] = TotalCount, Trend )\r\n| order by ['Activity Count'] desc, Name asc", + "size": 0, + "title": "User activities", + "timeContextFromParameter": "TimeRange", + 
"exportParameterName": "Userinfo", + "exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Id", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "Activity Count", + "formatter": 8, + "formatOptions": { + "min": 0, + "palette": "blueGreen", + "showIcon": true + } + }, + { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "greenDark", + "showIcon": true + } + }, + { + "columnMatch": "IpAddress", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "ParentId", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + } + ], + "filter": true, + "hierarchySettings": { + "idColumn": "Id", + "parentColumn": "ParentId", + "treeType": 0, + "expanderColumn": "Name" + } + } + }, + "customWidth": "50", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//let Users = dynamic({Userinfo});\r\nlet data = SecurityEvent\r\n| where \"{Activity:lable}\" == \"All\" or Activity in ({Activity})\r\n| where Activity == '{ActivityPiker}' or '{ActivityPiker}' == \"All\" and AccountType == 'Machine'\r\n| extend user = extract(@'^(.*\\\\)?([^@]*)(@.*)?$', 2, tolower(Account))\r\n| where dynamic({Userinfo}).Type == '*' or (dynamic({Userinfo}).Type == 'Computer' and user == dynamic({Userinfo}).Name);\r\nlet appData = data\r\n| summarize TotalCount = count() by Computer\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Computer\r\n | project-away TimeGenerated) on Computer\r\n| order by TotalCount desc, Computer asc\r\n| project Computer, TotalCount, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by Activity , Computer\r\n| join kind=inner (data\r\n | 
make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Computer, Activity\r\n | project-away TimeGenerated) on Computer, Activity\r\n| order by TotalCount desc, Computer asc\r\n| project Computer, Activity, TotalCount, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on Computer\r\n| project Id, Name = Activity, Type = 'Activity', ['Activity Count'] = TotalCount, Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = Computer, Type = 'Computer', ['Activity Count'] = TotalCount, Trend )\r\n| order by ['Activity Count'] desc, Name asc", + "size": 0, + "title": "Machine activities", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "", + "exportParameterName": "MachineInfo", + "exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Id", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "Activity Count", + "formatter": 8, + "formatOptions": { + "min": 0, + "palette": "blue", + "showIcon": true + } + }, + { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "ParentId", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + } + ], + "filter": true, + "hierarchySettings": { + "idColumn": "Id", + "parentColumn": "ParentId", + "treeType": 0, + "expanderColumn": "Name" + } + } + }, + "customWidth": "50", + "name": "query - 4" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isNE54Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "5.4Activities", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p5" + }, + "name": "P5Activities" + }, + { + "type": 12, + "content": { 
+ "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n\\t\\t{ \\\"Select All (Automation & Orchestration 6.x)\\\": \\\"6.1 Policy Decision Point (PD) & Policy Orchestration\\\", \\\"tab\\\": \\\"AO61\\\" },\\r\\n\\t\\t{ \\\"Select All (Automation & Orchestration 6.x)\\\": \\\"6.2 Critical Process Automation \\\", \\\"tab\\\": \\\"AO62\\\" },\\r\\n\\t\\t{ \\\"Select All (Automation & Orchestration 6.x)\\\": \\\"6.3 Machine Learning\\\", \\\"tab\\\": \\\"AO63\\\" },\\r\\n\\t\\t{ \\\"Select All (Automation & Orchestration 6.x)\\\": \\\"6.4 Artifical Learning\\\", \\\"tab\\\": \\\"AO64\\\" },\\r\\n\\t\\t{ \\\"Select All (Automation & Orchestration 6.x)\\\": \\\"6.5 Security Orchestration, Automation & Response (SOAR)\\\", \\\"tab\\\": \\\"AO65\\\" },\\r\\n\\t\\t{ \\\"Select All (Automation & Orchestration 6.x)\\\": \\\"6.6 API Standardization\\\", \\\"tab\\\": \\\"AO66\\\" },\\r\\n\\t\\t{ \\\"Select All (Automation & Orchestration 6.x)\\\": \\\"6.7 Security Operations Center (SOC) & Incident Response (IR)\\\", \\\"tab\\\": \\\"AO67\\\" }\\r\\n\\t\\t]\",\"transformers\":null}", + "size": 3, + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "tab", + "parameterName": "Tab", + "parameterType": 1 + } + ], + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "Select All (Automation & Orchestration 6.x)", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + } + }, + { + "columnMatch": "tab", + "formatter": 5 + }, + { + "columnMatch": "Zero Trust", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + } + } + ] + } + }, + "customWidth": "90", + "name": "AutomationOrchZT", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": 
"42fc8445-0772-439f-b490-461fb17e5d2f", + "version": "KqlParameterItem/1.0", + "name": "isAO61Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "AO61", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "6d0940d2-e259-49de-b490-75d026dd6ad3", + "version": "KqlParameterItem/1.0", + "name": "isAO62Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "AO62", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "f727f39d-ec12-43f9-a6ed-e44515f19b66", + "version": "KqlParameterItem/1.0", + "name": "isAO63Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "AO63", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "a354cdb5-4a2c-4d66-8cd9-30b0f23d8cef", + "version": "KqlParameterItem/1.0", + "name": "isAO64Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "AO64", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + 
"operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "isAO65Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "AO65", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "3870cb3e-20be-4bdb-82be-24ec1523da05" + }, + { + "version": "KqlParameterItem/1.0", + "name": "isAO66Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "AO66", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "d31d900a-f10c-4e34-b768-6e6370aceb3a" + }, + { + "version": "KqlParameterItem/1.0", + "name": "isAO67Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "AO67", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "2a0825c4-878b-43c2-b858-6d09a82b4d12" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "5", + "name": "AutoOrchZTParameters" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + 
"parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p6" + }, + "customWidth": "50", + "name": "p6-1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR6.1", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 6.1\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations initially collect and document all rule-based policies to orchestrate across the security stack for effective automation; DAAS access procedures and policies will be defined, implemented, and updated. Organizations mature this capability by establishing PDPs and PEPs (including the Next Generation Firewall) to make DAAS resource determinations and enable,monitor, and terminate connections between a user/device and DAAS resources according to predefined policy. | DoD organizations initially collect and document all rule-based policies to orchestrate across the security stack for effective automation; DAAS access procedures and policies will be defined, implemented, and updated. Organizations mature this capability by establishing PDPs and PEPs(including the Next Generation Firewall) to make DAAS resource determinations and enable, monitor,and terminate connections between a user/device and DAAS resources according to predefined policy. | PDPs and PEPs ensure proper implementation of DAAS access policies to users or endpoints that are properly connected (or denied access) to requested resources. 
|" + }, + "name": "AutoOrchCR61" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusao61", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateao61", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesao61", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AutoOrch61Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Entra ID Conditional Access (CA) | \r\n| Azure Policy |\r\n| Azure Automation |\r\n| Azure ML |\r\n| Azure Firewall |\r\n| Microsoft Sentinel |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isAO61Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "AutoOrchCR61Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + 
"groupType": "editable", + "title": "CR6.2", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 6.2\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|\r\n| DoD organizations employ automation methods, such as RPA, to address repetitive, predictable tasks for critical functions such as data enrichment, security controls, and incident response workflows according to system security engineering principles. | DoD organizations employ automation methods, such as RPA, to address repetitive, predictable tasks for critical functions such as data enrichment, security controls, and incident response workflows according to system security engineering principles. | Response time and capability is increased with orchestrated workflows and risk management processes. |" + }, + "name": "AutoOrchCR62" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "f28c401d-2da4-4960-8232-f659d30252d2", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusao62", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "a4b5ef42-9775-433e-ac25-55cc0eabd5c0", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateao62", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": 
"Notesao62", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "f06061bf-e951-4cc0-b335-c8eea6f55495", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AutoOrch62Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft Power Automate | \r\n| Azure Logic Apps |\r\n| Microsoft Sentinel Playbooks |\r\n| Microsoft 365 Defender Automated Investigation & Response | " + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isAO62Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "AutoOrchCR62Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR6.3", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 6.3\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations employ ML to execute (and enhance execution of) critical functions such as incident response, anomaly detection, user baselining, and data tagging. | DoD organizations employ ML to execute (and enhance execution of) critical functions such as incident response, anomaly detection, user baselining, and data tagging. | Response time and capability is increased with orchestrated workflows and risk management processes. 
|" + }, + "name": "AutoOrchCR63" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "6d883c79-17bf-432a-8d50-cf2280380232", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusao63", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "196b9437-34c4-4c58-9b54-81650c8e9cfa", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateao63", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesao63", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "15d3be75-9b31-44c4-8108-42122f1c1883", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AutoOrch63Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft Sentinel Fusion ML | \r\n| Microsoft Sentinel Bring Your Own Machine Learning (BYOML) | \r\n| Microsoft Defender for Cloud (MDfC) |\r\n| Azure ML |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isAO63Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "AutoOrchCR63Group" + }, + { + "type": 12, + "content": { + "version": 
"NotebookGroup/1.0", + "groupType": "editable", + "title": "CR6.4", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 6.4\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations employ AI to execute (and enhance execution of) critical functions - particularly risk and access determinations and environmental analysis. | DoD organizations employ AI to execute (and enhance execution of) critical functions - particularly risk and access determinations and environmental analysis. | Response time and capability is increased with orchestrated workflows and risk management processes. |" + }, + "name": "AutoOrchCR64" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusao64", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateao64", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesao64", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": 
"Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AutoOrch64Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft Sentinel Fusion ML | \r\n| Microsoft Sentinel Tailored AI | \r\n| Azure ML |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isAO64Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "AutoOrchCR64Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR6.5", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 6.5\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations achieve initial operational capability of security technologies to orchestrate and automate policies (e.g., PEPs and PDPs) and rulesets to improve security operations, threat and vulnerability management, and security incident response by ingesting alert data, triggering playbooks for automated response and remediation. | DoD organizations achieve IOC of security technologies to orchestrate and automate policies (e.g., PEPs and PDPs) and rulesets to improve security operations, threat and vulnerability management, and security incident response by ingesting alert data, triggering playbooks for automated response and remediation. | Pre-defined playbooks from collection to incident response and triage enables initial process automation that accelerates a security team's decision and response speed. 
|" + }, + "name": "AutoOrchCR65" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusao65", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateao65", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesao65", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AutoOrch65Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft 365 Defender Automated investigation and response |\r\n| Microsoft Sentinel Playbooks |\r\n| Microsoft Defender for Cloud (MDfC) |\r\n| Azure Logic Apps |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isAO65Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "AutoOrchCR65Group" + }, + { + "type": 12, + "content": { + "version": 
"NotebookGroup/1.0", + "groupType": "editable", + "title": "CR6.6", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 6.6\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD establishes and enforces enterprise-wide programmatic interface (e.g., API ) standards; all non-compliant APIs are identified and replaced. | DoD establishes and enforces enterprise-wide API standards; all non-compliant APIs are identified and replaced. | Standardizing APIs across the department improves application interfaces, enabling orchestration, and enhancing interoperability. |" + }, + "name": "AutoOrchCR66" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusao66", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateao66", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesao66", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": 
"formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AutoOrch66Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Azure API Management | \r\n| Azure Monitor Log Analytics |\r\n| Azure Logic Apps | \r\n| Azure Policy |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isAO66Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "AutoOrchCR66Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR6.7", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 6.7\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| In the event a computer network defense service provider (CNDSP) does not exist, DoD organizations define and stand up security operations centers (SOC) to deploy, operate, and maintain security monitoring, protections and response for DAAS; SOCs provide security management visibility for status (upward visibility) and tactical implementation (downward visibility). Workflows within the SOC are automated using automation tooling and enrichment occurs between service providers and technologies. | In the event a CNDSP does not exist, DoD organizations define and stand up SOCs to deploy, operate, and maintain security monitoring, protections and response for DAAS; SOCs provide security management visibility for status (upward visibility) and tactical implementation (downward visibility). | Standardized, coordinated, and accelerated incident response and investigative efforts. 
|" + }, + "name": "AutoOrchCR67" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusao67", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateao67", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesao67", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AutoOrch67Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft Sentinel |\r\n| Microsoft 365 Defender |\r\n|Microsoft Defender for Cloud (MDfC)|" + }, + "conditionalVisibility": { + "parameterName": "isAO67Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isAO67Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "AutoOrchCR67Group" + } + ], 
+ "exportParameters": true + }, + "name": "AutoOrchCRGroup" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p6" + }, + "customWidth": "50", + "name": "p6-2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "6.1 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 6.1 Policy Decision Point (PD) & Policy Orchestration\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Azure Automation](https://portal.azure.us/#view/Microsoft_AAD_IAM/ManagedAppMenuBlade/~/Overview/objectId/d2175af3-6958-4008-83ac-ac2b81eafac7/appId/fc75330b-179d-49af-87dd-3b1acf6827fa)
\r\nπŸ”€ [Azure Machine Learning](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.MachineLearningServices%2Fworkspaces)
\r\nπŸ”€ [Azure Policy](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyMenuBlade)
\r\nπŸ”€ [Azure Virtual Desktop](https://portal.azure.us/#view/Microsoft_Azure_WVD/WvdManagerMenuBlade/~/overview)
\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "


\r\n## Microsoft Portals Government\r\n\r\nπŸ”€ [Azure Automation](https://portal.azure.us/#view/Microsoft_AAD_IAM/ManagedAppMenuBlade/~/Overview/objectId/d2175af3-6958-4008-83ac-ac2b81eafac7/appId/fc75330b-179d-49af-87dd-3b1acf6827fa)
\r\nπŸ”€ [Azure Machine Learning](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.MachineLearningServices%2Fworkspaces)
\r\nπŸ”€ [Azure Policy](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyMenuBlade)
\r\nπŸ”€ [Azure Virtual Desktop](https://portal.azure.us/#view/Microsoft_Azure_WVD/WvdManagerMenuBlade/~/overview)
\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Visibility,Automation and Orchestration with Zero Trust](https://learn.microsoft.com/)
\r\nπŸ’‘ [Azure Orchestration for Azure Security Policy](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-policy-security-baseline)
\r\nπŸ’‘ [Configuration Analyzer for Security Policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-worldwide)
\r\nπŸ’‘ [Azure Automation Overview](https://learn.microsoft.com/azure/automation/overview)
\r\nπŸ’‘ [Azure Security Baseline for Automation](https://learn.microsoft.com/security/benchmark/azure/baselines/automation-security-baseline)
\r\nπŸ’‘ [Azure Policy](https://learn.microsoft.com/azure/governance/policy/overview)
\r\nπŸ’‘ [What is Azure Firewall?](https://learn.microsoft.com/azure/firewall/overview)
\r\nπŸ’‘ [Apply Zero Trust principles to a hub virtual network in Azure](https://learn.microsoft.com/security/zero-trust/azure-infrastructure-networking)
\r\nπŸ’‘ [Management of Role Permissions and Automation](https://learn.microsoft.com/azure/automation/automation-role-based-access-control)
\r\nπŸ’‘ [Using Azure Machine Learning to assign roles](https://learn.microsoft.com/azure/machine-learning/how-to-assign-roles?view=azureml-api-2&tabs=labeler)
\r\nπŸ’‘ [Azure AD Seccurity Groups ML](https://learn.microsoft.com/azure/machine-learning/how-to-assign-roles?view=azureml-api-2&tabs=labeler#use-azure-ad-security-groups-to-manage-workspace-access)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations \r\n" + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| where RiskLevelDuringSignIn <> \"none\"\r\n| summarize count() by RiskLevelDuringSignIn\r\n| render piechart \r\n", + "size": 2, + "showAnalytics": true, + "title": "ConditionalAccessPolicies SignIn Risk", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "30", + "showPin": true, + "name": "ConditionalAccessPolicies SignIn Risk" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| where CAResult <> \"success\"\r\n| summarize count() by AppDisplayName, CAResult\r\n", + "size": 0, + "showAnalytics": true, + "title": "Non-Success ConditionalAccess by App ", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Group", + "formatter": 1 + }, + { + "columnMatch": "AppDisplayName", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "10%" + } + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "AppDisplayName" + ] + }, + "labelSettings": [ + { + "columnId": "CAResult", + "label": "Result" + }, + { + "columnId": "count_", + "label": "Count" + } + ] + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AccountObjectId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "InvestigationPriority", + "formatter": 1, + 
"numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "showPin": true, + "name": "Non-Success ConditionalAccess by App " + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| mv-expand ConditionalAccessPolicies\r\n| extend CAResult = tostring(ConditionalAccessPolicies.result)\r\n| project CAResult\r\n| summarize count() by CAResult", + "size": 2, + "showAnalytics": true, + "title": "Conditional Access 'SignIn' Summaries", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "CAResult", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "none" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": false, + "sortOrderField": 1, + "size": "full" + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "CAResult", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "40", + "showPin": true, + "name": "Conditional Access 'SignIn' Summaries" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isAO61Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "6.1Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "6.2 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": 
"editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 6.2 Critical Process Automation\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Azure Automation](https://portal.azure.us/#view/Microsoft_AAD_IAM/ManagedAppMenuBlade/~/Overview/objectId/d2175af3-6958-4008-83ac-ac2b81eafac7/appId/fc75330b-179d-49af-87dd-3b1acf6827fa)
\r\nπŸ”€ [Microsoft Sentinel Automation Blade](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_Security_Insights/MainMenuBlade/~/Automationl)
\r\nπŸ”€ [Azure Logic Apps Blade](https://portal.azure.us/?feature.msaljs=true#view/HubsExtension/BrowseResource/resourceType/Microsoft.Logic%2Fworkflows)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Azure Automation](https://portal.azure.us/#view/Microsoft_AAD_IAM/ManagedAppMenuBlade/~/Overview/objectId/d2175af3-6958-4008-83ac-ac2b81eafac7/appId/fc75330b-179d-49af-87dd-3b1acf6827fa)
\r\nπŸ”€ [Microsoft Sentinel Automation Blade](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_Security_Insights/MainMenuBlade/~/Automationl)
\r\nπŸ”€ [Azure Logic Apps Blade](https://portal.azure.us/?feature.msaljs=true#view/HubsExtension/BrowseResource/resourceType/Microsoft.Logic%2Fworkflows)
\r\nπŸ”€ [M365 Defender](https://security.microsoft.us)
\r\n\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Azure Automation Overview](https://learn.microsoft.com/azure/automation/overview)
\r\nπŸ’‘ [Azure Security Baseline for Automation](https://learn.microsoft.com/security/benchmark/azure/baselines/automation-security-baseline)
\r\nπŸ’‘ [Visibility, Automation, and Orchestration with Zero Trust](https://learn.microsoft.com/)
\r\nπŸ’‘ [Automation in Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/automation)
\r\nπŸ’‘ [Automate Threat Response with Playbooks](https://learn.microsoft.com/azure/sentinel/automate-responses-with-playbooks)
\r\nπŸ’‘ [Automated Investigation & Response M365 Defender](https://learn.microsoft.com/microsoft-365/security/defender/m365d-autoir?view=o365-worldwide)
\r\nπŸ’‘ [Power Automate U.S Government](https://learn.microsoft.com/power-automate/us-govt)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let FailedAssets=SecurityBaseline\r\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\r\n| where Description contains \"authentication\" or Description contains \"password\"\r\n| where AnalyzeResult == \"Failed\"\r\n| summarize FailedAssets = makelist(Computer) by Description;\r\nlet PassedAssets=SecurityBaseline\r\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\r\n| where Description contains \"authentication\" or Description contains \"password\"\r\n| where AnalyzeResult == \"Passed\"\r\n| summarize PassedAssets = makelist(Computer) by Description;\r\nSecurityBaseline\r\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\r\n| where Description contains \"authentication\" or Description contains \"password\"\r\n| summarize\r\n Failedβ€―=β€―countif(AnalyzeResult == \"Failed\"),\r\n Passedβ€―=β€―countif(AnalyzeResult == \"Passed\"),\r\n Totalβ€―=β€―countif(AnalyzeResult == \"Failed\" or AnalyzeResult == \"Passed\")\r\n by Description\r\n| extend PassedControlsβ€―= (Passed / todouble(Total)) * 100\r\n| join kind=fullouter(FailedAssets) on Description\r\n| join kind=fullouter(PassedAssets) on Description\r\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\r\n| sort by Total, Passed desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Automated Security Baselines", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "name": "query - 3" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isAO62Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "6.2Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "6.3 Activities", + "expandable": true, + 
"expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 6.3 Machine Learning\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Azure Machine Learning](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.MachineLearningServices%2Fworkspaces)
\r\nπŸ”€ [Power Automate](https://make.gov.powerautomate.us/)
\r\nπŸ”€ [Power Platform Admin Center](https://admin.appsplatform.us/)
\r\nπŸ”€ [Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Defender for Cloud](https://portal.azure.us/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0)" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Azure Machine Learning](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.MachineLearningServices%2Fworkspaces)
\r\nπŸ”€ [Power Automate](https://make.gov.powerautomate.us/)
\r\nπŸ”€ [Power Platform Admin Center](https://gcc.admin.powerplatform.microsoft.us/environments)
\r\nπŸ”€ [Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Defender for Cloud](https://portal.azure.us/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0)
\r\n\r\n\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Advanced multistage attack detection in Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/fusion)
\r\nπŸ’‘ [Bring your own Machine Learning (ML) into Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/bring-your-own-ml)
\r\nπŸ’‘ [Azure Machine Learning](https://learn.microsoft.com/azure/machine-learning/?view=azureml-api-2)
\r\nπŸ’‘ [Enterprise Security & Governance w. Machine Learning](https://learn.microsoft.com/azure/machine-learning/concept-enterprise-security?view=azureml-api-2)
\r\nπŸ’‘ [Azure Government Isolaiton Guidelines using AI & ML](https://learn.microsoft.com/azure/azure-government/documentation-government-impact-level-5)
\r\nπŸ’‘ [Quick Start Azure Machine Learning](https://learn.microsoft.com/azure/machine-learning/tutorial-azure-ml-in-a-day?view=azureml-api-2)
\r\nπŸ’‘ [Azure security baseline for Azure Machine Learning](https://learn.microsoft.com/security/benchmark/azure/baselines/machine-learning-security-baseline)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "08f97f34-6264-4fa3-90b5-16b89422d285", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 2592000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + } + }, + { + "id": "cd98a9c7-5dbd-4f92-a967-7ed1c781132a", + "version": "KqlParameterItem/1.0", + "name": "AlertSeverity", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "SecurityAlert\r\n| summarize Count = count() by AlertSeverity\r\n| order by Count desc, AlertSeverity asc\r\n| project Value = AlertSeverity, Label = strcat(AlertSeverity, ' - ', Count)", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ] + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "df0fbc31-ade1-4488-9109-a4f647ad8fe2", + "version": "KqlParameterItem/1.0", + "name": "ProductName", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "SecurityAlert\r\n| 
summarize Count = count() by ProductName\r\n| order by Count desc, ProductName asc\r\n| project Value = ProductName, Label = strcat(ProductName, ' - ', Count)", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ] + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let data = SecurityAlert\n| where \"{AlertSeverity:lable}\" == \"All\" or AlertSeverity in ({AlertSeverity})\n| where \"{ProductName:lable}\" == \"All\" or ProductName in ({ProductName});\ndata\n| summarize Count = count() by AlertSeverity\n| join kind = inner (data\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by AlertSeverity)\n on AlertSeverity\n | project-away TimeGenerated\n| extend AlertSeveritys = AlertSeverity\n| union (\n data \n | summarize Count = count() \n | extend jkey = 1\n | join kind=inner (data\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\n | extend jkey = 1) on jkey\n | extend AlertSeverity = 'All', AlertSeveritys = '*' \n)\n| extend Severity = iif(AlertSeverity == \"All\", 0,iif(AlertSeverity == \"High\", 1, iif(AlertSeverity == \"Medium\", 2, iif(AlertSeverity == \"Low\", 3, 4))))\n| order by Severity asc\n", + "size": 3, + "title": "Machine Learning Security Alerts by Severity", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "AlertSeverity", + "exportParameterName": "AlertSeverityPicker", + "exportDefaultValue": "All", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + 
"tileSettings": { + "titleContent": { + "columnMatch": "AlertSeverity", + "formatter": 1, + "formatOptions": { + "showIcon": true + } + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "showIcon": true + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "showIcon": true + } + }, + "showBorder": false, + "sortOrderField": 1 + } + }, + "name": "SecurityAlertsbySeverity" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isAO63Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "6.3Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "6.4 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 6.4 Artifical Learning\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Azure AI Services](https://portal.azure.us/#blade/Microsoft_Azure_ProjectOxford/CognitiveServicesHub)
\r\nπŸ”€ [Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Defender for Cloud](https://portal.azure.us/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0)" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\n\r\nπŸ”€ [Azure Automation](https://portal.azure.us/#blade/Microsoft_Azure_ProjectOxford/CognitiveServicesHub)
\r\nπŸ”€ [Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Defender for Cloud](https://portal.azure.us/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0)
\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [AI Security Services](https://learn.microsoft.com/azure/ai-services/security-features)
\r\nπŸ’‘ [Senintel Automation](https://learn.microsoft.com/azure/sentinel/automation)
\r\nπŸ’‘ [AI ID & Access Risk Based Controls](https://azure.microsoft.com/products/category/identity/)
\r\nπŸ’‘ [Implement Sentinel & M365 Defender for XDR - AI Driven Zero Trust ](https://learn.microsoft.com/security/operations/siem-xdr-overview)
\r\nπŸ’‘ [Become a Sentinel Automation Ninja](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-automation-ninja/ba-p/3563377)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 1, + "content": { + "json": "### Artificial Inelligence Detected Anomalies " + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Anomalies\r\n| extend AnomalyType = AnomalyTemplateName\r\n| summarize count() by AnomalyType\r\n| sort by count_ desc", + "size": 0, + "timeContext": { + "durationMs": 2592000000 + }, + "exportFieldName": "AnomalyType", + "exportParameterName": "AnomalyType", + "exportDefaultValue": "*", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "customWidth": "50", + "name": "query - 0" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isAO64Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "6.4Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "6.5 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 6.5 Security Orchestration, Automation & Response (SOAR)\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Sentinel SIEM-SOAR](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Logic Apps](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Logic%2Fworkflows)
\r\nπŸ”€ [Microsoft Defender for Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\n\r\nπŸ”€ [Sentinel SIEM-SOAR](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Logic Apps](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Logic%2Fworkflows)
\r\nπŸ”€ [Microsoft Defender for Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Security Ochestration, Automation & Response (SOAR) In Sentinel](https://learn.microsoft.com/azure/sentinel/automation)
\r\nπŸ’‘ [Sentinel SOAR](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/how-to-use-azure-sentinel-for-incident-response-orchestration/ba-p/2242397)
\r\nπŸ’‘ [Microsoft Sentinel SOAR Content Catalog](https://learn.microsoft.com/azure/sentinel/sentinel-soar-content)
\r\nπŸ’‘ [Automate Threat Response with Playbooks in Sentinel](https://learn.microsoft.com/azure/sentinel/automate-responses-with-playbooks)
\r\nπŸ’‘ [Automated investigation and response in Microsoft 365 Defender](https://learn.microsoft.com/microsoft-365/security/defender/m365d-autoir?view=o365-worldwide)
\r\nπŸ’‘ [Workflow Automation in Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/workflow-automation)
\r\nπŸ’‘ [SOAR Best Practices](https://www.microsoft.com/security/business/security-101/what-is-soar#SOARbestpractices)
\r\nπŸ’‘ [Become a Sentinel Automation Ninja](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-automation-ninja/ba-p/3563377)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where ResultType == 0\r\n| summarize Count=count() by AppDisplayName\r\n| render piechart ", + "size": 0, + "title": "Security Orchestration Integrated Platforms Example ", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "query - 2" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isAO65Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "6.5Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "6.6 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 6.6 API Standardization\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [API Management Services](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.ApiManagement%2Fservice)
\r\nπŸ”€ [API Connections](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fconnections)
\r\nπŸ”€ [API Playground](https://portal.azure.us/#blade/Microsoft_Azure_Resources/ArmPlayground)
\r\nπŸ”€ [Azure Logic Apps](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Logic%2Fworkflows)" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [API Management Services](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.ApiManagement%2Fservice)
\r\nπŸ”€ [API Connections](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fconnections)
\r\nπŸ”€ [API Playground](https://portal.azure.us/#blade/Microsoft_Azure_Resources/ArmPlayground)
\r\nπŸ”€ [Azure Logic Apps](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Logic%2Fworkflows)\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Microsft API Management & Security](https://azure.microsoft.com/products/api-management/)
\r\nπŸ’‘ [Mitigate OWASP Top 10 Security Threats Using Microsoft API Management](https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats)
\r\nπŸ’‘ [Security Baselines for API Management](https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline)
\r\nπŸ’‘ [Secure and Compliant APIs for a Hybrid and Multi Cloud World](https://azure.microsoft.com/blog/secure-and-compliant-apis-for-a-hybrid-and-multi-cloud-world/)
\r\nπŸ’‘ [Web API Design Best Practice](https://learn.microsoft.com/azure/architecture/best-practices/api-design)
\r\nπŸ’‘ [Monitor & Protect Your APIs](https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d0637751-acaa-4443-91d1-7f00f29ce09f", + "cellValue": "https://dod.defense.gov/Resources/Developer-Info/", + "linkTarget": "Url", + "linkLabel": "DoD API Standardization", + "preText": "Please see the following link for DoD-specific API standardization guidance, as API's are unique to each agency/MILDEP: ", + "style": "link", + "icon": "1" + } + ] + }, + "name": "links - 2" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isAO66Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "6.6Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "6.7 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 6.7 Security Operations Center (SOC) & Incident Response (IR)\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Sentinel SIEM-SOAR](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Logic Apps](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Logic%2Fworkflows)
\r\nπŸ”€ [Microsoft Defender for Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Sentinel SIEM-SOAR](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [Logic Apps](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Logic%2Fworkflows)
\r\nπŸ”€ [Microsoft Defender for Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Security Operations In Azure](https://learn.microsoft.com/azure/well-architected/security/monitor-security-operations)
\r\nπŸ’‘ [Microsoft SOC Best Practices Landing Page](https://www.microsoft.com/security/business/security-101/what-is-a-security-operations-center-soc?ef_id=_k_ce7dcd6e8f2d1919667ca9a72f733870_k_&OCID=AIDcmmdamuj0pc_SEM__k_ce7dcd6e8f2d1919667ca9a72f733870_k_&msclkid=ce7dcd6e8f2d1919667ca9a72f733870)
\r\nπŸ’‘ [Playbook for Modernizing Security Operations Centers](https://www.microsoft.com/security/blog/2021/02/11/a-playbook-for-modernizing-security-operations/)
\r\nπŸ’‘ [CISO Series Lessons Learned from Microsoft's SOC](https://www.microsoft.com/security/blog/2019/10/07/ciso-series-lessons-learned-from-the-microsoft-soc-part-3a-choosing-soc-tools/)
\r\nπŸ’‘ [Integrating Microsoft 365 Defender into your security operations](https://learn.microsoft.com/microsoft-365/security/defender/integrate-microsoft-365-defender-secops?view=o365-worldwide)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations " + }, + "name": "text - 5" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "a30180d1-89c7-4205-87c4-e882224065d8", + "version": "KqlParameterItem/1.0", + "name": "SelectType", + "label": "Show Type", + "type": 10, + "isRequired": true, + "query": "_GetWatchlist('SOCMA')\r\n| project a = pack_array(Type, \"1 : Show All\")\r\n| summarize a = make_set(a)\r\n| mv-expand a\r\n| order by tostring(a) asc", + "value": "Vulnerability Management", + "typeSettings": { + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "_GetWatchlist('SOCMA')\r\n| where Type = iif('{SelectType}' ==\"1 : Show All\",true,Type in ('{SelectType}') )\r\n| project Number, Title, Type, Question, SOCMAScore, SOCMAWeight, SOCMA, Answer, Examples, Notes, _DTItemId", + "size": 1, + "exportedParameters": [ + { + "fieldName": "_DTItemId", + "parameterName": "_DTItemId", + "parameterType": 1 + }, + { + "fieldName": "Number", + "parameterName": "Number", + "parameterType": 1 + }, + { + "fieldName": "Type", + "parameterName": "Type", + "parameterType": 1 + }, + { + "fieldName": "Title", + "parameterName": "Title", + "parameterType": 1 + }, + { + "fieldName": "Question", + "parameterName": "Question", + "parameterType": 1 + }, + { + "fieldName": "Answer", + "parameterName": "Answer", + "parameterType": 1 + }, + { + "fieldName": "SOCMA", + "parameterName": "SOCMA", + "parameterType": 1 + }, + { + "fieldName": "SOCMAScore", + "parameterName": "SOCMAScore", + 
"parameterType": 1 + }, + { + "fieldName": "SOCMAWeight", + "parameterName": "SOCMAWeight", + "parameterType": 1 + }, + { + "fieldName": "Examples", + "parameterName": "Examples", + "parameterType": 1 + }, + { + "fieldName": "Notes", + "parameterName": "Notes", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 800, + "filter": true + } + }, + "name": "query - 2" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isAO67Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "6.7Activities", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p6" + }, + "name": "P6Activities" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n\\t\\t{ \\\"Select All (Visibility & Analytics 7.x)\\\": \\\"7.1 Log All Traffic (Network, Data, Apps, Users)\\\", \\\"tab\\\": \\\"VA71\\\" },\\r\\n\\t\\t{ \\\"Select All (Visibility & Analytics 7.x)\\\": \\\"7.2 Security Information and Event Management (SIEM) \\\", \\\"tab\\\": \\\"VA72\\\" },\\r\\n\\t\\t{ \\\"Select All (Visibility & Analytics 7.x)\\\": \\\"7.3 Common Security and Risk Analytics\\\", \\\"tab\\\": \\\"VA73\\\" },\\r\\n\\t\\t{ \\\"Select All (Visibility & Analytics 7.x)\\\": \\\"7.4 User and Entity Behavior Analytics\\\", \\\"tab\\\": \\\"VA74\\\" },\\r\\n\\t\\t{ \\\"Select All (Visibility & Analytics 7.x)\\\": \\\"7.5 Threat Intelligence Integration\\\", \\\"tab\\\": \\\"VA75\\\" },\\r\\n\\t\\t{ \\\"Select All (Visibility & Analytics 7.x)\\\": \\\"7.6 Automated Dynamic Policies\\\", \\\"tab\\\": \\\"VA76\\\" }\\r\\n\\t\\t]\",\"transformers\":null}", + "size": 3, + "exportMultipleValues": true, + "exportedParameters": [ + { + 
"fieldName": "tab", + "parameterName": "Tab", + "parameterType": 1 + } + ], + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "Select All (Visibility & Analytics 7.x)", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + } + }, + { + "columnMatch": "tab", + "formatter": 5 + }, + { + "columnMatch": "Zero Trust", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + } + } + ] + }, + "sortBy": [] + }, + "customWidth": "90", + "name": "VisandAnalyticsZT", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "42fc8445-0772-439f-b490-461fb17e5d2f", + "version": "KqlParameterItem/1.0", + "name": "isVA71Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "VA71", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "6d0940d2-e259-49de-b490-75d026dd6ad3", + "version": "KqlParameterItem/1.0", + "name": "isVA72Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "VA72", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "f727f39d-ec12-43f9-a6ed-e44515f19b66", + "version": "KqlParameterItem/1.0", + "name": "isVA73Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", 
+ "rightValType": "static", + "rightVal": "VA73", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "a354cdb5-4a2c-4d66-8cd9-30b0f23d8cef", + "version": "KqlParameterItem/1.0", + "name": "isVA74Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "VA74", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "3870cb3e-20be-4bdb-82be-24ec1523da05", + "version": "KqlParameterItem/1.0", + "name": "isVA75Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "VA75", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "d31d900a-f10c-4e34-b768-6e6370aceb3a", + "version": "KqlParameterItem/1.0", + "name": "isVA76Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "VA76", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + 
"customWidth": "5", + "name": "AutoOrchZTParameters" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p7" + }, + "customWidth": "50", + "name": "p7-1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR7.1", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 7.1\r\n| Descriptions | Outcomes | ZT Impact | \r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations collect and process all logs including network, data, application, device, and user logs and make those logs available to the appropriate Computer Network Defense Service Provider (CNDSP) or security operations center (SOC). Logs and events follow a standardized format and rules/analytics are developed as needed. | DoD organizations collect and process all logs including network, data, application, device, and user logs and make those logs available to the appropriate Computer Network Defense Service Provider (CNDSP) or SOC. | Foundational to the development of automated hunt and incident response playbooks. 
|" + }, + "name": "VisAnalyticsCR71" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusva71", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateva71", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesva71", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "VisAnalytics71Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Azure Monitor Log Analytics |\r\n| Microsoft Sentinel |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isVA71Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "VisAnalyticsCR71Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR7.2", + "expandable": true, + 
"expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 7.2\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|\r\n| Computer Network Defense Service Provider (CNDSP) or security operations centers (SOC) monitor, detect, and analyze data logged into a security information and event management (SIEM) tool. User and device baselines are created using security controls and integrated with the SIEM. Alerting within the SIEM is matured over the phases to support more advanced data points (e.g., Cyber Threat Intel, Baselines, etc.) | CNDSPs/SOCs monitor, detect, and analyze data logged into a security information and event management (SIEM) tool. | Processing and exploiting data in the SIEM enables effective security analysis of anomalous user behavior, alerting, and automation of relevant incident response to common threat events. |" + }, + "name": "VisAnalyticsCR72" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "f28c401d-2da4-4960-8232-f659d30252d2", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusva72", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "a4b5ef42-9775-433e-ac25-55cc0eabd5c0", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateva72", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + 
"version": "KqlParameterItem/1.0", + "name": "Notesva72", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "f06061bf-e951-4cc0-b335-c8eea6f55495", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "VisAnalytics72Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft Sentinel |\r\n| Microsoft Defender for Cloud (MDfC) |\r\n| Microsoft 365 Defender |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isVA72Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "VisAnalyticsCR72Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR7.3", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 7.3\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| Computer Network Defense Service Provider (CNDSP) or security operations centers (SOC) employ data tools across their enterprises for multiple data types to unify data collection and examine events, activities, and behaviors. | CNDSPs/SOCs employ big data tools across their enterprises for multiple data types to unify data collection and examine events, activities, and behaviors. | Analysis integrated across multiple data types to examine event, activities, and behaviors. 
|" + }, + "name": "VisAnalyticsCR73" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "6d883c79-17bf-432a-8d50-cf2280380232", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusva73", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "196b9437-34c4-4c58-9b54-81650c8e9cfa", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateva73", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesva73", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "15d3be75-9b31-44c4-8108-42122f1c1883", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "VisAnalytics73Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft Sentinel |\r\n| Microsoft Defender for Cloud (MDfC) |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isVA73Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "VisAnalyticsCR73Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR7.4", + "expandable": true, 
+ "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 7.4\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD organizations initially employ analytics to profile and baseline activity of users and entities and to correlate user activities and behaviors and detect anomalies. Computer Network Defense Service Provider (CNDSP) or security operations centers (SOC) mature this capability through the employment of advanced analytics to profile and baseline activity of users and entities and to correlate user activities and behaviors, and detect anomalies. | DoD organizations initially employ analytics to profile and baseline activity of users and entities and to correlate user activities and behaviors and detect anomalies. CNDSPs/SOCs mature this capability through the employment of advanced analytics to profile and baseline activity of users and entities and to correlate user activities and behaviors, and detect anomalies. | Advanced analytics support detection of anomalous users, devices, and NPE actions and advanced threats. 
|" + }, + "name": "VisAnalyticsCR74" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusva74", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateva74", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesva74", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "VisAnalytics74Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft Sentinel UEBA |\r\n| Microsoft Defender for Cloud Apps (MDA) |\r\n| Microsoft Defender for Identity (MDI) |\r\n| Entra ID Conditional Access (CA) |\r\n| Purview Insider Risk Management |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isVA74Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "VisAnalyticsCR74Group" + }, + { 
+ "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR7.5", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 7.5\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| Computer Network Defense Service Provider (CNDSP) or security operations centers (SOC) integrate threat intelligence information and streams about identities, motivations, characteristics, and tactics, techniques and procedures (TTPs) with data collected in the SIEM. | CNDSPs/SOCs integrate threat intelligence information and streams about identities, motivations, characteristics, and tactics, techniques and procedures (TTPs) with data collected in the SIEM. | Integrating threat intelligence into other SIEM data enhances monitoring efforts and incident response. |" + }, + "name": "VisAnalyticsCR75" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusva75", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateva75", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": 
"KqlParameterItem/1.0", + "name": "Notesva75", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "VisAnalytics75Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Microsoft Sentinel Threat Intelligence (TI) | \r\n| Microsoft Graph Security Indicators | \r\n| Microsoft Defender Threat Intelligence (MDTI) |" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isVA75Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "VisAnalyticsCR75Group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "CR7.6", + "expandable": true, + "expanded": true, + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Capability Requirements 7.6\r\n| Descriptions | Outcomes | ZT Impact |\r\n|-|:--|:--|:--|:--|:-:|\r\n| DoD Organization ML & AI solutions dynamically and automatically update security profiles and device configuration through continuous security posture monitoring, risk and confidence scoring, and automated patch management. | CNDSPs/SOCs dynamically and automatically update security profiles and device configuration through continuous security posture monitoring, risk and confidence scoring, and automated patch management. | Users and NPEs are denied access based on automated, real-time security profiles based on external conditions and evolving risk and confidence scores. 
|" + }, + "name": "VisAnalyticsCR76" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "056c30de-eb39-4c29-bdbb-3335fc29e542", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusva76", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented (0%)\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented (100%)\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation (100%)\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned (50%)\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope (0%)\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e95c3294-7b0b-478f-8455-4c0f77ada61c", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateva76", + "label": "Implementation Date", + "type": 1, + "value": "DueDate=2027", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesva76", + "type": 1, + "value": "Enter Notes", + "timeContext": { + "durationMs": 86400000 + }, + "id": "0ef48265-3bb2-4d75-9bc6-9840f6255f54", + "label": "Notes" + } + ], + "style": "formHorizontal", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "VisAnalytics76Status" + }, + { + "type": 1, + "content": { + "json": "| Recommended Microsoft Solution(s) | \r\n|-----------------------------------|\r\n| Entra ID Protection |\r\n| Microsoft Defender for Endpoint (MDE) |\r\n| Microsoft Defender for Cloud (MDfC) |\r\n| Microsoft Sentinel Fusion ML |\r\n| Microsoft Sentinel Bring Your Own Machine Learning (BYOML) | \r\n| Microsoft Sentinel Playbooks |\r\n| Microsoft Intune |\r\n| Azure Automation |\r\n| Purview Insider Risk Management |" + }, + "conditionalVisibility": { + "parameterName": "isVA76Visible", + "comparison": 
"isEqualTo", + "value": "true" + }, + "name": "text - 2" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "isVA76Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "VisAnalyticsCR76Group" + } + ], + "exportParameters": true + }, + "name": "VisAnalyticsCRGroup" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p7" + }, + "customWidth": "50", + "name": "p7-2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "7.1 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 7.1 Log All Traffic (Network, Data, Apps, Users)\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Log Analytics Workspace](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.OperationalInsights%2Fworkspaces)
\r\nπŸ”€ [Log Query Packs](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.OperationalInsights%2Fquerypacks)
\r\nπŸ”€ [Sign-in Activity Logs](https://portal.azure.us/#blade/Microsoft_AAD_IAM/SignInEventsV3Blade)
\r\nπŸ”€ [Activity Logs](https://portal.azure.us/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/activityLog)
\r\nπŸ”€ [Audit Log](https://portal.azure.us/#blade/Microsoft_AAD_IAM/AuditEventsV2PillsBlade)
\r\nπŸ”€ [Operation Log](https://portal.azure.us/#blade/Microsoft_Azure_Resources/OperationLogsBlade)
\r\nπŸ”€ [Microsoft Azure Log Search Alerts](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/c134d63b-957f-4cf7-8a34-d744aa8804df/appId/f6b60513-f290-450e-a2f3-9930de61c5e7)" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Log Analytics Workspace](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.OperationalInsights%2Fworkspaces)
\r\nπŸ”€ [Log Query Packs](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.OperationalInsights%2Fquerypacks)
\r\nπŸ”€ [Sign-in Activity Logs](https://portal.azure.us/#blade/Microsoft_AAD_IAM/SignInEventsV3Blade)
\r\nπŸ”€ [Activity Logs](https://portal.azure.us/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/activityLog)
\r\nπŸ”€ [Audit Log](https://portal.azure.us/#blade/Microsoft_AAD_IAM/AuditEventsV2PillsBlade)
\r\nπŸ”€ [Operation Log](https://portal.azure.us/#blade/Microsoft_Azure_Resources/OperationLogsBlade)
\r\nπŸ”€ [Microsoft Azure Log Search Alerts](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/c134d63b-957f-4cf7-8a34-d744aa8804df/appId/f6b60513-f290-450e-a2f3-9930de61c5e7)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Azure Log Analytics](https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview)
\r\nπŸ’‘ [Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/overview)
\r\nπŸ’‘ [Audit Logging and Monitoring](https://learn.microsoft.com/compliance/assurance/assurance-audit-logging)
\r\nπŸ’‘ [Maturity Model for Log Management M2131](https://techcommunity.microsoft.com/t5/public-sector-blog/microsoft-sentinel-maturity-model-for-event-log-management-m-21/ba-p/3074336)
\r\nπŸ’‘ [Device Log Capture - Intune](https://learn.microsoft.com/mem/intune/remote-actions/collect-diagnostics)
\r\nπŸ’‘ [Application Logging](https://learn.microsoft.com/sql/relational-databases/performance/view-the-windows-application-log-windows-10?view=sql-server-ver16)
\r\nπŸ’‘ [User Access Logging](https://learn.microsoft.com/windows-server/administration/user-access-logging/get-started-with-user-access-logging)
\r\nπŸ’‘ [Azure Infrastructure Logs](https://learn.microsoft.com/azure/well-architected/scalability/monitor-infrastructure)
\r\nπŸ’‘ [Network Logging](https://learn.microsoft.com/azure/azure-web-pubsub/howto-troubleshoot-network-trace)
\r\nπŸ’‘ [Supported Logs for Network](https://learn.microsoft.com/azure/azure-monitor/reference/supported-logs/microsoft-network-networkmanagers-logs)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations \r\n" + }, + "name": "text - 5" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "d1983eba-6224-4c08-b792-4910eff535ad", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "description": "Select the time range that will be used for the query's", + "value": { + "durationMs": 604800000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\n| extend ResultText = case(isnotempty(ResultDescription), ResultDescription, ResultType == 0 and isempty(ResultDescription), \"successful login\", \"unknown\") // Create readable result text to include succesfull logins\n| summarize dcount(CorrelationId) by ResultText // Signin results by unique CorrelationId\n| render piechart", + "size": 0, + "title": "Login events by result", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "ResultText", + "exportParameterName": "Selected_ResultText", + "exportDefaultValue": "", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "chartSettings": { + "group": "ResultText", + "createOtherGroup": null, + "seriesLabelSettings": [ + { + "seriesName": "successful login", + "color": "green" + } + ], + "ySettings": { + "unit": 17, + "min": null, + "max": null + } + } + }, + 
"customWidth": "33", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\n| extend ResultText = case(isnotempty(ResultDescription), ResultDescription, ResultType == 0 and isempty(ResultDescription), \"successful login\", \"unknown\")\n| summarize dcount(CorrelationId) by ResultText, bin(TimeGenerated,4h) // summarize the total Signin events per Description per hour (by unique CorrelationId's)", + "size": 0, + "title": "Count of login types per 4 hours", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "ResultText", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "dcount_CorrelationId", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "33", + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\n| where isnotempty(LocationDetails['countryOrRegion']) and ResultType == 0// Where location details are available and login is successful\n| extend city = tostring(LocationDetails['city'])\n| summarize count() by city, Location // Summarize by city name\n| join (\nSigninLogs\n| extend city = tostring(LocationDetails['city'])\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by city \n) on city\n| project Location, city, [\"Total events\"] = count_, TrendLine = TrendList\n| top 10 by [\"Total events\"] desc", + "size": 0, + "title": "successful login locations", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ 
+ { + "columnMatch": "Total events", + "formatter": 4, + "formatOptions": { + "palette": "blue", + "showIcon": true + } + }, + { + "columnMatch": "TrendLine", + "formatter": 9, + "formatOptions": { + "palette": "greenRed", + "showIcon": true + } + }, + { + "columnMatch": "Events", + "formatter": 4, + "formatOptions": { + "palette": "blue", + "showIcon": true + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "id", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + } + ], + "hierarchySettings": { + "idColumn": "city", + "parentColumn": "Location", + "treeType": 0, + "expanderColumn": "city", + "expandTopLevel": false + } + }, + "sortBy": [], + "tileSettings": { + "titleContent": { + "columnMatch": "city", + "formatter": 1, + "formatOptions": { + "showIcon": true + } + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto", + "showIcon": true + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Events", + "formatter": 9, + "formatOptions": { + "showIcon": true + } + }, + "showBorder": false + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "LocationDetails", + "formatter": 1, + "formatOptions": { + "showIcon": true + } + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "formatOptions": { + "showIcon": true + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "nodeIdField": "count_", + "sourceIdField": "Location", + "targetIdField": "city", + "nodeSize": null, + "staticNodeSize": 100, + "colorSettings": null, + "hivesMargin": 5 + }, + "mapSettings": { + "locInfo": "LatLong", + "locInfoColumn": "GeoSelection", + "latitude": "latitude", + "longitude": "longitude", + 
"sizeSettings": "count_", + "sizeAggregation": "Sum", + "defaultSize": 0, + "labelSettings": "locationInfo", + "legendMetric": "count_", + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "count_", + "colorAggregation": "Sum", + "type": "heatmap", + "heatmapPalette": "redGreen" + } + } + }, + "customWidth": "33", + "name": "query - 7" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where ResultType == 0 and AppDisplayName != \"\"\r\n| summarize count() by AppDisplayName\r\n| join (\r\nSigninLogs\r\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, 4h) by AppDisplayName \r\n) on AppDisplayName\r\n| top 10 by count_ desc", + "size": 4, + "title": "successful logins by application", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "AppDisplayName", + "formatter": 1, + "formatOptions": { + "showIcon": true + } + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto", + "showIcon": true + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "TrendList", + "formatter": 9, + "formatOptions": { + "showIcon": true + } + }, + "showBorder": false + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AppDisplayName", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "name": "query - 14" + }, + { + "type": 1, + "content": { + "json": "----\n## AuditLogs\n\nThese tables are an example Azure Security Administrators and Zero Trust Implementtors can use so 
to make sure that the Zero Trust Logging activties of user operations are successfully executed.
\nIt also benefits the security operator by seeing which operations are perfomed by which users or services. Therefore he or she can act quickly on a suspicious operation." + }, + "name": "text - 9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\nAuditLogs\n| summarize Runs = count(), Success = countif(Result == 'success'), Fails = countif(Result != 'success') by OperationName // Summarize the total, successful and failed operations by name\n| extend SuccessRate = (Success * 100 / Runs) // Calculate the percentage of succesful operations against the total\n| join (\nAuditLogs\n| where Result == 'success'\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName \n) on OperationName\n| project OperationName, Runs, SuccessRate, TrendList\n| top 10 by Runs desc // Show the top 10 of most run operations", + "size": 0, + "title": "Top 10 operation by successrate", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Runs", + "formatter": 4, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "SuccessRate", + "formatter": 8, + "formatOptions": { + "min": 0, + "max": 100, + "palette": "redGreen", + "showIcon": true + } + }, + { + "columnMatch": "TrendList", + "formatter": 9, + "formatOptions": { + "showIcon": true + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\nAuditLogs\n| summarize Runs = count(), Success = countif(Result == 'success'), Fails = countif(Result != 'success') by OperationName // Summarize the total, successful and failed operations by name\n| extend SuccessRate = (Success * 100 / Runs) // Calculate the percentage of succesful operations against the total\n| project OperationName, Runs, SuccessRate, Fails\n| top 
10 by SuccessRate asc // Show the 10 Operation by least SuccessRate", + "size": 0, + "title": "Top 10 most failed operations", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Runs", + "formatter": 4, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "SuccessRate", + "formatter": 8, + "formatOptions": { + "min": 0, + "max": 100, + "palette": "redGreen", + "showIcon": true + } + }, + { + "columnMatch": "Fails", + "formatter": 8, + "formatOptions": { + "palette": "redBright", + "showIcon": true + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 5 - Copy" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isVA71Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "7.1Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "7.2 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 7.2 Security Information & Event Management (SIEM)\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)
\r\nπŸ”€ [Microsoft Defender for Cloud](https://portal.azure.us/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0)
\r\n" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)
\r\nπŸ”€ [Microsoft Defender for Cloud](https://portal.azure.us/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0)
\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/overview)
\r\nπŸ’‘ [Implement Sentinel & M365](https://learn.microsoft.com/security/operations/siem-xdr-overview)
\r\nπŸ’‘ [Unified SIEM & XDR](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-unified-microsoft-siem-and-xdr-github-community/ba-p/3249533)
\r\nπŸ’‘ [Stream Alerts Defender for Cloud to SIEM](https://learn.microsoft.com/azure/defender-for-cloud/export-to-siem#stream-alerts-to-azure-sentinel)
\r\nπŸ’‘ [Azure Sentinel Github Repo](https://github.com/Azure/Azure-Sentinel)
\r\nπŸ’‘ [Sentinel & SOC Analysis Process](https://learn.microsoft.com/azure/sentinel/migration-security-operations-center-processes)
\r\nπŸ’‘ [Microsoft Sentinel Skill Up Training](https://learn.microsoft.com/azure/sentinel/skill-up-resources)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations \r\n" + }, + "name": "text - 5" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "d1983eba-6224-4c08-b792-4910eff535ad", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "description": "Select the time range that will be used for the query's", + "value": { + "durationMs": 604800000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters" + }, + { + "type": 1, + "content": { + "json": "## One of countless SIEM Analytics examples of delivering Context, Correlation & Aggrgation of Security Incidents. 
" + }, + "name": "text - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\nAuditLogs\n| summarize Runs = count(), Success = countif(Result == 'success'), Fails = countif(Result != 'success') by OperationName // Summarize the total, successful and failed operations by name\n| extend SuccessRate = (Success * 100 / Runs) // Calculate the percentage of succesful operations against the total\n| join (\nAuditLogs\n| where Result == 'success'\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName \n) on OperationName\n| project OperationName, Runs, SuccessRate, TrendList\n| top 10 by Runs desc // Show the top 10 of most run operations", + "size": 0, + "title": "Top 10 Information & Events by Successrate", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Runs", + "formatter": 4, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "SuccessRate", + "formatter": 8, + "formatOptions": { + "min": 0, + "max": 100, + "palette": "redGreen", + "showIcon": true + } + }, + { + "columnMatch": "TrendList", + "formatter": 9, + "formatOptions": { + "showIcon": true + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 5" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isVA72Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "7.2Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "7.3 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 7.3 Common Security and Risk Analytics\r\n\r\n## Microsoft Portals 
Department of Defense\r\nπŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinell)
\r\nπŸ”€ [Defender For Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
\r\nπŸ”€ [Security Baselines](https://endpoint.microsoft.us/#home)" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinell)
\r\nπŸ”€ [Defender For Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
\r\nπŸ”€ [Security Baselines](https://endpoint.microsoft.us/#home)
\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Microsoft Security Response Center Security Updates Guide](https://msrc.microsoft.com/update-guide)
\r\nπŸ’‘ [Explore Risks to Sensitive Data Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/data-security-review-risks)
\r\nπŸ’‘ [Identify & Analyze Risks Across Your Environment](https://learn.microsoft.com/azure/defender-for-cloud/concept-attack-path)
\r\nπŸ’‘ [Cloud Security Posture Management](https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management)
\r\nπŸ’‘ [Microsoft Cloud Security Benchmark](https://learn.microsoft.com/azure/defender-for-cloud/concept-regulatory-compliance)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations \r\n" + }, + "name": "text - 5" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "befbf593-c171-4129-b890-7e642265ed0c", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 7776000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "parameters - 8" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "value::selected" + ], + "parameters": [ + { + "id": "3218e2b0-1bcc-46d4-affa-d298e0cf90f6", + "version": "KqlParameterItem/1.0", + "name": "DefaultSubscription_Internal", + "type": 1, + "isRequired": true, + "query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "e6ded9a1-a83c-4762-938d-5bf8ff3d3d38", + "version": "KqlParameterItem/1.0", + "name": "Subscription", + "type": 6, + "isRequired": true, + "query": "summarize by 
subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)", + "crossComponentResources": [ + "value::selected" + ], + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "customWidth": "33", + "name": "parameters - 10" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "d4aa2831-0ab8-4977-a80e-359420e7d5f7", + "cellValue": "Tab", + "linkTarget": "parameter", + "linkLabel": "Azure Security Center", + "subTarget": "ASC", + "style": "link" + } + ] + }, + "name": "links - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityResources \r\n| where type == 'microsoft.security/securescores/securescorecontrols'\r\n| extend SecureControl = properties.displayName, unhealthy = properties.unhealthyResourceCount, currentscore = properties.score.current, maxscore = properties.score.max\r\n| where maxscore != 0\r\n| project SecureControl , unhealthy, currentscore, maxscore", + "size": 0, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "SecureControl", + "formatter": 1 + }, + { + "columnMatch": "unhealthy", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "0", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "greenDark", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + 
}, + { + "columnMatch": "currentscore", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "0", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "greenDark", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "maxscore", + "formatter": 1 + } + ] + } + }, + "name": "query - 1" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isVA73Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "7.3Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "7.4 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 7.4 User and Entity Behavior Analytics\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinell)
\r\nπŸ”€ [Defender For Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinell)
\r\nπŸ”€ [Defender For Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [M365 Defender Portal](https://security.microsoft.us/)\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [ID Threats with User and Entity Behavior Analytics](https://learn.microsoft.com/azure/sentinel/identify-threats-with-entity-behavior-analytics)
\r\nπŸ’‘ [Enable Entity Behavior Analytics to Detect Threats](https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
\r\nπŸ’‘ [Microsoft Sentinel UEBA Reference](https://learn.microsoft.com/azure/sentinel/ueba-reference)
\r\nπŸ’‘ [Investigate Incidents with UEBA](https://learn.microsoft.com/azure/sentinel/investigate-with-ueba)
\r\nπŸ’‘ [Discover and Protect Sensitive Information in your Organization](https://learn.microsoft.com/defender-cloud-apps/tutorial-dlp)
\r\nπŸ’‘ [Purview Insider Risk Management](https://learn.microsoft.com/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/plan-for-microsoft-purview-dod-deployments)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations \r\n" + }, + "name": "text - 5" + }, + { + "type": 1, + "content": { + "json": "# User and Entity Behavior Analytics\n---\n\nDepicted below is one of many examples of UEBA- open incidents, alerts and anomalies identified by Sentinel UEBA engine. " + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "36cdaf52-4303-405d-ac9c-de2037db99c3", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "label": "Time Range", + "type": 4, + "value": { + "durationMs": 2419200000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let AnomalousSigninActivity = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActionType == \"Sign-in\"\n| where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\nor ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\n| join (\nSigninLogs | where TimeGenerated 
{TimeRange:query} | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \"none\"\n) on $left.SourceRecordId == $right._ItemId\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Successful Logon\",\n Tactic = \"Persistence\",\n Technique = \"Valid Accounts\",\n SubTechnique = \"\",\n Description = \"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\nlet high = 
dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\nlet AnomalousRoleAssignment = AuditLogs\n| where TimeGenerated {TimeRange:query}\n| where OperationName == \"Add member to role\"\n| mv-expand TargetResources\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\n| where isnotempty(RoleId) and RoleId in (critical,high)\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\n| where isnotempty(RoleName)\n| extend TargetId = tostring(TargetResources.id)\n| extend Target = tostring(TargetResources.userPrincipalName)\n| join kind=inner ( BehaviorAnalytics\n | where TimeGenerated {TimeRange:query}\n | where ActionType == \"Add member to role\"\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\n) on $left._ItemId == $right.SourceRecordId\n| extend AnomalyName = \"Anomalous Role Assignemt\",\n Tactic = \"Persistence\",\n Technique = \"Account Manipulation\",\n SubTechnique = \"\",\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. 
The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority;let LogOns=materialize(\nBehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActivityType == \"LogOn\");\nlet AnomalousResourceAccess = LogOns\n| where ActionType == \"ResourceAccess\"\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\n| extend AnomalyName = \"Anomalous Resource Access\",\n Tactic = \"Lateral Movement\",\n Technique = \"\",\n SubTechnique = \"\",\n Description = \"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousRDPActivity = LogOns\n| where ActionType == \"RemoteInteractiveLogon\"\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\n| extend AnomalyName = \"Anomalous RDP Activity\",\n Tactic = \"Lateral Movement\",\n Technique = \"\",\n SubTechnique = \"\",\n Description = \"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. 
FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousLogintoDevices = LogOns\n| where ActionType == \"InteractiveLogon\"\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\n| where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\n| extend AnomalyName = \"Anomalous Login To Devices\",\n Tactic = \"Privilege Escalation\",\n Technique = \"Valid Accounts\",\n SubTechnique = \"\",\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousPasswordReset = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActionType == \"Reset user password\"\n| where ActivityInsights.FirstTimeUserPerformedAction == \"True\"\n| join (\nAuditLogs\n | where TimeGenerated {TimeRange:query}\n | where OperationName == \"Reset user password\"\n) on $left.SourceRecordId == $right._ItemId\n| mv-expand TargetResources\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Password Reset\",\n Tactic = \"Impact\",\n Technique = \"Account Access Removal\",\n SubTechnique = \"\",\n Description = \"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\n| sort by TimeGenerated desc;\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActionType == \"Sign-in\"\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\n| join (\nSigninLogs\n | where TimeGenerated {TimeRange:query}\n) on $left.SourceRecordId == $right._ItemId\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Successful Logon\",\n Tactic = \"Initial Access\",\n Technique = \"Valid Accounts\",\n SubTechnique = \"\",\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousFailedLogon = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActivityType == \"LogOn\"\n| where UsersInsights.BlastRadius == \"High\"\n| join (\n SigninLogs \n | where TimeGenerated {TimeRange:query}\n | where Status.errorCode == 50126\n) on $left.SourceRecordId == $right._ItemId\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Failed Logon\",\n Tactic = \"Credential Access\",\n Technique = \"Brute Force\",\n SubTechnique = \"Password Guessing\",\n Description = \"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousAADAccountManipulation = AuditLogs\n| where TimeGenerated {TimeRange:query}\n| where OperationName == \"Update user\"\n| mv-expand AdditionalDetails\n| where AdditionalDetails.key == \"UserPrincipalName\"\n| mv-expand TargetResources\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\n| where isnotempty(RoleId) and RoleId in (critical,high)\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\n| where isnotempty(RoleName)\n| extend TargetId = tostring(TargetResources.id)\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\n| join kind=inner ( \n BehaviorAnalytics\n | where TimeGenerated {TimeRange:query}\n | where ActionType == \"Update user\"\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\n) on $left._ItemId == $right.SourceRecordId\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName) \n| extend AnomalyName = \"Anomalous Account Manipulation\",\n Tactic = \"Persistence\",\n Technique = \"Account Manipulation\",\n SubTechnique = \"\",\n Description = \"Adversaries may manipulate 
accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActionType == \"Add user\"\n| where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\n| join(\nAuditLogs\n | where TimeGenerated {TimeRange:query} \n | where OperationName == \"Add user\"\n) on $left.SourceRecordId == $right._ItemId\n| mv-expand TargetResources\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\n| extend DisplayName = tostring(UsersInsights.AccountDisplayName),\nUserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Account Creation\",\n Tactic = \"Persistence\",\n Technique = \"Create Account\",\n SubTechnique = \"Cloud Account\",\n Description = \"Adversaries may 
create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\"\t\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\n| sort by TimeGenerated desc;\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\nlet TopUsersByAnomalies = AnomalyTable\n| summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\n| project Name=tolower(UserName),UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\n| sort by AnomalyCount desc;\nlet TopUsersByIncidents = SecurityIncident\n| where TimeGenerated {TimeRange:query} \n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\n| where Status == \"New\" or Status == \"Active\"\n| mv-expand AlertIds\n| extend AlertId = tostring(AlertIds)\n| join kind= innerunique ( \nSecurityAlert | where TimeGenerated {TimeRange:query} \n) on $left.AlertId == $right.SystemAlertId\n| summarize hint.strategy = shuffle arg_max(TimeGenerated,*), NumberOfUpdates = count() by SystemAlertId\n| mv-expand todynamic(Entities)\n| where Entities[\"Type\"] =~ 
\"account\"\n| extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]) , Host = tostring(Entities[\"Host\"])\n| extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\n| union TopUsersByAnomalies\n| extend \n AadPivot = iff(isempty(AadUserId),iff(isempty(Sid),Name,Sid),AadUserId),\n SidPivot = iff(isempty(Sid),iff(isempty(AadUserId),Name,AadUserId),Sid),\n UPNExists = iff(isempty(UPN), false,true),\n NameExists = iff(isempty(Name), false,true),\n SidExists = iff(isempty(Sid), false,true),\n AADExists = iff(isempty(AadUserId), false,true)\n| summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber,4),AlertCount=dcountif(AlertId,isnotempty(AlertId),4),AnomalyCount=sum(AnomalyCount),any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true),NameAnchor=anyif(Name, NameExists == true),AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true) , any(SidPivot) by AadPivot\n| summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount),AlertCount=sum(AlertCount),AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false),NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false),AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title,any_Severity,any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\n| summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount),AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false),AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), 
SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity,any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\n| project [\"UserName\"]=NameAnchor,IncidentCount, AlertCount,AnomalyCount, [\"AadUserId\"]=AadAnchor,[\"OnPremSid\"]=SidAnchor , [\"UserPrincipalName\"]=UPNAnchor;\nTopUsersByIncidents\n| sort by IncidentCount, AlertCount, AnomalyCount desc\n", + "size": 1, + "showAnalytics": true, + "timeContextFromParameter": "TimeRange", + "exportedParameters": [ + { + "fieldName": "UserPrincipalName", + "parameterName": "SelectedUser", + "parameterType": 1 + }, + { + "fieldName": "UserName", + "parameterName": "UserName", + "parameterType": 1, + "defaultValue": "None" + }, + { + "fieldName": "AadUserId", + "parameterName": "UserObjectId", + "parameterType": 1 + }, + { + "fieldName": "OnPremSid", + "parameterName": "UserSid", + "parameterType": 1 + }, + { + "fieldName": "AnomalyCount", + "parameterName": "AnomalyCount", + "parameterType": 1, + "defaultValue": "0" + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "IncidentCount", + "formatter": 8, + "formatOptions": { + "palette": "redDark" + } + } + ], + "filter": true, + "sortBy": [ + { + "itemKey": "AnomalyCount", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "AnomalyCount", + "sortOrder": 2 + } + ] + }, + "name": "query - 2" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isVA74Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "7.4Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "7.5 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + 
"type": 1, + "content": { + "json": "# 7.5 Threat Intelligence Integration\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinell)
\r\nπŸ”€ [Defender For Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
\r\nπŸ”€ [Microsoft Threat Intelligence Portal](https://ti.defender.microsoft.com/)" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinell)
\r\nπŸ”€ [Defender For Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
\r\nπŸ”€ [Microsoft Threat Intelligence Portal](https://ti.defender.microsoft.com/)
\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\n\r\nπŸ’‘ [Microsoft Threat Intelligence](https://learn.microsoft.com/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti)
\r\nπŸ’‘ [Microsoft Security Graph API](https://learn.microsoft.com/graph/api/resources/security-api-overview?view=graph-rest-beta)
\r\nπŸ’‘ [Create Threat Intelligence Indicators](https://learn.microsoft.com/graph/api/tiindicators-post?view=graph-rest-beta&tabs=http)
\r\nπŸ’‘ [Threat intelligence integration in Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/threat-intelligence-integration)
\r\nπŸ’‘ [Bring Your Own Threat Intelligence Feeds](https://learn.microsoft.com/defender-cloud-apps/additional-integrations)
\r\nπŸ’‘ [Accessing the Threat Intelligence Portal](https://learn.microsoft.com/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations \r\n" + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(\r\n isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock),\r\n \"IP\",\r\n iff(\r\n isnotempty(Url),\r\n \"URL\",\r\n iff(\r\n isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress),\r\n \"Email\",\r\n iff(\r\n isnotempty(FileHashValue),\r\n \"File\",\r\n iff(\r\n isnotempty(DomainName) or isnotempty(EmailSourceDomain),\r\n \"Domain\",\r\n \"Other\"\r\n)\r\n)\r\n)\r\n)\r\n )\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\r\n| order by CountOfIndicators desc \r\n| render barchart kind=stacked", + "size": 0, + "title": "Indicators Imported into Sentinel by Indicator Type and Date", + "timeContext": { + "durationMs": 2592000000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "75query1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\r\n| render barchart kind=stacked", + "size": 0, + "title": "Indicators Imported into Sentinel by Indicator Provider and Date", + "timeContext": { + "durationMs": 2592000000 + }, + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "75query2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n // Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n // Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(\r\n isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock),\r\n \"IP\",\r\n iff(\r\n isnotempty(Url),\r\n \"URL\",\r\n iff(\r\n isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress),\r\n \"Email\",\r\n iff(\r\n isnotempty(FileHashValue),\r\n \"File\",\r\n iff(\r\n isnotempty(DomainName) or isnotempty(EmailSourceDomain),\r\n \"Domain\",\r\n \"Other\"\r\n)\r\n)\r\n)\r\n)\r\n )\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", + "size": 0, + "title": "Active Indicators by Indicator Type", + "timeContext": { + "durationMs": 2592000000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "75query3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n // Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n // Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested 
copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", + "size": 0, + "title": "Active Indicators by Indicator Source", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "75query4" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isVA75Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "7.5Activities", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "7.6 Activities", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# 7.6 Automated Dynamic Policies\r\n\r\n## Microsoft Portals Department of Defense\r\nπŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinell)
\r\nπŸ”€ [Defender For Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
\r\nπŸ”€ [Logic Apps](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Logic%2Fworkflows)
\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Azure Automation](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/d2175af3-6958-4008-83ac-ac2b81eafac7/appId/fc75330b-179d-49af-87dd-3b1acf6827fa)
\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
" + }, + "customWidth": "33", + "name": "LT-1" + }, + { + "type": 1, + "content": { + "json": "

\r\n## Microsoft Portals Government\r\nπŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinell)
\r\nπŸ”€ [Defender For Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
\r\nπŸ”€ [Logic Apps](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Logic%2Fworkflows)
\r\nπŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
\r\nπŸ”€ [Azure Automation](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/d2175af3-6958-4008-83ac-ac2b81eafac7/appId/fc75330b-179d-49af-87dd-3b1acf6827fa)
\r\nπŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
\r\nπŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
\r\n" + }, + "customWidth": "33", + "name": "LT-1 - Copy" + }, + { + "type": 1, + "content": { + "json": "
\r\n
\r\n## Resources\r\nπŸ’‘ [Automate Threat Response with Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/automate-responses-with-playbooks)
\r\nπŸ’‘ [Adaptive Protection - Microsoft Purview](https://www.microsoft.com/security/blog/2023/02/06/introducing-adaptive-protection-in-microsoft-purview-people-centric-data-protection-for-a-multiplatform-world/#:~:text=With%20Adaptive%20Protection%2C%20DLP%20policies%20become%20dynamic%2C%20ensuring,efficient%20and%20empowered%20to%20do%20more%20with%20less.)
\r\nπŸ’‘ [Adaptive Policy Scopes M365](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/using-adaptive-policy-scopes-to-apply-m365-retention-to-shared/ba-p/3053641#:~:text=Back%20in%20October,in%20Microsoft%20365.)
\r\nπŸ’‘ [Adaptive Application Controls](https://learn.microsoft.com/azure/defender-for-cloud/adaptive-application-controls)
\r\nπŸ’‘ [AI-Driven Adaptive Device Controls Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/ai-driven-adaptive-protection-in-microsoft-defender-for-endpoint/ba-p/2966491)
\r\nπŸ’‘ [AI-Driven Adaptive Protection Against Human Operated Ransomeware](https://www.microsoft.com/security/blog/2021/11/15/ai-driven-adaptive-protection-against-human-operated-ransomware/)
\r\nπŸ’‘ [Microsoft Defender for Cloud Automated Security Posture Management](https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management)
\r\nπŸ’‘ [Improve your network security posture with adaptive network hardening](https://learn.microsoft.com/azure/defender-for-cloud/adaptive-network-hardening)
\r\nπŸ’‘ [What is Microsoft Entra ID Protection?](https://learn.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection)
\r\nπŸ’‘ [Azure Automation update management](https://learn.microsoft.com/azure/architecture/hybrid/azure-update-mgmt)
\r\nπŸ’‘ [Manage Windows 10 and Windows 11 software updates in Intune](https://learn.microsoft.com/mem/intune/protect/windows-update-for-business-configure)
" + }, + "customWidth": "33", + "name": "LT-1 - Copy - Copy" + } + ] + }, + "name": "group - 6" + }, + { + "type": 1, + "content": { + "json": "## Example Visual Representations \r\n" + }, + "name": "text - 5" + }, + { + "type": 1, + "content": { + "json": "## Microsoft Defender for Cloud Security Continuous Posture Monitoring & Manangement " + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "befbf593-c171-4129-b890-7e642265ed0c", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 7776000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "parameters - 8" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "value::selected" + ], + "parameters": [ + { + "id": "3218e2b0-1bcc-46d4-affa-d298e0cf90f6", + "version": "KqlParameterItem/1.0", + "name": "DefaultSubscription_Internal", + "type": 1, + "isRequired": true, + "query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": 
"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38", + "version": "KqlParameterItem/1.0", + "name": "Subscription", + "type": 6, + "isRequired": true, + "query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)", + "crossComponentResources": [ + "value::selected" + ], + "typeSettings": { + "additionalResourceOptions": [] + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "customWidth": "33", + "name": "parameters - 10" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "d4aa2831-0ab8-4977-a80e-359420e7d5f7", + "cellValue": "Tab", + "linkTarget": "parameter", + "linkLabel": "Azure Security Center", + "subTarget": "ASC", + "style": "link" + } + ] + }, + "name": "links - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityResources \r\n| where type == 'microsoft.security/securescores/securescorecontrols'\r\n| extend SecureControl = properties.displayName, unhealthy = properties.unhealthyResourceCount, currentscore = properties.score.current, maxscore = properties.score.max\r\n| where maxscore != 0\r\n| project SecureControl , unhealthy, currentscore, maxscore", + "size": 0, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "SecureControl", + "formatter": 1 + }, + { + "columnMatch": "unhealthy", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "0", + "representation": "redBright", 
+ "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "greenDark", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "currentscore", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "0", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "greenDark", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "maxscore", + "formatter": 1 + } + ], + "filter": true + } + }, + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "securityresources\r\n| where type == \"microsoft.security/regulatorycompliancestandards\"\r\n| extend \r\n\tpassedControls = trim (' ', tostring(properties.passedControls)), \r\n\tfailedControls = trim(' ',tostring(properties.failedControls)), \r\n\tstate \t\t = trim(' ', tostring(properties.state)), \r\n\tunsupportedControls = trim(' ', tostring(properties.unsupportedControls)), \r\n\tskippedControls = trim(' ', tostring(properties.skippedControls))\r\n| project name, passedControls, failedControls, unsupportedControls, skippedControls , subscriptionId\r\n| order by passedControls desc", + "size": 1, + "title": "Regulatory compliance", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "passedControls", + "formatter": 3, + "formatOptions": { + "palette": "greenDark" + } + }, + { + "columnMatch": "failedControls", + "formatter": 3, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "unsupportedControls", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + 
"thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ], + "compositeBarSettings": { + "labelText": "", + "columnSettings": [] + } + } + }, + { + "columnMatch": "skippedControls", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "gray", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + } + }, + "name": "query - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Subscription}" + ], + "parameters": [ + { + "id": "bc9db514-ebcc-4e47-bf23-a0dfe8cb1594", + "version": "KqlParameterItem/1.0", + "name": "SelectCompliance", + "label": "Control", + "type": 2, + "isRequired": true, + "query": "securityresources\r\n| where type == \"microsoft.security/regulatorycompliancestandards\"\r\n| project name\r\n", + "crossComponentResources": [ + "{Subscription}" + ], + "value": "DOD-IL5", + "typeSettings": { + "additionalResourceOptions": [ + "value::1" + ], + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "385b8e2e-be15-416d-8ed0-730f6dd34737", + "version": "KqlParameterItem/1.0", + "name": "selectState", + "label": "State", + "type": 2, + "isRequired": true, + "query": "securityresources\r\n| where type == \"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\"\r\n | extend state \t\t = trim(' ', tostring(properties.state))\r\n| summarize by state", + "crossComponentResources": [ + "{Subscription}" + ], + "value": "Failed", + "typeSettings": { + "additionalResourceOptions": [ + "value::1" + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": 
"parameters - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "securityresources\r\n| where type == \"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\"\r\n| parse id with *\"/regulatoryComplianceStandards/\" strControlName \"/regulatory\"*\r\n | extend \r\n\t state \t\t = trim(' ', tostring(properties.state))\r\n\t,description = trim(' ', tostring(properties.description))\r\n| where strControlName startswith '{SelectCompliance}'\r\n| extend isState = iif(isempty('{selectState}'),\"All states\",'{selectState}')\r\n//| where isSstate == '{selectState}'\r\n| summarize by ControlName = strControlName, name, Status = isState, description", + "size": 0, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Status", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Passed", + "representation": "greenDark", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Failed", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Skipped", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Unsupported", + "representation": "blue", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 1000, + "filter": true + } + }, + "name": "query - 3" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Tab", + "comparison": "isEqualTo", + "value": "ASC" + }, + "name": "ASC" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isVA76Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "7.6Activities", + "styleSettings": { + "showBorder": true + } + } + ] + }, + 
"conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "p7" + }, + "name": "P7Activities" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n\\t{ \\\"Select All (Zero Trust Essentials)\\\": \\\"DoD Zero Trust Assessment Tracker\\\", \\\"tab\\\": \\\"ess2\\\" },\\r\\n\\t{ \\\"Select All (Zero Trust Essentials)\\\": \\\"Microsoft Zero Trust Capability Alignment\\\", \\\"tab\\\": \\\"ess3\\\" },\\r\\n\\t{ \\\"Select All (Zero Trust Essentials)\\\": \\\"Workbook FAQ\\\", \\\"tab\\\":\\\"ess4\\\"}\\r\\n]\",\"transformers\":null}", + "size": 3, + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "tab", + "parameterName": "Tab", + "parameterType": 1 + } + ], + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "Select All (Zero Trust Essentials)", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + }, + "tooltipFormat": { + "tooltip": "DoD CIO Zero Trust Assessment Tracker (Track overall ZT Progress) | Microsoft to DoD CIO Zero Trust Capability Alignment (Overview of Microsoft-specific solution alignment with each ZT Capability) | Workbook FAQ (Provides answers to common questions)" + } + }, + { + "columnMatch": "tab", + "formatter": 5 + }, + { + "columnMatch": "Zero Trust", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "75ch" + }, + "tooltipFormat": { + "tooltip": "DoD CIO Zero Trust Assessment Tracker (Track overall ZT Progress) | Microsoft to DoD CIO Zero Trust Capability Alignment (Overview of Microsoft-specific solution alignment with each ZT Capability) | Workbook FAQ (Provides answers to common questions)" + } + } + ] + }, + "sortBy": [] + }, + 
"customWidth": "90", + "name": "ESSZT", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "8f836776-6a60-46a6-8d25-be73bf045494", + "version": "KqlParameterItem/1.0", + "name": "isess1Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "ess1", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "3758b348-e74f-437f-abd4-4e6e66b1be7e", + "version": "KqlParameterItem/1.0", + "name": "isess2Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "ess2", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "isess3Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "ess3", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "5312c92d-0157-44c6-8ed2-47c309dcfa20" + }, + { + "version": "KqlParameterItem/1.0", + "name": "isess4Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + 
"rightValType": "static", + "rightVal": "ess4", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "763cd0cc-cf61-490c-8aeb-52293e95ca3b" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "5", + "name": "essparam" + } + ], + "exportParameters": true + }, + "customWidth": "50", + "name": "ZTChoices", + "styleSettings": { + "margin": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "PARAMS", + "loadType": "always", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "UserParams", + "loadType": "always", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu11", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu11}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "badea796-b8d1-48c5-aa6a-e79a03652f08", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu12", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu12}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": 
"ImplementationStatusu13", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu13}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "94b092f5-0d45-44b0-94d6-c970f028a29f" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu14", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu14}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "31635e0f-6c62-4ea6-93c7-af3e1bcb0f2e" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu15", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu15}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "b180aee1-d461-4a1d-8293-7d9530504632" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu16", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu16}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "324f7aca-5759-4d71-884a-cdfc9aff7792" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu17", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu17}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "e9e76dfd-46f6-4151-a9bd-4e41ed1e8746" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu18", + 
"type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu18}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "481e4a5e-3be0-4b83-a874-bbd50ecd60d6" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusu19", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu19}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "3aeac3e1-b0de-4409-85cc-1130aea247fb" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationScore", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu11}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"25\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"50\",\r\n\"unknown\" )Β \r\n| project status", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "d54e9908-cd65-4b81-8005-c3ceb2532796" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "UserStatus" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "b094bf32-2b67-496a-86a7-e11eccbc6b7a", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu11", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateu11}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + 
"id": "1ba98d1d-be68-407e-89a8-0e4138c311a8", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu12", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateu12}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu13", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateu13}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "8de9cdfd-84b6-4e2b-9d8c-f3c1d4b51a26" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu14", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateu14}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "f62f8dca-356e-4701-8396-0c1f1f85eb52" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu15", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateu15}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "99bf95cd-f14b-4f56-b249-bc93435e657e" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu16", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateu16}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "c8d5f1b1-fe4d-45bb-8020-b2d22c1ab13f" + }, + { + "version": "KqlParameterItem/1.0", + "name": 
"ImplementationDateu17", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateu17}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "5b95c4e4-c07a-48b2-a22a-8ec50bac5861" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu18", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateu18}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "f1c8b9db-458c-42c4-a020-b779ff7e93e9" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateu19", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateu19}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "fcdc75b4-c2e8-4f40-b326-bbc8a5034b40" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "UserDate" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "31bd34c3-f085-4ca1-9a2c-957fd15e505d", + "version": "KqlParameterItem/1.0", + "name": "Notesu11", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesu11}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "13a7ebf5-c3d3-4b72-91c0-e75e929e546a", + "version": "KqlParameterItem/1.0", + "name": "Notesu12", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesu12}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + 
"queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesu13", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesu13}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "f8ff740f-78ad-4d9f-bb7d-e5621fb14e2e" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesu14", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesu14}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "c02945c1-f063-4813-a43b-8df6fd3e1a66" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesu17", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesu17}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "9533f837-2472-4502-9dd7-35bcd23a40c3" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesu18", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesu18}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "271fe247-07d0-4fa5-b5ac-ad3e66110c47" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesu19", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesu19}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "85bcaf17-2c8a-4847-9927-ea69fb21a985" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces" + }, + "name": "UserNotes" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "3ba3eb47-bc14-4627-8cce-9e6d3a33a034", + "version": "KqlParameterItem/1.0", + "name": "score11", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu11}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "982c6aeb-a486-4012-a74a-de4c1324e7cc", + "version": "KqlParameterItem/1.0", + "name": "score12", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu12}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "a20f0792-9fba-43c0-af20-9d512e969530", + "version": "KqlParameterItem/1.0", + "name": "score13", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu13}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β 
\r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "44a313aa-bb56-46ac-b7dc-c41ef8644df6", + "version": "KqlParameterItem/1.0", + "name": "score14", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu14}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "3aa98425-bc75-45cb-96cc-b973289e428a", + "version": "KqlParameterItem/1.0", + "name": "score15", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu15}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "04c8aa32-6673-46b6-a137-34dd6c004fd6", + "version": "KqlParameterItem/1.0", + "name": "score16", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu16}'); print VARIABLEΒ \r\n| extend 
status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "d5f4d78a-7ce4-42fa-b584-d571f2d16694", + "version": "KqlParameterItem/1.0", + "name": "score17", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu17}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "e124180b-6a70-4fe5-860f-6031e6deafaf", + "version": "KqlParameterItem/1.0", + "name": "score18", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu18}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "55ce6b37-4c38-4b31-9e64-01ef8985c1f5", + "version": 
"KqlParameterItem/1.0", + "name": "score19", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu19}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "UserScore" + } + ], + "exportParameters": true + }, + "name": "UserParams" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "DeviceParams", + "loadType": "always", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusD21", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusd21}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusD22", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusd22}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "f9007218-a886-4d5d-94e1-a09802dbe316" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusD23", + "type": 1, + "query": "let VARIABLE = 
dynamic('{ImplementationStatusd23}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "0c6cf716-0fae-4f81-a6db-db334859f28a" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusD24", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusd24}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "7d660dcb-a4ad-4a4f-ab6a-17203ee1099c" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusD25", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusd25}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "66450c23-bbdb-4381-a91c-ce7fa2c7930e" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusD26", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusd26}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "e22f8757-fc18-4d7e-8c38-d9537e647326" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusD27", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusd27}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "8b572798-a8ce-4073-84fa-a6490a2b3c6f" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + 
"name": "DeviceStatus" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "ae898bdf-6ee0-4b27-8ce7-02d5b0c5e0dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDated21", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDated21}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDated22", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDated22}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "db3aaf6a-8436-4df3-a995-4be019793b0b" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDated23", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDated23}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "300d2772-d125-44eb-a3cc-3d05865c9c40" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDated24", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDated24}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "4b280d05-6fba-4cfa-8965-a78721450f90" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDated25", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDated25}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + 
"resourceType": "microsoft.operationalinsights/workspaces", + "id": "1355144d-b9d9-4d02-a052-26d251373ddd" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDated26", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDated26}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "743bd94e-eecc-42d0-91c1-40cb580856b6" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDated27", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDated27}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "78eea3ef-a01e-47dd-bba1-504148d066e6" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "DeviceDate" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "c91625f3-a095-4547-b674-adcd6f254fc9", + "version": "KqlParameterItem/1.0", + "name": "Notesd21", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesd21}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesd22", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesd22}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "bae7ec76-710f-4c87-ac06-a65e2f231222" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesd23", + "type": 1, + "query": "let VARIABLE = 
dynamic('{Notesd23}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "ef575479-773d-4fd9-bb73-388b021ee38d" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesd24", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesd24}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "4c2b3043-4da5-4da6-a98a-4af75a6603e0" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesd25", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesd25}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "7322dae3-efbf-4dc8-bf5b-9271f0912c8e" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesd26", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesd26}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "40088436-58d7-44b9-be43-5d8413caff74" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesd27", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesd27}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "68c5b46a-92f4-4ea7-9765-3577596d3508" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "DeviceNotes" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + 
"{Workspace}" + ], + "parameters": [ + { + "id": "3ba3eb47-bc14-4627-8cce-9e6d3a33a034", + "version": "KqlParameterItem/1.0", + "name": "score21", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusd21}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "982c6aeb-a486-4012-a74a-de4c1324e7cc", + "version": "KqlParameterItem/1.0", + "name": "score22", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusd22}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "a20f0792-9fba-43c0-af20-9d512e969530", + "version": "KqlParameterItem/1.0", + "name": "score23", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusd23}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" 
+ ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "44a313aa-bb56-46ac-b7dc-c41ef8644df6", + "version": "KqlParameterItem/1.0", + "name": "score24", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusu14}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "3aa98425-bc75-45cb-96cc-b973289e428a", + "version": "KqlParameterItem/1.0", + "name": "score25", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusd25}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "04c8aa32-6673-46b6-a137-34dd6c004fd6", + "version": "KqlParameterItem/1.0", + "name": "score26", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusd26}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β 
\r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "d5f4d78a-7ce4-42fa-b584-d571f2d16694", + "version": "KqlParameterItem/1.0", + "name": "score27", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusd27}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "DeviceScore" + } + ], + "exportParameters": true + }, + "name": "DeviceParams" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "AppParams", + "loadType": "always", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusapp31", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusapp31}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusapp32", + "type": 1, + "query": "let VARIABLE = 
dynamic('{ImplementationStatusapp32}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "2a82cdf4-b526-438c-b0fd-ada58084d8d8" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusapp33", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusapp33}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "7085d4e0-5f24-45b5-94f9-0de34cb4d626" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusapp34", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusapp34}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "564c0ea5-0278-4d95-86a2-caf0dde441e9" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusapp35", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusapp35}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "cfa0ce01-a0dc-4306-92d9-6aa39f6819ff" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AppStatus" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "fec47f95-98b7-43a6-ae69-e3f1491b3119", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateapp31", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateapp31}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + 
}, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateapp32", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateapp32}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "40c60c9e-811e-43d4-a949-2a00fc391356" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateapp33", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateapp33}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "555fc62e-fd5f-4943-8939-ce2f2dca25c1" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateapp34", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateapp34}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "e97c49a6-cc50-466e-8a8f-1e0b9cef59a0" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateapp35", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateapp35}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "f9ac66d3-d366-4242-9de2-91c0a92fff39" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AppDate" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": 
"f7ce32fa-3a15-4ddb-aa8d-d01f7e4a0476", + "version": "KqlParameterItem/1.0", + "name": "Notesapp31", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesapp31}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesapp32", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesapp32}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "0d947a49-242a-429e-85c2-fc7733755f14" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesapp33", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesapp33}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "33085ab1-3f14-4742-8047-1fc67305aab6" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesapp34", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesapp34}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "2bbe2e60-d446-45ac-b2e0-df5583653047" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesapp35", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesapp35}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "36e71504-3c2b-4696-b48d-b0db5cc1584c" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AppNotes" + 
}, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "3ba3eb47-bc14-4627-8cce-9e6d3a33a034", + "version": "KqlParameterItem/1.0", + "name": "score31", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusapp31}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "982c6aeb-a486-4012-a74a-de4c1324e7cc", + "version": "KqlParameterItem/1.0", + "name": "score32", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusapp32}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "a20f0792-9fba-43c0-af20-9d512e969530", + "version": "KqlParameterItem/1.0", + "name": "score33", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusapp33}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate 
Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "44a313aa-bb56-46ac-b7dc-c41ef8644df6", + "version": "KqlParameterItem/1.0", + "name": "score34", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusapp34}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "3aa98425-bc75-45cb-96cc-b973289e428a", + "version": "KqlParameterItem/1.0", + "name": "score35", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusapp35}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AppScore" + } + ], + "exportParameters": true + }, + "name": "AppParams" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": 
"editable", + "title": "DataParams", + "loadType": "always", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusdata41", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusdata41}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusdata42", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusdata42}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "00823f86-5cdc-43c6-9586-728f96c3b591" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusdata43", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusdata43}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "fb502a89-c3d0-49b8-960a-7a8d7e21c4af" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusdata44", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusdata44}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "b1357567-29dc-45ae-bcab-10991e4cf4c1" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusdata45", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusdata45}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 
5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "fda1e209-84a9-48ed-8e45-7ee0224d6b42" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusdata46", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusdata46}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "23369183-5c70-4abe-b30d-97965f89b07e" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusdata47", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusdata47}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "90254164-366b-4746-9073-3cb247122fbc" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "DataStatus" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "3cf48b00-7b35-46bd-b522-5286b7c0a94d", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatedata41", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDatedata41}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatedata42", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDatedata42}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": 
"877c6bf4-6186-4597-a34a-3cbbf58cdf0a" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatedata43", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDatedata43}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "414f4fcc-5b3e-4321-b4e5-81f724090101" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatedata44", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDatedata44}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "523555fc-1c13-4ec8-9abf-7fb1552a7447" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatedata45", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDatedata45}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "e6cfb43f-aa1e-4893-9dda-883cd09761ca" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatedata46", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDatedata46}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "16ad5330-5574-462f-9ba3-f9caebbba7be" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatedata47", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDatedata47}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "id": "d4ec41c0-9ce4-4c23-8b6f-00cb818ee171" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "DataDate" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "2fd04610-cc1a-418f-a2d4-f45bdc4e78ab", + "version": "KqlParameterItem/1.0", + "name": "Notesdata41", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesdata41}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesdata42", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesdata42}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "6de67e44-264f-4d01-b928-cff147cb78f6" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesdata43", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesdata43}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "7f01ecde-9bce-479d-a52a-a0f1600850e1" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesdata44", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesdata44}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "44a366b9-341c-44b1-8a9a-e803ea2d94cc" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesdata45", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesdata45}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 
5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "16a89f30-6551-4553-b41b-9d2472bd8dce" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesdata46", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesdata46}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "502e6804-88cb-40c6-bae3-99a697cdcc4d" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesdata47", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesdata47}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "a5640f0a-39f5-467e-a399-f11f0d09a9a6" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "DataNotes" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "3ba3eb47-bc14-4627-8cce-9e6d3a33a034", + "version": "KqlParameterItem/1.0", + "name": "score41", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusdata41}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "982c6aeb-a486-4012-a74a-de4c1324e7cc", + 
"version": "KqlParameterItem/1.0", + "name": "score42", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusdata42}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "a20f0792-9fba-43c0-af20-9d512e969530", + "version": "KqlParameterItem/1.0", + "name": "score43", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusdata43}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "44a313aa-bb56-46ac-b7dc-c41ef8644df6", + "version": "KqlParameterItem/1.0", + "name": "score44", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusdata44}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": 
"TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "3aa98425-bc75-45cb-96cc-b973289e428a", + "version": "KqlParameterItem/1.0", + "name": "score45", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusdata45}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "04c8aa32-6673-46b6-a137-34dd6c004fd6", + "version": "KqlParameterItem/1.0", + "name": "score46", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusdata46}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "d5f4d78a-7ce4-42fa-b584-d571f2d16694", + "version": "KqlParameterItem/1.0", + "name": "score47", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusdata47}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β 
\r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "DataScore" + } + ], + "exportParameters": true + }, + "name": "DataParms" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "NetParams", + "loadType": "always", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusnet51", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusnet51}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusnet52", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusnet52}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "745e60c4-e263-4819-8d3a-7a0f470fe636" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusnet53", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusnet53}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "5d370c7d-0064-4712-9d93-8ecdafebc5e3" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusnet54", + "type": 1, + "query": 
"let VARIABLE = dynamic('{ImplementationStatusnet54}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "bc969a7b-fb5e-4ee9-b48c-03462d94f153" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "NetStatus" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "3cf48b00-7b35-46bd-b522-5286b7c0a94d", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatenet51", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDatenet51}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatenet52", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDatenet52}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "2ec28a2b-2eff-4f1c-9f33-002e90c49d9a" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatenet53", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDatenet53}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "f68a1f9b-c282-474a-8234-f9c0e8966b13" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDatenet54", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDatenet54}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, 
+ "resourceType": "microsoft.operationalinsights/workspaces", + "id": "71737e40-2bd5-4af8-9708-d5d941f17382" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "NetDate" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "2fd04610-cc1a-418f-a2d4-f45bdc4e78ab", + "version": "KqlParameterItem/1.0", + "name": "Notesnet51", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesnet51}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesnet52", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesnet52}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "243699b1-5955-41fc-bbe3-d3d945098008" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesnet53", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesnet53}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "322f64b5-d08e-476b-9e93-577e7738356f" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesnet54", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesnet54}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "fab751c5-67e8-4e7b-ab8a-4e2a88e94b89" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "NetNotes" + }, + { + "type": 9, + "content": { + 
"version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "3ba3eb47-bc14-4627-8cce-9e6d3a33a034", + "version": "KqlParameterItem/1.0", + "name": "score51", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusnet51}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "982c6aeb-a486-4012-a74a-de4c1324e7cc", + "version": "KqlParameterItem/1.0", + "name": "score52", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusnet52}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "a20f0792-9fba-43c0-af20-9d512e969530", + "version": "KqlParameterItem/1.0", + "name": "score53", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusnet53}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" 
)Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "44a313aa-bb56-46ac-b7dc-c41ef8644df6", + "version": "KqlParameterItem/1.0", + "name": "score54", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusnet54}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "NetScore" + } + ], + "exportParameters": true + }, + "name": "NetParams" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "AOParams", + "loadType": "always", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusao61", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusao61}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusao62", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusao62}');\r\nprint VARIABLE", + "timeContext": { + 
"durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "d58485bd-726b-4075-988f-07851e1f7950" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusao63", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusao63}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "caf254a3-ad5e-4b7e-9746-4c3aa8eea931" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusao64", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusao64}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "7d86a027-4fa9-46e1-aefe-9827d9bf0b2c" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusao65", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusao65}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "e51f607b-3f2f-4079-ae6e-910f7c40226b" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusao66", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusao66}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "8fd71dd3-48e5-4c59-a5f1-6dedfca9d748" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusao67", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusao67}');\r\nprint VARIABLE", + "timeContext": { 
+ "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "eaa17365-a020-46a0-8bfc-61ce866048dd" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AOStatus" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "3cf48b00-7b35-46bd-b522-5286b7c0a94d", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateao61", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateao61}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateao62", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateao62}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "f57d5bb6-7aef-4847-b01d-e95f3572292f" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateao63", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateao63}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "84b63819-9ecc-4144-9fcb-98d06d2f5b53" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateao64", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateao64}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": 
"7ae6ecf8-1c6f-4d12-86ea-e807a76a582e" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateao65", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateao65}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "9ffc3be7-f2d1-4149-9272-3b52c2087c19" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateao66", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateao66}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "e78f640c-7091-435d-bb0a-210097de7cf9" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateao67", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateao67}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "1fdecc20-4578-45a1-9525-959e4e01e1fa" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AODate" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "2fd04610-cc1a-418f-a2d4-f45bdc4e78ab", + "version": "KqlParameterItem/1.0", + "name": "Notesao61", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesao61}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesao62", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesao62}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 
5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "ec9bbc12-4923-4f4e-a205-b3ad7558310c" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesao63", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesao63}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "27cb90e8-3f85-4aaf-84a4-eb4135e9b3f0" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesao64", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesao64}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "3b9be10e-8152-4556-a226-cab26e6fd75a" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesao65", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesao65}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "ca545b3c-2671-4b59-af3a-bac9d9ad1765" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesao66", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesao66}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "9b289b10-dcd8-4f90-b9f0-fb477014eebf" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesao67", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesao67}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", 
+ "id": "ab988391-a89e-4a35-be79-2fb88b40613d" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AONotes" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "3ba3eb47-bc14-4627-8cce-9e6d3a33a034", + "version": "KqlParameterItem/1.0", + "name": "score61", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusao61}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "982c6aeb-a486-4012-a74a-de4c1324e7cc", + "version": "KqlParameterItem/1.0", + "name": "score62", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusao62}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "a20f0792-9fba-43c0-af20-9d512e969530", + "version": "KqlParameterItem/1.0", + "name": "score63", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusao63}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == 
\"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "44a313aa-bb56-46ac-b7dc-c41ef8644df6", + "version": "KqlParameterItem/1.0", + "name": "score64", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusao64}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "score65", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusao65}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "482c3094-9716-4c0e-a6dd-6af3947b280b" + }, + { + "version": "KqlParameterItem/1.0", + "name": "score66", + "type": 1, + "query": "let VARIABLE = 
dynamic('{ImplementationStatusao66}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "7c8b65ae-f0c7-4662-9bbb-a5e3195733e3" + }, + { + "version": "KqlParameterItem/1.0", + "name": "score67", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusao67}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "0734c0df-caf6-433e-acd2-c9fb2073e5da" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "AOScore" + } + ], + "exportParameters": true + }, + "name": "AOParams" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "VAParams", + "loadType": "always", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusva71", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusva71}');\r\nprint VARIABLE", + 
"timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusva72", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusva72}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "962d8dea-252d-4a21-acb4-dbaed9413642" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusva73", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusva73}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "532c6fdc-e6cf-4d83-a0d1-8184464f67e9" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusva74", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusva74}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "01b4280a-d381-41b0-9728-b7f4693fc966" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusva75", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusva75}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "86b1ddc8-34af-4338-abca-bdfc1895b8d2" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusva76", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusva76}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 
5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "ff0a4bed-4ca1-49e6-a0cb-034ca959a0fc" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatusva77", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusva77}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "2810671c-6771-4d05-a3ea-cd9e531a053d" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "VAStatus" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "3cf48b00-7b35-46bd-b522-5286b7c0a94d", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateva71", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateva71}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateva72", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateva72}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "30ab513b-560b-4e70-8eeb-8ce913b6f289" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateva73", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateva73}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": 
"7d7dd2e9-b450-4c24-a5d5-9f451b20f9fe" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateva74", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateva73}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "f38bf834-56a7-4b44-bbfc-37760222aade" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateva75", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateva75}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "e43030d8-c2da-4f15-ab98-76846ae8913c" + }, + { + "version": "KqlParameterItem/1.0", + "name": "ImplementationDateva76", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationDateva76}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "2af70cce-6251-48ef-86a6-636b697a8bb1" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "VADate" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "2fd04610-cc1a-418f-a2d4-f45bdc4e78ab", + "version": "KqlParameterItem/1.0", + "name": "Notesva71", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesva71}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesva72", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesva72}');\r\nprint VARIABLE", + 
"timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "70642ca9-542f-4ebb-a3be-459edca7dda5" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesva73", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesva73}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "268b3128-73b4-4531-992c-a7fdc90cb282" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesva74", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesva74}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "52a8e544-88ef-4b20-aca2-84f10d175379" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesva75", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesva75}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "64c1e85d-3c8d-48d9-bb10-f084e26a62f1" + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notesva76", + "type": 1, + "query": "let VARIABLE = dynamic('{Notesva76}');\r\nprint VARIABLE", + "timeContext": { + "durationMs": 5184000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "54284111-4654-4187-aa66-1c77450b2a87" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "VANotes" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + 
"id": "3ba3eb47-bc14-4627-8cce-9e6d3a33a034", + "version": "KqlParameterItem/1.0", + "name": "score71", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusva71}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "982c6aeb-a486-4012-a74a-de4c1324e7cc", + "version": "KqlParameterItem/1.0", + "name": "score72", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusva72}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "a20f0792-9fba-43c0-af20-9d512e969530", + "version": "KqlParameterItem/1.0", + "name": "score73", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusva73}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 
0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "44a313aa-bb56-46ac-b7dc-c41ef8644df6", + "version": "KqlParameterItem/1.0", + "name": "score74", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusva74}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "a4522f96-52de-4868-a568-ffda45685607", + "version": "KqlParameterItem/1.0", + "name": "score75", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusva75}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "8e39d231-83be-4cef-829d-2dc4c4172755", + "version": "KqlParameterItem/1.0", + "name": "score76", + "type": 1, + "query": "let VARIABLE = dynamic('{ImplementationStatusva76}'); print VARIABLEΒ \r\n| extend status = case(VARIABLE == \"Implemented\", \"100\",Β \r\nVARIABLE == \"Not Implemented\", \"0\",Β \r\nVARIABLE == \"Planned\", \"50\",Β \r\nVARIABLE == \"Out of Scope\", \"0\",Β \r\nVARIABLE == \"Alternate 
Implementation\", \"100\",\r\n\"unknown\" )Β \r\n| project status", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "VAScore" + } + ], + "exportParameters": true + }, + "name": "VAParams" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "1", + "comparison": "isEqualTo", + "value": "1" + }, + "name": "PARAMS" + }, + { + "type": 1, + "content": { + "json": "## Zero Trust Maturity (Percentage)" + }, + "name": "text - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let score = dynamic([\"{score11}\",\"{score12}\",\"{score13}\",\"{score14}\",\"{score15}\",\"{score16}\",\"{score17}\",\"{score18}\",\"{score19}\",\"{score21}\",\"{score22}\",\"{score23}\",\"{score24}\",\"{score25}\",\"{score26}\",\"{score27}\",\"{score31}\",\"{score32}\",\"{score33}\",\"{score34}\",\"{score35}\",\"{score41}\",\"{score42}\",\"{score43}\",\"{score44}\",\"{score45}\",\"{score46}\",\"{score47}\",\"{score51}\",\"{score52}\",\"{score53}\",\"{score54}\",\"{score61}\",\"{score62}\",\"{score63}\",\"{score64}\",\"{score65}\",\"{score66}\",\"{score67}\",\"{score71}\",\"{score72}\",\"{score73}\",\"{score74}\",\"{score75}\",\"{score76}\"]); print score\r\n | extend total = score\r\n | mvexpand total\r\n | extend Result = toint(total)\r\n| summarize avg(Result)\r\n", + "size": 1, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Result", + "formatter": 4, + "formatOptions": { + "min": 0, + "max": 100, + "palette": "redGreen", + "compositeBarSettings": { + "labelText": "", + "columnSettings": [] + } + }, + 
"numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + }, + "tooltipFormat": { + "tooltip": "This value represents the collective percentage of statuses of each of the corresponding 45 capabilities." + } + } + ], + "sortBy": [ + { + "itemKey": "$gen_bar_Result_0", + "sortOrder": 1 + } + ], + "labelSettings": [ + { + "columnId": "avg_Result", + "label": "Current Score" + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_bar_Result_0", + "sortOrder": 1 + } + ], + "tileSettings": { + "showBorder": false + }, + "mapSettings": { + "locInfo": "LatLong", + "sizeSettings": "avg_Result", + "sizeAggregation": "Sum", + "legendMetric": "avg_Result", + "legendAggregation": "Sum", + "itemColorSettings": { + "type": "heatmap", + "colorAggregation": "Sum", + "nodeColorField": "avg_Result", + "heatmapPalette": "greenRed" + } + } + }, + "conditionalVisibility": { + "parameterName": "isess2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "total" + } + ], + "exportParameters": true + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "isess2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "paratest" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\r\\n\\t\\t\\t\\t\\t\\t\\\"columns\\\":[\\r\\n\\t\\t{\\\"name\\\":\\\"Pillar\\\", \\\"type\\\":\\\"string\\\"},\\r\\n\\t\\t{\\\"name\\\":\\\"Capability Requirement\\\", \\\"type\\\":\\\"string\\\"},\\r\\n\\t\\t{\\\"name\\\":\\\"Implementation Status\\\", \\\"type\\\":\\\"string\\\"},\\r\\n\\t\\t{\\\"name\\\":\\\"Implemented Date\\\", \\\"type\\\":\\\"string\\\"},\\r\\n\\t\\t{\\\"name\\\":\\\"Notes\\\", \\\"type\\\":\\\"string\\\"},\\r\\n\\t\\t{\\\"name\\\":\\\"Score\\\", \\\"type\\\": \\\"string\\\"}],\\r\\n\\t\\t\\t\\\"rows\\\":[\\r\\n[\\\"1. 
User\\\",\\\"1.1 User Inventory\\\",\\\"{ImplementationStatusu11}\\\",\\\"{ImplementationDateu11}\\\",\\\"{Notesu11}\\\",\\\"{score11}\\\"],\\r\\n[\\\"1. User\\\",\\\"1.2 Conditional User Access\\\",\\\"{ImplementationStatusu12}\\\",\\\"{ImplementationDateu12}\\\",\\\"{Notesu12}\\\",\\\"{score12}\\\"],\\r\\n[\\\"1. User\\\",\\\"1.3 Multi-Factor Authentication\\\",\\\"{ImplementationStatusu13}\\\",\\\"{ImplementationDateu13}\\\",\\\"{Notesu13}\\\",\\\"{score13}\\\"],\\r\\n[\\\"1. User\\\",\\\"1.4 Privileged Access Management\\\",\\\"{ImplementationStatusu14}\\\",\\\"{ImplementationDateu14}\\\",\\\"{Notesu14}\\\",\\\"{score14}\\\"],\\r\\n[\\\"1. User\\\",\\\"1.5 Identity Federation & User Credentialing\\\",\\\"{ImplementationStatusu15}\\\",\\\"{ImplementationDateu15}\\\",\\\"{Notesu15}\\\",\\\"{score15}\\\"],\\r\\n[\\\"1. User\\\",\\\"1.6 Behavorial, Contextual ID & Biometrics\\\",\\\"{ImplementationStatusu16}\\\",\\\"{ImplementationDateu16}\\\",\\\"{Notesu16}\\\",\\\"{score16}\\\"],\\r\\n[\\\"1. User\\\",\\\"1.7 Least Privileged Access\\\",\\\"{ImplementationStatusu17}\\\",\\\"{ImplementationDateu17}\\\",\\\"{Notesu17}\\\",\\\"{score17}\\\"],\\r\\n[\\\"1. User\\\",\\\"1.8 Continuous Authentication\\\",\\\"{ImplementationStatusu18}\\\",\\\"{ImplementationDateu18}\\\",\\\"{Notesu18}\\\",\\\"{score18}\\\"],\\r\\n[\\\"1. User\\\",\\\"1.9 Integrated ICAM Platform\\\",\\\"{ImplementationStatusu19}\\\",\\\"{ImplementationDateu18}\\\",\\\"{Notesu19}\\\",\\\"{score19}\\\"],\\r\\n[\\\"2. Device\\\",\\\"2.1 Device Inventory\\\",\\\"{ImplementationStatusd21}\\\",\\\"{ImplementationDated21}\\\",\\\"{Notesd21}\\\",\\\"{score21}\\\"],\\r\\n[\\\"2. Device\\\",\\\"2.2 Device Detection & Compliance\\\",\\\"{ImplementationStatusd22}\\\",\\\"{ImplementationDated22}\\\",\\\"{Notesd22}\\\",\\\"{score22}\\\"],\\r\\n[\\\"2. 
Device\\\",\\\"2.3 Device Authorization with Real Time Inspection\\\",\\\"{ImplementationStatusd23}\\\",\\\"{ImplementationDated23}\\\",\\\"{Notesd23}\\\",\\\"{score23}\\\"],\\r\\n[\\\"2. Device\\\",\\\"2.4 Remote Access\\\",\\\"{ImplementationStatusd24}\\\",\\\"{ImplementationDated24}\\\",\\\"{Notesd24}\\\",\\\"{score24}\\\"],\\r\\n[\\\"2. Device\\\",\\\"2.5 Partially & Fully Automated Asset, Vulnerability & Patch Management\\\",\\\"{ImplementationStatusd25}\\\",\\\"{ImplementationDated25}\\\",\\\"{Notesd25}\\\",\\\"{score25}\\\"],\\r\\n[\\\"2. Device\\\",\\\"2.6 Unified Endpoint Management & Mobile Device Management\\\",\\\"{ImplementationStatusd26}\\\",\\\"{ImplementationDated26}\\\",\\\"{Notesd26}\\\",\\\"{score26}\\\"],\\r\\n[\\\"2. Device\\\",\\\"2.7 Endpoint & Extended Detection & Response (EDR & XDR)\\\",\\\"{ImplementationStatusd27}\\\",\\\"{ImplementationDated27}\\\",\\\"{Notesd27}\\\",\\\"{score27}\\\"],\\r\\n[\\\"3. Application & Workload\\\",\\\"3.1 Application Inventory\\\",\\\"{ImplementationStatusapp31}\\\",\\\"{ImplementationDateapp31}\\\",\\\"{Notesapp31}\\\",\\\"{score31}\\\"],\\r\\n[\\\"3. Application & Workload\\\",\\\"3.2 Secure Software Development & Integration\\\",\\\"{ImplementationStatusapp32}\\\",\\\"{ImplementationDateapp32}\\\",\\\"{Notesapp32}\\\",\\\"{score32}\\\"],\\r\\n[\\\"3. Application & Workload\\\",\\\"3.3 Software Risk Management\\\",\\\"{ImplementationStatusapp33}\\\",\\\"{ImplementationDateapp33}\\\",\\\"{Notesapp33}\\\",\\\"{score33}\\\"],\\r\\n[\\\"3. Application & Workload\\\",\\\"3.4 Resource Authorization & Integration\\\",\\\"{ImplementationStatusapp34}\\\",\\\"{ImplementationDateapp34}\\\",\\\"{Notesapp34}\\\",\\\"{score34}\\\"],\\r\\n[\\\"3. Application & Workload\\\",\\\"3.5 Continuous Monitoring & Ongoing Authorizations\\\",\\\"{ImplementationStatusapp35}\\\",\\\"{ImplementationDateapp35}\\\",\\\"{Notesapp35}\\\",\\\"{score35}\\\"],\\r\\n[\\\"4. 
Data\\\",\\\"4.1 Data Catalog Risk Alignment\\\",\\\"{ImplementationStatusdata41}\\\",\\\"{ImplementationDatedata41}\\\",\\\"{Notesdata41}\\\",\\\"{score41}\\\"],\\r\\n[\\\"4. Data\\\",\\\"4.2 DoD Enterprise Data Governance\\\",\\\"{ImplementationStatusdata42}\\\",\\\"{ImplementationDatedata42}\\\",\\\"{Notesdata42}\\\",\\\"{score42}\\\"],\\r\\n[\\\"4. Data\\\",\\\"4.3 Data Labeling & Tagging\\\",\\\"{ImplementationStatusdata43}\\\",\\\"{ImplementationDatedata43}\\\",\\\"{Notesdata43}\\\",\\\"{score43}\\\"],\\r\\n[\\\"4. Data\\\",\\\"4.4 Data Monitoring & Sensing\\\",\\\"{ImplementationStatusdata44}\\\",\\\"{ImplementationDatedata44}\\\",\\\"{Notesdata44}\\\",\\\"{score44}\\\"],\\r\\n[\\\"4. Data\\\",\\\"4.5 Data Encryption & Rights Management\\\",\\\"{ImplementationStatusdata45}\\\",\\\"{ImplementationDatedata45}\\\",\\\"{Notesdata45}\\\",\\\"{score45}\\\"],\\r\\n[\\\"4. Data\\\",\\\"4.6 Data Loss Prevention (DLP)\\\",\\\"{ImplementationStatusdata46}\\\",\\\"{ImplementationDatedata46}\\\",\\\"{Notesdata46}\\\",\\\"{score46}\\\"],\\r\\n[\\\"4. Data\\\",\\\"4.7 Data Access Control\\\",\\\"{ImplementationStatusdata47}\\\",\\\"{ImplementationDatedata47}\\\",\\\"{Notesdata47}\\\",\\\"{score47}\\\"],\\r\\n[\\\"5. Network & Environment\\\",\\\"5.1 Data Flow Mapping\\\",\\\"{ImplementationStatusnet51}\\\",\\\"{ImplementationDatenet51}\\\",\\\"{Notesnet51}\\\",\\\"{score51}\\\"],\\r\\n[\\\"5. Network & Environment\\\",\\\"5.2 Software Defined Networking (SDN)\\\",\\\"{ImplementationStatusnet52}\\\",\\\"{ImplementationDatenet52}\\\",\\\"{Notesnet52}\\\",\\\"{score52}\\\"],\\r\\n[\\\"5. Network & Environment\\\",\\\"5.3 Macro Segmentation\\\",\\\"{ImplementationStatusnet53}\\\",\\\"{ImplementationDatenet53}\\\",\\\"{Notesnet53}\\\",\\\"{score53}\\\"],\\r\\n[\\\"5. Network & Environment\\\",\\\"5.4 Micro Segmenatation\\\",\\\"{ImplementationStatusnet54}\\\",\\\"{ImplementationDatenet54}\\\",\\\"{Notesnet54}\\\",\\\"{score54}\\\"],\\r\\n[\\\"6. 
Automation & Orchestration\\\",\\\"6.1 Policy Decision Point (PD) & Policy Orchestration\\\",\\\"{ImplementationStatusao61}\\\",\\\"{ImplementationDateao61}\\\",\\\"{Notesao61}\\\",\\\"{score61}\\\"],\\r\\n[\\\"6. Automation & Orchestration\\\",\\\"6.2 Critical Process Automation\\\",\\\"{ImplementationStatusao62}\\\",\\\"{ImplementationDateao62}\\\",\\\"{Notesao62}\\\",\\\"{score62}\\\"],\\r\\n[\\\"6. Automation & Orchestration\\\",\\\"6.3 Machine Learning\\\",\\\"{ImplementationStatusao63}\\\",\\\"{ImplementationDateao63}\\\",\\\"{Notesao63}\\\",\\\"{score63}\\\"],\\r\\n[\\\"6. Automation & Orchestration\\\",\\\"6.4 Artificial Learning\\\",\\\"{ImplementationStatusao64}\\\",\\\"{ImplementationDateao64}\\\",\\\"{Notesao64}\\\",\\\"{score64}\\\"],\\r\\n[\\\"6. Automation & Orchestration\\\",\\\"6.5 Security Orchestration, Automation & Response (SOAR)\\\",\\\"{ImplementationStatusao65}\\\",\\\"{ImplementationDateao65}\\\",\\\"{Notesao65}\\\",\\\"{score65}\\\"],\\r\\n[\\\"6. Automation & Orchestration\\\",\\\"6.6 API Standardization\\\",\\\"{ImplementationStatusao66}\\\",\\\"{ImplementationDateao66}\\\",\\\"{Notesao66}\\\",\\\"{score66}\\\"],\\r\\n[\\\"6. Automation & Orchestration\\\",\\\"6.7 Security Operations Center (SOC) & Incident Response (IR)\\\",\\\"{ImplementationStatusao67}\\\",\\\"{ImplementationDateao67}\\\",\\\"{Notesao67}\\\",\\\"{score67}\\\"],\\r\\n[\\\"7. Visibility & Analytics\\\",\\\"7.1 Log All Traffic (Network, Data, Apps, Users)\\\",\\\"{ImplementationStatusva71}\\\",\\\"{ImplementationDateva71}\\\",\\\"{Notesva71}\\\",\\\"{score71}\\\"],\\r\\n[\\\"7. Visibility & Analytics\\\",\\\"7.2 Security Information & Event Management (SIEM)\\\",\\\"{ImplementationStatusva72}\\\",\\\"{ImplementationDateva72}\\\",\\\"{Notesva72}\\\",\\\"{score72}\\\"],\\r\\n[\\\"7. Visibility & Analytics\\\",\\\"7.3 Common Security & Risk Analytics\\\",\\\"{ImplementationStatusva73}\\\",\\\"{ImplementationDateva73}\\\",\\\"{Notesva73}\\\",\\\"{score73}\\\"],\\r\\n[\\\"7. 
Visibility & Analytics\\\",\\\"7.4 User Entity & Behavorial Analytics\\\",\\\"{ImplementationStatusva74}\\\",\\\"{ImplementationDateva74}\\\",\\\"{Notesva74}\\\",\\\"{score74}\\\"],\\r\\n[\\\"7. Visibility & Analytics\\\",\\\"7.5 Threat Intelligence Platfrom\\\",\\\"{ImplementationStatusva75}\\\",\\\"{ImplementationDateva75}\\\",\\\"{Notesva75}\\\",\\\"{score75}\\\"],\\r\\n[\\\"7. Visibility & Analytics\\\",\\\"7.6 Automated Dynamic Policies\\\",\\\"{ImplementationStatusva76}\\\",\\\"{ImplementationDateva76}\\\",\\\"{Notesva76}\\\",\\\"{score76}\\\"]\\r\\n\\t\\t\\t]\\r\\n}\\r\\n\\r\\n\",\"transformers\":null}", + "size": 3, + "title": "Zero Trust Assessment Tracker", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "$gen_group", + "formatter": 0, + "tooltipFormat": { + "tooltip": "Expand to see the statuses of individual capabilities" + } + }, + { + "columnMatch": "Group", + "formatter": 1 + }, + { + "columnMatch": "Pillar", + "formatter": 1 + }, + { + "columnMatch": "Score", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "25", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "100", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "50", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": null, + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true, + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "Pillar" + ] + } + }, + "sortBy": [] + }, + "conditionalVisibility": { + "parameterName": "isess2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "thetracker", + "styleSettings": { + 
"showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "## DoD Zero Trust Strategy Workbook Workbook FAQ \r\n\r\n
\r\n### What will this workbook do for my organization? \r\n\r\nThis workbook provides structure, guidance, and simplification of the DoD Zero Trust Strategy to make it easier to track, prioritize, and improve Zero Trust Target (and Advanced) level Capabilities/Activities that are required to be implemented by 2027. \r\n\r\n
\r\n### Does this workbook only pertain to Microsoft-specific capabiltiies?\r\n\r\nNo, the out-of-the-box content of this Sentinel workbook includes references to Microsoft-specific capabilities/solutions. However, the workbook has been designed to account for \"Alternate Implementations\" (non-Microsoft), which may also meet the Target (and Advanced)-level Zero Trust Capabilities and Activities. In addition, Microsoft Sentinel supports custom log formats and multiple third-party [data connectors](\"https://learn.microsoft.com/azure/sentinel/data-connectors-reference\") that can provide visibility for non-Microsoft solutions. \r\n\r\n
\r\n### How will this workbook help with deployment and maturity of the DoD Zero Trust Strategy Capabilities & Activities? \r\n\r\n* Provides Zero Trust roll-up of organizational maturity and situational awareness as it relates directly to the 2027 Zero Trust Target-level deadline. \r\n\r\n* Provides DoD Zero Trust Activity simplification and improved awareness, allowing responsible parties for each pillar(s) to report which capabilities are planned, implemented, or not applicable. \r\n\r\n* Provides guidance and recommendations to meet the 45 capabilities (and supporting 152 activities) \r\n\r\n* Provides a working (and evolving) organized method of orchestrating and managing/tracking efforts around the Zero Trust Capabilities and Activities covered in the DoD Zero Trust Strategy. \r\n\r\n
\r\n### Why are some of the visualizations not working in my workbook? \r\n\r\nThe visualizations within this workbook are simply examples and rely on specific logs to populate accordingly. We realize that not every organization leverages the same solution logs used to build/populate this workbook. In addition, we also realize that many customers leverage third-party solutions for their needs. Every implementation of this workbook is unique to the respective environment in which it is installed. It is intended to be a starting point and can be further customized to better meet the needs of each customer. Please contact your Account Representative if your team requires further assistance and/or customizations. \r\n\r\nVisualizations can be used to show examples of the DoD Zero Trust Activities in use/or configurations themselves. They can also be used to further develop automations related to improving cyber hygiene through deploying Zero Trust principals. \r\n\r\n
\r\n### Who should use this workbook? \r\n\r\nThis workbook is designed for both executives and individuals who are directly responsible for implementing the respective Capabilities/Activities due by 2027 outlined in the DoD Zero Trust Strategy. \r\n\r\nThis workbook derives language and terminology specific to the DoD Zero Trust Strategy. However, many non-DoD organizations can also leverage this guidance for their needs. \r\n\r\n
\r\n### Where does the Zero Trust Maturity (Percentage) score come from? \r\n\r\nThe Zero Trust Maturity score is calculated based on the interactive capabilities sections contained within each of the pillars. When updated, the drop-down boxes labeled, β€œImplementation Status” directly contribute to the overall level of maturity reported under the β€œZero Trust Essentials” → \"DoD Zero Trust Assessment Tracker\". \r\n\r\n
\r\n### How can I make recommendations to improve this workbook? \r\n\r\nPlease utilize the link in the opening screen labeled, β€œPlease take some time to take a quick survey”. Our team values these responses and takes them very seriously. Any feedback that you can provide is greatly appreciated. \r\n\r\n
\r\n### Can this workbook be customized? \r\n\r\nYes! This workbook has been created with additional customization in mind. Please contact your Account Representative if you would to like to inquire about any additional assistance with customizing this workbook to suit your organizational goals related to DoD Zero Trust Strategy maturity. \r\n\r\n
\r\n### Do other customers outside the DoD utilize this workbook? \r\n\r\nYes, many customers outside the DoD have also gravitated toward the DoD Zero Trust Strategy because it focuses on an outcomes-focused methodology and includes specific \"Capabilities and Activities\" that apply to core Zero Trust principals. \r\n\r\n
\r\n### Who created this workbook? \r\n\r\nThis workbook was created by a collaboration of Microsoft teams and subject matter experts along with our pilot customers. \r\n\r\n
\r\n### Does this workbook cover all 152 β€œActivities” defined in the Strategy? \r\n\r\nYes, the recommendations, visualizations, and guidance, while centered around the 45 capabilities, will still apply to all 152 activities. This workbook aims to simplify the Target (and Advanced)-level Zero Trust Capabilities and Activities. Based on prior feedback, this workbook may be updated in the future to include further guidance, reporting, and relevant information. ", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "isess4Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "FAQ" + }, + { + "type": 1, + "content": { + "json": "| DoD Zero Trust Pillar | DoD Zero Trust Capability | Recommended Microsoft Solution(s) | Recommended DoD Portal(s) | Recommended Resources |\r\n|--------------------------------|------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\r\n| User 1.x | | | | |\r\n| | 1.1 User Inventory | Entra ID
Microsoft Sentinel UEBA
Microsoft Defender for Cloud (MDfC) | πŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
πŸ”€ [Microsoft Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5) | πŸ’‘ [Microsoft Identity Platform Entra (formerly AAD)](https://learn.microsoft.com/azure/active-directory/develop/v2-overview)
πŸ’‘ [Microsoft Hybrid Identity with Entra/AAD/AD](https://learn.microsoft.com/azure/active-directory/hybrid/)
πŸ’‘ [Using the Inventory in Secure Score - Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/asset-inventory)
πŸ’‘ [Identity Decision Guide](https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/identity/)
πŸ’‘ [Microsoft Cloud Identity for Enterprise Architects](https://www.microsoft.com/download/details.aspx?id=54431)
πŸ’‘ [Identity Security Monitoring](https://github.com/Cloud-Architekt/AzureAD-Attack-Defense/blob/main/IdentitySecurityMonitoring.md#identity-security-monitoring-in-a-hybrid-environment)
πŸ’‘ [Collect Azure Active Directory (Azure AD) Logs](https://learn.microsoft.com/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics#send-logs-to-azure-monitor)
πŸ’‘ [Enable User Entity Behavorial Analytics](https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics#how-to-enable-user-and-entity-behavior-analytics)
πŸ’‘ [Deploy Microsoft Defender for Identity](https://learn.microsoft.com/defender-for-identity/deploy-defender-identity)
πŸ’‘ [Secure with Azure Active Directory](https://learn.microsoft.com/azure/active-directory/fundamentals/secure-with-azure-ad-introduction)
πŸ’‘ [AAD Hybrid Identity](https://learn.microsoft.com/azure/active-directory/hybrid/connect/plan-hybrid-identity-design-considerations-overview?WT.mc_id=DT-MVP-5001664)
πŸ’‘ [Azure AD Reports](https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports?WT.mc_id=DT-MVP-5001664)
πŸ’‘ [B2B Collaboration](https://learn.microsoft.com/azure/active-directory/external-identities/what-is-b2b?WT.mc_id=DT-MVP-5001664) |\r\n| | 1.2 Conditional User Access | Entra ID Conditional Access (CA)
Microsoft Defender for Cloud (MDfC)
Microsoft Sentinel
Microsoft 365 Defender
Microsoft Intune | πŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
πŸ”€ [Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies)
πŸ”€ [Conditional Access Policy Templates](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/CaTemplates.ReactView)
πŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
πŸ”€ [Microsoft Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5) | πŸ’‘ [What is Conditional Access](https://learn.microsoft.com/azure/active-directory/conditional-access/overview)
πŸ’‘ [Conditional Access Learning Path](https://learn.microsoft.com/training/modules/plan-implement-administer-conditional-access/)
πŸ’‘ [Conditional Access Licensing- Need at least AADP1](https://www.microsoft.com/security/business/identity-access/azure-active-directory-pricing?rtc=1)
πŸ’‘ [Conditional Access Design Principles](https://learn.microsoft.com/azure/architecture/guide/security/conditional-access-design)
πŸ’‘ [Templates -Secure Foundation & Work Toward ZT](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common)
πŸ’‘ [Conditional Access Trends and Changes](https://github.com/Cyberlorians/Workbooks/blob/main/ConditionalAccessTrendsandChanges.json)
πŸ’‘ [Implement Authentication Strengths](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/authentication-strength-choose-the-right-auth-method-for-your/ba-p/2365674)
πŸ’‘ [Intune Conditional Access](https://learn.microsoft.com/mem/intune/protect/conditional-access)
πŸ’‘ [Using Locations in Conditional Access Policies](https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition) |\r\n| | 1.3 Multi-Factor Authentication (MFA) | Entra ID
Entra ID - Certificate Based Authorization (CBA) | πŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
πŸ”€ [Entra ID - AuthN Methods Activity](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthMethodsActivity/menuId/AuthMethodsActivity)
πŸ”€ [Entra ID - AuthN Methods Policies](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods)
πŸ”€ [Entra ID - AuthN Strengths](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthStrengths)
πŸ”€ [Defender for Cloud Recommendations](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_Security/SecurityMenuBlade/~/5) | πŸ’‘ [How MFA Works](https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
πŸ’‘ [Setup Multifactor Authenication for Users M365](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy)
πŸ’‘ [Configure the MFA Azure Active Directrory Registration Policies](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy)
πŸ’‘ [Deploy Passwordless Solution](https://learn.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-deployment)
πŸ’‘ [Configure Azure AD CBA](https://learn.microsoft.com/azure/active-directory/authentication/how-to-certificate-based-authentication)
πŸ’‘ [Conditional Access Policy - MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?WT.mc_id=DT-MVP-5001664)
πŸ’‘ [Plan AAD MFA](https://learn.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted?WT.mc_id=DT-MVP-5001664) |\r\n| | 1.4 Privileged Access Management (PAM) | Entra ID
Entra ID - Privileged Identity Management (PIM) | πŸ”€ [Entra ID DiagnosticSettings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
πŸ”€ [Entra ID - PIM](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_PIMCommon/CommonMenuBlade/~/quickStart)
πŸ”€ [AAD PIM - Audit History](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_PIMCommon/MyAuditsMenuBlade/~/aadmigratedroles) | πŸ’‘ [Plan a Privileged Identity Management Deployment](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan)
πŸ’‘ [Privileged Identity Management - Why use it with Defender for O365?](https://learn.microsoft.com/microsoft-365/security/office-365-security/use-privileged-identity-management-in-defender-for-office-365?view=o365-worldwide)
πŸ’‘ [Implementing PIM - Micrsoft Entra](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started)
πŸ’‘ [Secure Roadmap - PIM](https://learn.microsoft.com/azure/active-directory/roles/security-planning#use-azure-ad-privileged-identity-management)
πŸ’‘ [PIM for Groups](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/concept-pim-for-groups)
πŸ’‘ [Configure Approve or Deny Request for AD Roles in PIM](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-approval-workflow)
πŸ’‘ [Azure Security Benchmark Defender for Identity](https://learn.microsoft.com/security/benchmark/azure/baselines/defender-for-identity-security-baseline) |\r\n| | 1.5 Identity Federation & User Credentialing | Entra ID - Certificate-Based Authorization (CBA)
Entra ID - Guest Access | πŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
πŸ”€ [Entra ID - AAD Connect](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_Connect_Provisioning/AADConnectMenuBlade/~/GetStarted)
πŸ”€ [Entra ID - Enterprise Apps](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null)
πŸ”€ [Entra ID - Identity Governance](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_ERM/DashboardBlade/~/GettingStarted) | πŸ’‘ [Azure Governement - Planning Identity for Azure Government Apps](https://learn.microsoft.com/azure/azure-government/documentation-government-plan-identity)
πŸ’‘ [Federated Identity Credentials](https://learn.microsoft.com/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0)
πŸ’‘ [What is Hybrid Identity](https://learn.microsoft.com/azure/active-directory/hybrid/whatis-hybrid-identity)
πŸ’‘ [Azure AD Certificate Based Authentication](https://learn.microsoft.com/azure/active-directory/authentication/concept-certificate-based-authentication)
πŸ’‘ [Azure AD SCIM](https://learn.microsoft.com/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups)
πŸ’‘ [Provisioning with Google Cloud](https://cloud.google.com/architecture/identity/federating-gcp-with-azure-ad-configuring-provisioning-and-single-sign-on)
πŸ’‘ [Provisioning with Amazon Cloud](https://learn.microsoft.com/azure/active-directory/saas-apps/aws-single-sign-on-provisioning-tutorial)
πŸ’‘ [Azure AD Application Roles](https://learn.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps)
πŸ’‘ [What is Identity Governace?](https://learn.microsoft.com/azure/active-directory/governance/identity-governance-overview) |\r\n| | 1.6 Behavioral, Contextual ID, and Biometrics | Microsoft Sentinel UEBA
Entra ID - Identity Protection | πŸ”€ [Azure Face APIs](https://portal.azure.us/#view/Microsoft_Azure_ProjectOxford/CognitiveServicesHub/~/Face)
πŸ”€ [Sentinel - UEBA](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [Verified ID](https://portal.azure.us/#view/Microsoft_AAD_DecentralizedIdentity/InitialMenuBlade/~/setupBlade) | πŸ’‘ [User Entity Behavorial Analytics - What is it?](https://learn.microsoft.com/azure/sentinel/identify-threats-with-entity-behavior-analytics)
πŸ’‘ [Windows Hello Biometrics](https://learn.microsoft.com/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise)
πŸ’‘ [Identify Advanced Threats with UEBA](https://learn.microsoft.com/azure/sentinel/identify-threats-with-entity-behavior-analytics)
πŸ’‘ [UEBA Reference](https://learn.microsoft.com/azure/sentinel/ueba-reference?WT.mc_id=AZ-MVP-5004810#ueba-enrichments)
πŸ’‘ [UEBA Sentinel Content Hub](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/ueba-essentials-solution-now-available-in-content-hub/ba-p/3651074)
πŸ’‘ [Guided UEBA Investigation Scenarios](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/guided-ueba-investigation-scenarios-to-empower-your-soc/ba-p/1857100)
πŸ’‘ [Combatting Risky Sign-ins in Azure Active Directory](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/combatting-risky-sign-ins-in-azure-active-directory/ba-p/3724786)
πŸ’‘ [Securing Workload Identities](https://learn.microsoft.com/azure/active-directory/identity-protection/concept-workload-identity-risk)
πŸ’‘ [Reprise99 UEBA](https://github.com/reprise99/Sentinel-Queries/tree/main/UEBA) |\r\n| | 1.7 Least Privileged Access | Entra ID - Permissions
Azure Policy
Entra ID - Privileged Identity Management (PIM) | πŸ”€ [Entra ID - Enterprise Apps](https://portal.azure.us/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null)
πŸ”€ [Entra ID - Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/CaTemplates.ReactView)
πŸ”€ [Entra ID - Identity Protection](https://portal.azure.us/#view/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/~/Overview)
πŸ”€ [Microsoft Defender for Cloud Apps](https://security.microsoft.us/cloudapps/)
πŸ”€ [Application Security Groupss](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FapplicationSecurityGroups) | πŸ’‘ [Implementing Least-Privileged Administrative Models](https://learn.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models)
πŸ’‘ [Enhance Application Security with Lease Privilege Access Controls](https://learn.microsoft.com/azure/active-directory/develop/secure-least-privileged-access)
πŸ’‘ [Identity Protection](https://techcommunity.microsoft.com/t5/itops-talk-blog/what-s-the-difference-between-azure-active-directory-identity/ba-p/1320887?WT.mc_id=itopstalk-newsletter-abartolo)
πŸ’‘ [Continuous Access Evaluation Monitoring](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-continuous-access-evaluation-troubleshoot#continuous-access-evaluation-sign-in-reporting) |\r\n| | 1.8 Continuous Authentication | Entra ID - Continuous Access Evaluation (CAE)
Entra ID - Privileged Identity Management (PIM)
Entra ID - Identity Protection | πŸ”€ [Entra ID - Device Inventory](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
πŸ”€ [Entra ID - Connect Sync (Hybrid Join)](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_Connect_Provisioning/AADConnectMenuBlade/~/ConnectSync)
πŸ”€ [Entra ID - Enterprise Apps](https://portal.azure.us/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null)
πŸ”€ [Entra ID - Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/CaTemplates.ReactView)
πŸ”€ [Entra ID - Identity Governance](https://portal.azure.us/#view/Microsoft_AAD_ERM/DashboardBlade/~/GettingStarted)
πŸ”€ [Entra ID - PIM Insights](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_PIMCommon/ResourceMenuBlade/~/aaddiscovery/resourceId//resourceType/tenant/provider/aadroles) | πŸ’‘ [Implement Continuous Access Evaluation Microsoft Entra](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation)
πŸ’‘ [Implementing Primary Refresh Token](https://learn.microsoft.com/azure/active-directory/devices/concept-primary-refresh-token)
πŸ’‘ [Privileged Identity Management Insights](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-security-wizard#discovery-and-insights-preview)
πŸ’‘ [Entra Permissions Managment](https://learn.microsoft.com/azure/active-directory/cloud-infrastructure-entitlement-management/permissions-management-trial-user-guide)
πŸ’‘ [Session Management with Conditional Access](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) |\r\n| | 1.9 Integrated ICAM Platform | Entra Entitlement Management
Entra ID Certificate Based Authentication (CBA) | πŸ”€ [Entra ID - AuthN Methods](https://portal.azure.us/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods)
πŸ”€ [Entra ID - AuthN Strengths](https://portal.azure.us/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthStrengths)
πŸ”€ [Entra ID - AuthN Insights](https://portal.azure.us/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthMethodsActivity)
πŸ”€ [Entra ID - Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/CaTemplates.ReactView) | πŸ’‘ [Microsoft Integrated Identity Platform Entra](https://learn.microsoft.com/azure/active-directory/develop/v2-overview)
πŸ’‘ [Implement Passwordless Auth with Microsoft Entra](https://learn.microsoft.com/azure/active-directory/fundamentals/auth-passwordless)
πŸ’‘ [Configure Passwordless Key with Microsoft Entra](https://learn.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
πŸ’‘ [Entra Certificate Based Authorization](https://learn.microsoft.com/azure/active-directory/authentication/concept-certificate-based-authentication) |\r\n| Device 2.x | | | | |\r\n| | 2.1 Device Inventory | Microsft Entra ID
Microsft Entra ID Conditional Access (CA)
Microsoft Defender for Endpoint (MDE)
Microsoft Defender for Cloud (MDfC)
Microsoft Defender for Identity (MDI)
Microsoft Intune | πŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
πŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/overview)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
πŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5) | πŸ’‘[M365 Defender Device inventory](https://learn.microsoft.com/graph/api/resources/intune-graph-overview?view=graph-rest-1.0%22%20%EF%BF%BDHYPERLINK%20%22https://learn.microsoft.com/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide)
πŸ’‘[What is a device identity (Azure Active Directory)?](https://learn.microsoft.com/azure/active-directory/devices/overview)
πŸ’‘[Manage device identities by using the Azure portal](https://learn.microsoft.com/azure/active-directory/devices/device-management-azure-portal)Β 
πŸ’‘[Manage your devices and control features with Microsoft Intune](https://learn.microsoft.com/mem/intune/fundamentals/manage-devices)Β 
πŸ’‘[Hybrid Azure AD joined devices](https://learn.microsoft.com/azure/active-directory/devices/concept-azure-ad-join-hybrid)Β 
πŸ’‘[Conditional Access policy: Device Compliancy](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device)
πŸ’‘[ZT Guide: Endpoint Zero Trust Deployment Objectives](https://learn.microsoft.com/security/zero-trust/deploy/endpoints#endpoint-zero-trust-deployment-objectives)
πŸ’‘[Intune Reporting](https://learn.microsoft.com/mem/intune/fundamentals/review-logs-using-azure-monitor) ** not yet availble in DoD cloud
πŸ’‘[Provide Additional Intune Reporting](https://www.linkedin.com/pulse/provide-additional-intune-reporting-data-wmi-iren%C3%A4us-becker/)
πŸ’‘[Working with Intune in Microsoft Graph](https://learn.microsoft.com/graph/api/resources/intune-graph-overview?view=graph-rest-1.0) |\r\n| | 2.2 Device Detection and Compliance | Entra ID Conditional Access (CA)
Microsoft Defender for Endpoint (MDE)
Microsoft Intune | πŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
πŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints) | πŸ’‘[Device compliance policies in Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/device-compliance-get-started)
πŸ’‘[Configure Microsoft Defender for Endpoint in Intune](https://learn.microsoft.com/mem/intune/protect/advanced-threat-protection-configure)
πŸ’‘[Configure Conditional Access in Microsoft Defender for Endpoint](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-conditional-access?view=o365-worldwide)
πŸ’‘[Scenarios for using Conditional Access with Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use?source=recommendations) |\r\n| | 2.3 Device Authorization w/ Real Time Inspection | Microsft Entra ID
Microsoft Intune
Microsoft Defender for Endpoint (MDE)
Microsoft Defender for Cloud (MDfC)
Microsoft Sentinel | πŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
πŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
πŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/)
πŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5) | πŸ’‘[Configure Microsoft Defender for Endpoint in Intune](https://learn.microsoft.com/mem/intune/protect/advanced-threat-protection-configure)
πŸ’‘[Device discovery overview](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide)
πŸ’‘[Learn about Conditional Access and Intune](https://learn.microsoft.com/mem/intune/protect/conditional-access)
πŸ’‘[Device compliance policies in Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/device-compliance-get-started)
πŸ’‘[Configure compliance policies with actions for noncompliance in Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/actions-for-noncompliance)
πŸ’‘[Require compliant, hybrid joined devices, or MFA - Microsoft Entra](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device)
πŸ’‘[Conditional Access insights and reporting workbook - Microsoft Entra](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting)
πŸ’‘[Plan an Azure Active Directory Conditional Access deployment - Microsoft Entra](https://learn.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access)
πŸ’‘[Azure Samples for Conditional Access (PowerShell) - GitHub](https://github.com/Azure-Samples/azure-ad-conditional-access-apis/tree/main/01-configure/powershell)

Additional References:
πŸ’‘[Track changes to system files and registry keys](https://learn.microsoft.com/azure/defender-for-cloud/file-integrity-monitoring-overview)
πŸ’‘[Connect Microsoft Defender for Cloud alerts to Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud)
πŸ’‘[Deploying and Managing Microsoft Defender for Cloud as Code](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/deploying-and-managing-microsoft-defender-for-cloud-as-code/ba-p/3649653)
πŸ’‘[Collect data in custom log formats to Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/connect-custom-logs?tabs=DCG)
πŸ’‘[Azure Monitor Agent overview - Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/agents/agents-overview)
πŸ’‘[Use entity behavior analytics to detect advanced threats](https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics) |\r\n| | 2.4 Remote Access | Microsft Entra ID
Microsft Entra ID Conditional Access (CA)
Microsoft Intune
Microsoft Defender for Endpoint (MDE) | πŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
πŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints) | πŸ’‘[Require compliant, hybrid joined devices, or MFA - Microsoft Entra](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device)
πŸ’‘[Conditional Access APIs and PowerShell - Microsoft Entra](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-apis)
πŸ’‘[Device compliance policies in Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/device-compliance-get-started)
πŸ’‘[Configure compliance policies with actions for noncompliance in Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/actions-for-noncompliance)
πŸ’‘[Configure Microsoft Defender for Endpoint in Intune](https://learn.microsoft.com/mem/intune/protect/advanced-threat-protection-configure)
πŸ’‘[Configure Conditional Access in Microsoft Defender for Endpoint](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-conditional-access?view=o365-worldwide)
πŸ’‘[Enhance security with the principle of least privilege](https://learn.microsoft.com/azure/active-directory/develop/secure-least-privileged-access)
πŸ’‘[Best practices for Azure AD roles](https://learn.microsoft.com/azure/active-directory/roles/best-practices)
πŸ’‘[Least privileged roles by task in Azure Active Directory](https://learn.microsoft.com/azure/active-directory/roles/delegate-by-task) |\r\n| | 2.5 Partially & Fully Automated Asset, Vulnerability and Patch | Microsoft Intune
Microsoft Endpoint Configuration Manager (MECM)
Mircosoft Defender for Endpoint (MDE) Threat & Vulnerability Management (TVM)
Azure Arc-enabled Servers
Azure Automation | πŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
πŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
πŸ”€ [Azure Arc](https://portal.azure.us/#view/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/~/overview) | πŸ’‘ [What is Windows Update for Business?](https://learn.microsoft.com/windows/deployment/update/waas-manage-updates-wufb)
πŸ’‘ [Microsoft Configuration Manager MECEM](https://learn.microsoft.com/mem/configmgr/core/understand/introduction)
πŸ’‘ [Update rings for Windows 10 and later policy in Intune](https://learn.microsoft.com/mem/intune/protect/windows-10-update-rings?source=recommendations)
πŸ’‘ [Manage Windows 10 and Windows 11 software updates in Intune](https://learn.microsoft.com/mem/intune/protect/windows-update-for-business-configure)
πŸ’‘ [Deploy software updates with Configuration Manager](https://learn.microsoft.com/mem/configmgr/sum/deploy-use/deploy-software-updates)
πŸ’‘ [Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint](https://learn.microsoft.com/mem/intune/protect/atp-manage-vulnerabilities)
πŸ’‘ [Remediate vulnerabilities (Defender for Endpoint)](https://learn.microsoft.com/microsoft-365/security/defender-vulnerability-management/tvm-remediation?view=o365-worldwide)
πŸ’‘ [Choose how to deliver updates for the Microsoft 365 Apps](https://learn.microsoft.com/deployoffice/fieldnotes/choose-how-to-deliver-updates)
πŸ’‘ [Windows Release Health](https://learn.microsoft.com/windows/release-health/)
πŸ’‘ [Manage updates and patches for your VMs](https://learn.microsoft.com/azure/automation/update-management/manage-updates-for-vm)
πŸ’‘ [Automate your patching using Azure Arc and Azure Automation](https://techcommunity.microsoft.com/t5/manufacturing/automate-your-patching-using-azure-arc-and-azure-automation/ba-p/3214141)
|\r\n| | 2.6 Unified Endpoint Management (UEM) & Mobile Device Management (MDM) | Microsoft Intune
Azure Arc-enabled Servers
Azure Autiomation | πŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
πŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
πŸ”€ [Azure Arc](https://portal.azure.us/#view/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/~/overview) | πŸ’‘[What is Microsoft Intune](https://learn.microsoft.com/mem/intune/fundamentals/what-is-intune)
πŸ’‘[Manage your devices and control device features in Microsoft Intune](https://learn.microsoft.com/mem/intune/fundamentals/manage-devices)
πŸ’‘[Zero Trust with Microsoft Intune](https://learn.microsoft.com/mem/intune/fundamentals/zero-trust-with-microsoft-intune)
πŸ’‘[Supported operating systems and browsers in Intune](https://learn.microsoft.com/mem/intune/fundamentals/supported-devices-browsers)
πŸ’‘[Enrollment guide: Microsoft Intune enrollment](https://learn.microsoft.com/mem/intune/fundamentals/deployment-guide-enrollment)
πŸ’‘[Manage iOS/iPadOS software update policies in Intune](https://learn.microsoft.com/mem/intune/protect/software-updates-ios)
πŸ’‘[Manage macOS software update policies in Intune](https://learn.microsoft.com/mem/intune/protect/software-updates-macos)
πŸ’‘[Microsoft Intune How-To Guides](https://learn.microsoft.com/mem/intune/#how-to-guides)
πŸ’‘[What is Azure Arc-enabled servers?](https://learn.microsoft.com/azure/azure-arc/servers/overview)
πŸ’‘[Automate your patching using Azure Arc and Azure Automation](https://techcommunity.microsoft.com/t5/manufacturing/automate-your-patching-using-azure-arc-and-azure-automation/ba-p/3214141) |\r\n| | 2.7 Endpoint & Extended Detection & Response (EDR & XDR) | Microsoft 365 Defender
Microsoft Defender for Endpoint (MDE)
Microsoft Defednder for Identity (MDI)
Microsoft Defender for Office 365 (MDO)
Microsoft Defender for Cloud Apps (MDA)
Microsoft Defender for Cloud (MDfC)
Microsoft Sentinel | πŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
πŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us) | πŸ’‘[What is Microsoft Defender for Endpoint?](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide)
πŸ’‘[Zero Trust with Microsoft Defender for Endpoint](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/zero-trust-with-microsoft-defender-endpoint?view=o365-worldwide)
πŸ’‘[What is Microsoft 365 Defender?](https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide)
πŸ’‘[Zero Trust with Microsoft 365 Defender](https://learn.microsoft.com/microsoft-365/security/defender/zero-trust-with-microsoft-365-defender?view=o365-worldwide)
πŸ’‘[Overview of endpoint detection and response (EDR) with Microsoft 365 Defender](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response?view=o365-worldwide)
πŸ’‘[Implement Microsoft Sentinel and Microsoft 365 Defender for Zero Trust](https://learn.microsoft.com/security/operations/siem-xdr-overview)
πŸ’‘[Manage endpoint detection and response (EDR) policy for endpoint security in Intune](https://learn.microsoft.com/mem/intune/protect/endpoint-security-edr-policy)
πŸ’‘[Set up your XDR tools](https://learn.microsoft.com/security/operations/setup-xdr-tools)
πŸ’‘[Architect your Microsoft Sentinel workspace](https://learn.microsoft.com/security/operations/siem-workspace)
πŸ’‘[Ingest data sources and configure incident detection in Sentinel](https://learn.microsoft.com/security/operations/ingest-data-sources)
πŸ’‘[Respond to an incident using Microsoft Sentinel and Microsoft 365 Defender](https://learn.microsoft.com/security/operations/respond-incident) |\r\n| Application & Workload 3.x | | | | |\r\n| | 3.1 Application Inventory | Entra ID
Microsoft Defender for Cloud Apps (MDA)
Microsoft Defender for Endpoint (MDE)
Microsoft Intune | πŸ”€ [Entra ID Applications - Useage & Insights](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_AAD_IAM/EnterpriseApplicationsInsightsMenuBlade/~/ApplicationActivity)
πŸ”€ [Application Security Groups](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FapplicationSecurityGroups)
πŸ”€ [Microsoft Defender for Cloud Apps - Discovery](https://security.microsoft.us/cloudapps/discovery)
πŸ”€ [Virtual Network Gateways](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
πŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5) | πŸ’‘ [Cloud Discovery Setup](https://learn.microsoft.com/defender-cloud-apps/set-up-cloud-discovery)
πŸ’‘ [Deploy Intune Softare inventory & Security Policies](https://learn.microsoft.com/answers/questions/67892/can-we-use-intune-to-inventory-software-on-devices)
πŸ’‘ [Configure Blocking Unwanted or Unapproved Applications](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide)
πŸ’‘ [Generating Software Bill of Materials (SBOM)](https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/)
πŸ’‘ [Microsoft Open Source Software Bill of Materials SBOM](https://devblogs.microsoft.com/engineering-at-microsoft/microsoft-open-sources-software-bill-of-materials-sbom-generation-tool/)
πŸ’‘ [Github Software Bill of Materials - SBOM-Tool](https://github.com/microsoft/sbom-tool)
πŸ’‘ [Active Directory Federation Services Health](https://learn.microsoft.com/azure/active-directory/hybrid/connect/how-to-connect-health-adfs)
πŸ’‘ [Azure Active Directory Application Audit](https://github.com/jsa2/AADAppAudit#azure-ad-application-analytics-solution)
πŸ’‘ [Azure Active Directory Application Proxy](https://learn.microsoft.com/azure/active-directory/app-proxy/what-is-application-proxy)
πŸ’‘ [Using Microsoft Defender for Cloud Asset Inventory](https://learn.microsoft.com/azure/defender-for-cloud/asset-inventory)
πŸ’‘ [Working with Discovered Apps](https://learn.microsoft.com/defender-cloud-apps/discovered-apps)
πŸ’‘ [Software Inventory](https://learn.microsoft.com/microsoft-365/security/defender-vulnerability-management/tvm-software-inventory?view=o365-worldwide) |\r\n| | 3.2 Secure Software Development & Integration | Azure Policy
Microsoft Defender for Cloud (MDfC)
Microsoft Defender for Endpoint (MDE) | πŸ”€ [Azure DevOps](https://portal.azure.us/#view/AzureTfsExtension/OrganizationsTemplateBlade)
πŸ”€ [Azure Dev Test Center](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.DevTestLab%2Flabs)
πŸ”€ [Azure DevTest Lab](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.DevTestLab%2Flabs)
πŸ”€ [Intune App Security](https://endpoint.microsoft.us)
πŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/) | |\r\n| | 3.3 Software Risk Management | Microsoft Defender for Cloud Apps (MDA)
Mircosoft Defender for Endpoint (MDE) Threat & Vulnerability Management (TVM)
Microsoft Intune | πŸ”€ [Azure Enterprise Apps Portal](https://portal.azure.us/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview)
πŸ”€ [Intune Application Security](https://endpoint.microsoft.us/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/overview)
πŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/) | πŸ’‘ [Manage and Secure Apps In Intune](https://learn.microsoft.com/mem/intune/fundamentals/manage-apps)
πŸ’‘ [App Protection Policies in Intune](https://learn.microsoft.com/mem/intune/apps/app-protection-policy)
πŸ’‘ [Microsoft Container Registry](https://mcr.microsoft.com/)
πŸ’‘ [GitHub Actaion For Vulnerability Scanning](https://github.com/marketplace/actions/anchore-container-scan)
πŸ’‘ [Code Scanning with CodeQL](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql)
πŸ’‘ [Keeping your supply chain secure with Dependabot](https://docs.github.com/en/code-security/dependabot)
πŸ’‘ [Secure Supply Chain Consumption Framework](https://www.microsoft.com/securityengineering/opensource/osssscframeworkguide)
πŸ’‘ [Generating Software Bill of Materials (SBOM)](https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/)
πŸ’‘ [Microsoft Open Source Software Bill of Materials SBOM](https://devblogs.microsoft.com/engineering-at-microsoft/microsoft-open-sources-software-bill-of-materials-sbom-generation-tool/)
πŸ’‘ [Github Software Bill of Materials - SBOM-Tool](https://github.com/microsoft/sbom-tool) |\r\n| | 3.4 Resource Authorization & Integration | Entra ID Conditional Access (CA)
Entra ID Application Proxy
Azure Policy
Entra ID Privilleged Identity Management (PIM)
Microsoft 365 Defender
Microsoft Intune
Microsoft Defender for Cloud (MDfC) | πŸ”€ [Azure Identity Governance](https://portal.azure.us/#blade/Microsoft_AAD_ERM/DashboardBlade)
πŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
πŸ”€ [Azure Application Proxy](https://portal.azure.us/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppProxy)
πŸ”€ [Managed Service Identity](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/6f3afa5d-4b81-4f10-8806-fb75689672da/appId/c75517e9-05c9-49e9-9990-94f68b04ffc4)
πŸ”€ [Intune Application Security](https://endpoint.microsoft.us/#view/Microsoft_Intune_DeviceSettings/AppsMenu/~/overview)
πŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/) | πŸ’‘ [Deploy Microsoft Defender for Cloud - Enterprise Cloud Application Protection](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
πŸ’‘ [Configure Microsoft Cloud Identity for Enterprise Architects](https://www.microsoft.com/download/details.aspx?id=54431)
πŸ’‘ [Deploying Application & Authorization Azure App Services](https://learn.microsoft.com/azure/app-service/overview-authentication-authorization)
πŸ’‘ [How to create and deploy a custome Authorization Manager](https://learn.microsoft.com/dotnet/framework/wcf/extending/how-to-create-a-custom-authorization-manager-for-a-service)
πŸ’‘ [Configure with Entra Identity Platform](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow)
πŸ’‘ [How-to Manage Apps Remove User Access with Entra](https://learn.microsoft.com/azure/active-directory/manage-apps/methods-for-removing-user-access)
πŸ’‘ [Setup Protecting Apps w. Entra Conditional Access](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps)
πŸ’‘ [Role Based Access Control Configuration with Intune](https://learn.microsoft.com/mem/intune/fundamentals/role-based-access-control) |\r\n| | 3.5 Continuous Monitoring and Ongoing Authorizations | Entra ID - Conditional Access (CA)
Microsoft Defender for Cloud Apps (MDA)
Microsoft Senitnel Playbooks
Entra ID - Privileged Identity Management (PIM) | πŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
πŸ”€ [Application Insights](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.insights%2Fcomponents)
πŸ”€ [Entra ID](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
πŸ”€ [Application Security Groups Portal](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FapplicationSecurityGroups)
πŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel) | πŸ’‘ [How-to-Build a Successful App Security Program](https://www.microsoft.com/security/blog/2021/03/29/how-to-build-a-successful-application-security-program/)
πŸ’‘ [Setting up Hybrid Continuous Monitoring with Sentinel](https://learn.microsoft.com/azure/architecture/hybrid/hybrid-security-monitoring)
πŸ’‘ [Deploy Adaptive Appliation Conrols Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/adaptive-application-controls)
πŸ’‘ [Configure Azure Security Management & Monitoring](https://learn.microsoft.com/azure/security/fundamentals/management-monitoring-overview)
πŸ’‘ [Leverage Security Baselines for M365 Apps Enterprise](https://learn.microsoft.com/deployoffice/security/security-baseline)
πŸ’‘ [Utilize Application Control for Windows](https://learn.microsoft.com/windows/security/application-security/application-control/windows-defender-application-control/wdac) |\r\n| Data 4.x | | | | |\r\n| | 4.1 Data Catalog Risk Alignment | Purview Data Catalog
Purview Data Map
Microsoft Sentinel | πŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
πŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/)
πŸ”€ [Azure Data Classification Service](https://portal.azure.us/#view/Microsoft_AAD_IAM/ManagedAppMenuBlade/~/Overview/objectId/30ea52ed-e5a7-4e51-a4ea-6c3b96a8be36/appId/7c99d979-3b9c-4342-97dd-3239678fb300) | πŸ’‘ [Create a Azrure Data Catalog](https://learn.microsoft.com/azure/data-catalog/data-catalog-get-started)
πŸ’‘ [Use the Service Catalog](https://learn.microsoft.com/system-center/scsm/service-catalog?view=sc-sm-2022)
πŸ’‘ [Azure Data Catalog FAQ](https://learn.microsoft.com/azure/data-catalog/data-catalog-frequently-asked-questions)
πŸ’‘ [Establishing Sensitivity Labels](https://learn.microsoft.com/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide)
πŸ’‘ [Create and Publish Sensitivity Labels](https://learn.microsoft.com/microsoft-365/compliance/create-sensitivity-labels?view=o365-worldwide)Β 
πŸ’‘ [Get Started with Trainable Classifiers](https://learn.microsoft.com/microsoft-365/compliance/classifier-get-started-with?view=o365-worldwide)Β 
πŸ’‘ [Set up Azure Rights Management](https://learn.microsoft.com/azure/information-protection/what-is-azure-rms)
πŸ’‘ [Deploy Azure Information Protection](https://learn.microsoft.com/azure/information-protection/aip-classification-and-protection)
πŸ’‘ [Sentinel Data Connectors](https://learn.microsoft.com/azure/sentinel/connect-data-sources)
πŸ’‘ [Discover Data & Apply Sensitivity Labels Automatically](https://learn.microsoft.com/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide) |\r\n| | 4.2 DoD Enterprise Data Governance | Purview Data Governance
Purview Data Estate Insights
Microsoft Defender for Cloud (MDfC)
Microsoft Sentinel | πŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
πŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/machines?category=endpoints)
πŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5) | πŸ’‘ [Implement Microsoft Purview - IRM & Compliance - DoD Deployments](https://learn.microsoft.com/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/plan-for-microsoft-purview-dod-deployments)
πŸ’‘ [Implement a Data Governance Maturity Model Framework](https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/govern)
πŸ’‘ [Deploy Azure Data Governance](https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/govern)
πŸ’‘ [Leverage Microsoft Defender for For Cloud Goverance Rules](https://learn.microsoft.com/azure/defender-for-cloud/governance-rules)
πŸ’‘ [Implement Purview Data Governance](https://learn.microsoft.com/purview/?view=o365-worldwide)
πŸ’‘ [Purview Data Lineage Machine Learning](https://learn.microsoft.com/samples/microsoft/purview-machine-learning-lineage-solution-accelerator/purview-machine-learning-lineage-solution-accelerator/)Β 
πŸ’‘ [Get Started with Trainable Classifiers](https://learn.microsoft.com/microsoft-365/compliance/classifier-get-started-with?view=o365-worldwide)Β 
πŸ’‘ [Azure Collaboration Governance](https://learn.microsoft.com/microsoft-365/solutions/collaboration-governance-overview?view=o365-worldwide)
πŸ’‘ [Deploy Azure Information Protection](https://learn.microsoft.com/azure/information-protection/aip-classification-and-protection)
πŸ’‘ [Configure Sentinel Data Connectors](https://learn.microsoft.com/azure/sentinel/connect-data-sources)
πŸ’‘ [Monitor Your SQL Deployments](https://learn.microsoft.com/azure/azure-sql/database/sql-insights-overview?view=azuresql)
πŸ’‘ [Apply Sensitivity Labels Automatically](https://learn.microsoft.com/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide) |\r\n| | 4.3 Data Labeling and Tagging | Purview Information Protection | πŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
πŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/)
πŸ”€ [Microsoft Defender for Cloud: Recommendations](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5) | πŸ’‘ [Create Sensitivity Labels](https://learn.microsoft.com/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide)
πŸ’‘ [Create and Publish Sensitivity Labels](https://learn.microsoft.com/microsoft-365/compliance/create-sensitivity-labels?view=o365-worldwide)Β 
πŸ’‘ [Deploy with Trainable Classifiers](https://learn.microsoft.com/microsoft-365/compliance/classifier-get-started-with?view=o365-worldwide)Β 
πŸ’‘ [Utilize Rights Management](https://learn.microsoft.com/azure/information-protection/what-is-azure-rms)
πŸ’‘ [Deploy Azure Information Protection](https://learn.microsoft.com/azure/information-protection/aip-classification-and-protection)
πŸ’‘ [Apply Sensitivity Labels Automatically](https://learn.microsoft.com/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide)
πŸ’‘ [Use the Service Catalog](https://learn.microsoft.com/system-center/scsm/service-catalog?view=sc-sm-2022) |\r\n| | 4.4 Data Monitoring and Sensing | Purview Data Loss Protection (DLP)
Microsoft Defender for Cloud Apps (MDA)
Microsoft Defender for Endpoint (MDE)
Microsoft Sentinel | πŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
πŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/)
πŸ”€ [Azure Monitor Control Service](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/512ba5b8-8ced-42b9-8a94-c93befaf66a1/appId/e933bd07-d2ee-4f1d-933c-3752b819567b) | πŸ’‘ [Leverage Data Monitoring & Self Healing](https://learn.microsoft.com/compliance/assurance/assurance-monitoring-and-self-healing)
πŸ’‘ [Deploy Microsoft 365 Monitorning](https://learn.microsoft.com/microsoft-365/enterprise/microsoft-365-monitoring?view=o365-worldwide)
πŸ’‘ [Senitnel Data Collection Best Practices](https://learn.microsoft.com/azure/sentinel/best-practices-data)Β 
πŸ’‘ [Deploy Microsoft Purview](https://learn.microsoft.com/purview/purview)Β 
πŸ’‘ [Utilze Azure Rights Management](https://learn.microsoft.com/azure/information-protection/what-is-azure-rms)
πŸ’‘ [Configure Azure Information Protection](https://learn.microsoft.com/azure/information-protection/aip-classification-and-protection)
πŸ’‘ [Configure Sentinel Data Connectors](https://learn.microsoft.com/azure/sentinel/connect-data-sources)
πŸ’‘ [Monitor Your SQL Deployments](https://learn.microsoft.com/azure/azure-sql/database/sql-insights-overview?view=azuresql) |\r\n| | 4.5 Data Encryption & Rights Management | Purview Data Loss Protection (DLP)
Microsoft Defender for Cloud Apps (MDA)
Microsoft Defender for Endpoint (MDE) | πŸ”€ [Azure Encryption](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/21426118-88fd-4b5e-b106-3bd5f098f31a/appId/dbc36ae1-c097-4df9-8d94-343c3d091a76)
πŸ”€ [Azure Rights Management Service](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/5f0c1df8-5bab-4fb3-b1a5-19bdba46c704/appId/00000012-0000-0000-c000-000000000000)
πŸ”€ [M365 Data At Rest Encryption](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/882ab41e-90f7-4f4e-8b24-3503495a83e6/appId/c066d759-24ae-40e7-a56f-027002b5d3e4)
πŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/) | πŸ’‘ [Utilize Azure Encrption](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview)
πŸ’‘ [Deploy Azure Rights Management](https://learn.microsoft.com/azure/information-protection/what-is-azure-rms)
πŸ’‘ [Deploy Purview Information Protection](https://learn.microsoft.com/purview/information-protection)
πŸ’‘ [Configure Dynamic Key & Encrption Delivery](https://learn.microsoft.com/azure/media-services/latest/drm-content-protection-concept)Β 
πŸ’‘ [Deploy Azure Information Protection](https://learn.microsoft.com/azure/information-protection/aip-classification-and-protection) |\r\n| | 4.6 Data Loss Prevention (DLP) | Purview Data Loss Protection (DLP)
Purview Information Protection | πŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
πŸ”€ [Endpoint DLP](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/780e77f3-df11-4525-b201-973a1b691cab/appId/c98e5057-edde-4666-b301-186a01b4dc58)
πŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
πŸ”€ [Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/) | πŸ’‘ [Implement Data Loss & Prevention (DLP)](https://learn.microsoft.com/purview/dlp-learn-about-dlp)
πŸ’‘ [Informaiton Protection & Data Loss and Prevention- GITHUB LAB](https://microsoft.github.io/ComplianceCxE/dag/mip-dlp/)
πŸ’‘ [Deploy Adaptive Protection- Data Loss & Protections](https://learn.microsoft.com/purview/dlp-adaptive-protection-learn)
πŸ’‘ [Apply Rules for DLP Exchange Online](https://learn.microsoft.com/exchange/security-and-compliance/data-loss-prevention/dlp-rule-application)
πŸ’‘ [Utilize Trainable Classifiers](https://learn.microsoft.com/microsoft-365/compliance/classifier-get-started-with?view=o365-worldwide)Β 
πŸ’‘ [Deploy Azure Information Protection](https://learn.microsoft.com/azure/information-protection/aip-classification-and-protection) |\r\n| | 4.7 Data Access Control | Microsoft Defender for Cloud Apps (MDA)
Entra ID Conditional Access (CA)
Purview Insider Risk Management
Purview Information Protection
Purview Data Loss Prevention (DLP)
Microsoft Intune | πŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
πŸ”€ [Entra ID Privileged Identity Management](https://portal.azure.us/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade)
πŸ”€ [Entra ID Conditional Access](https://portal.azure.us/#blade/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade)
πŸ”€ [Azure Internal Access Scope Portal](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/a0779651-4c07-4392-a11f-a1694cb497b1/appId/c29427db-9ecc-4750-ad93-d256863f2e37)
πŸ”€ [Virtual Network Terminal Access Points](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.network%2Fvirtualnetworktaps)
πŸ”€ [Microsoft Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [Entra ID - Diagnostic Settings](https://portal.azure.us/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/DiagnosticSettings)
πŸ”€ [Conditional Access Policies](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/)
πŸ”€ [Azure Data Explorer](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Kusto%2Fclusters) | πŸ’‘ [Configure Conditional Access in Azure Active Directory](https://learn.microsoft.com/azure/active-directory/conditional-access/overview)
πŸ’‘ [Use Conditional Access Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/conditional-access)
πŸ’‘ [Use Conditional Access APIs](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-apis)
πŸ’‘ [Deploy Conditional Access Policies](https://learn.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access#deploy-conditional-access-policies)Β 
πŸ’‘ [Use Conditional Access With Data Explorer](https://learn.microsoft.com/azure/data-explorer/security-conditional-access)
πŸ’‘ [Deploy Common Conditional Access Policies](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation)
πŸ’‘ [Build Conditional Access](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policies) |\r\n| Network & Environment 5.x | | | | |\r\n| | 5.1 Data Flow Mapping | Azure Monitor Net Insights
Network Watcher
Microsoft Defender for Endpoint (MDE) | πŸ”€ [Network Security Perimeters](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FnetworkSecurityPerimeters)
πŸ”€ [Network Interfaces](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2Fnetworkinterfaces)
πŸ”€ [Azure Network Watcher](https://portal.azure.us/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview)
πŸ”€ [Azure Firewall](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FazureFirewalls)
πŸ”€ [Web Application Firewall](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
πŸ”€ [DDoS Protection Plans](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
πŸ”€ [Firewall Manager](https://portal.azure.us/#view/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/~/firewallManagerOverview)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/)
| πŸ’‘ [Use Data Flow Mapping Power Platform](https://learn.microsoft.com/power-query/dataflows/create-use)
πŸ’‘ [User Azure Network Traffic Analytics](https://learn.microsoft.com/azure/network-watcher/traffic-analytics)
πŸ’‘ [Azure Blue Print ](https://learn.microsoft.com/azure/governance/blueprints/overview)
πŸ’‘ [Leverage Azure Data Visualization with Data Explorer](https://learn.microsoft.com/azure/data-explorer/viz-overview)
πŸ’‘ [Use Power Automate for Event Tagging](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/api-microsoft-flow?view=o365-worldwide)
πŸ’‘ [Secure & Govern Workloads with Network-level Segmentation](https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/network-level-segmentation)
πŸ’‘ [Deploy Software Defined Netoworking](https://learn.microsoft.com/azure-stack/hci/concepts/plan-software-defined-networking-infrastructure)
πŸ’‘ [Manage Software Defined Netoworking](https://learn.microsoft.com/windows-server/networking/sdn/manage/manage-sdn)
πŸ’‘ [Key Components of Software Defined Networking Data Sheet](https://learn.microsoft.com/windows-server/networking/sdn/technologies/Software-Defined-Networking-Technologies) |\r\n| | 5.2 Software Defined Networking (SDN) | Secure Access Service Edge (SASE)
Microsoft Network Secuirty Groups (NSG)
Entra ID App Proxy | πŸ”€ [Manage Virtual Network](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
πŸ”€ [Network Security Groups](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
πŸ”€ [Network Managers](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FnetworkManagers)
πŸ”€ [Network Watcher](https://portal.azure.us/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview)
πŸ”€ [Network Security Perimeters](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FnetworkSecurityPerimeters)
πŸ”€ [Entra App Proxy](https://portal.azure.us/#view/Microsoft_AAD_IAM/AppProxyOverviewBlade) | πŸ’‘ [Use Secure Access Service Edge SASE - Software Defined Networking Zero Trust](https://www.microsoft.com/security/business/security-101/what-is-sase)
πŸ’‘ [Software Defined Network Monitoring using Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/software-defined-monitoring-using-automated-notebooks-and-azure/ba-p/2587775)
πŸ’‘ [Plan Software Defined Netoworking](https://learn.microsoft.com/azure-stack/hci/concepts/plan-software-defined-networking-infrastructure)
πŸ’‘ [Implementing Software Defined Networking](https://learn.microsoft.com/windows-server/networking/sdn/)
πŸ’‘ [Manage Software Detined Netoworking](https://learn.microsoft.com/windows-server/networking/sdn/manage/manage-sdn)
πŸ’‘ [Deploy Software Defined Networking](https://learn.microsoft.com/windows-server/networking/sdn/deploy/deploy-a-software-defined-network-infrastructure-using-scripts)
πŸ’‘ [Secure the Network Controller](https://learn.microsoft.com/azure-stack/hci/manage/nc-security)
πŸ’‘ [SDN for Win Server 2019 and 2022](https://learn.microsoft.com/windows-server/networking/sdn/sdn-whats-new)
πŸ’‘ [Key Components of Software Defined Networking Data Sheet](https://learn.microsoft.com/windows-server/networking/sdn/technologies/Software-Defined-Networking-Technologies)
πŸ’‘ [IPV6 Config Interface](https://learn.microsoft.com/javascript/api/%40azure/arm-databoxedge-profile-2020-09-01-hybrid/ipv6config?view=azure-node-latest&wt.mc_id=searchAPI_azureportal_inproduct_rmskilling&sessionId=a3b01375fbf840fe9b8065377eabbd7d)
πŸ’‘ [Leverage IPV6 for Azure Virtual Networks](https://learn.microsoft.com/azure/virtual-network/ip-services/ipv6-overview?wt.mc_id=searchAPI_azureportal_inproduct_rmskilling&sessionId=a3b01375fbf840fe9b8065377eabbd7d)
πŸ’‘ [Segementation Security Strategies](https://learn.microsoft.com/azure/well-architected/security/design-segmentation)
πŸ’‘ [Implement Network Segmentation Paterns On Azure](https://learn.microsoft.com/azure/well-architected/security/design-network-segmentation)
πŸ’‘ [Utilize Microsoft Packet Monitor](https://learn.microsoft.com/windows-server/networking/technologies/pktmon/pktmon) |\r\n| | 5.3 Macro Segmentation | Azure Subscription
Azure VNet(s)
Azure VNet Manager
Network Security Groups (NSG)
Azure Firewall | πŸ”€ [Impletment Network Segmentation](https://learn.microsoft.com/azure/well-architected/security/design-network-segmentation)
πŸ”€ [Azure Features for Segmentation](https://learn.microsoft.com/azure/well-architected/security/design-network-segmentation#azure-features-for-segmentation)
πŸ”€ [Network Service](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.HybridNetwork%2Fpublishers%2Fnetworkservicedesigngroups)
πŸ”€ [Network Watcher](https://portal.azure.us/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview) | πŸ’‘ [Impletment Network Segmentation](https://learn.microsoft.com/azure/well-architected/security/design-network-segmentation)
πŸ’‘ [Azure Features for Segmentation](https://learn.microsoft.com/azure/well-architected/security/design-network-segmentation#azure-features-for-segmentation)
πŸ’‘ [Segementation Security Strategies](https://learn.microsoft.com/azure/well-architected/security/design-segmentation)
πŸ’‘ [Network Service Designs](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.HybridNetwork%2Fpublishers%2Fnetworkservicedesigngroups)
πŸ’‘ [Network Watcher](https://portal.azure.com/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview) |\r\n| | 5.4 Micro Segmentation | Azure Security Groups (ASG)
Entra ID App Proxy
Microsoft Tunnel | πŸ”€ [Virtual Networks Termal Access Points](https://portal.azure.us/#view/HubsExtension/BrowseResourceBlade/resourceType/microsoft.network%2Fvirtualnetworktaps)
πŸ”€ [Conditional Access](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview)
πŸ”€ [Cloud Access Routers](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Orbital%2FcloudAccessRouters)
πŸ”€ [Entra ID Conditional Access](https://portal.azure.us/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview)
πŸ”€ [Azure Monitor Networks](https://portal.azure.us/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/networkInsights)
πŸ”€ [Azure Connection Monitor](https://portal.azure.us/#view/Microsoft_Azure_FlowLog/ConnectionMonitorV2ViewModel)
πŸ”€ [Azure Network Watcher](https://portal.azure.us/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview/menuId~/%7B%22target%22%3A%7B%7D%7D) | πŸ’‘ [Enabling JIT Access Controls](https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-usage?wt.mc_id=searchAPI_azureportal_inproduct_rmskilling&sessionId=a3b01375fbf840fe9b8065377eabbd7d)
πŸ’‘ [Conditional Access Block Access by Location](https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-location?wt.mc_id=searchAPI_azureportal_inproduct_rmskilling&sessionId=a3b01375fbf840fe9b8065377eabbd7d)
πŸ’‘ [Secure Networks with Zero Trust](https://learn.microsoft.com/security/zero-trust/deploy/networks)
πŸ’‘ [Implement Network Segmentation Paterns On Azure](https://learn.microsoft.com/azure/well-architected/security/design-network-segmentation?wtmc_id=searchAPI_azureportal_inproduct_rmskilling&sessionId=a3b01375fbf840fe9b8065377eabbd7d)
πŸ’‘ [Microsoft Packet Monitor](https://learn.microsoft.com/windows-server/networking/technologies/pktmon/pktmon) |\r\n| Automation & Orchestration 6.x | | | | |\r\n| | 6.1 Policy Decision Point (PDP) & Policy Orchestration | Entra ID Conditional Access (CA)
Azure Policy
Azure Automation
Azure ML
Azure Firewall
Microsoft Sentinel | πŸ”€ [Azure Automation](https://portal.azure.us/#view/Microsoft_AAD_IAM/ManagedAppMenuBlade/~/Overview/objectId/d2175af3-6958-4008-83ac-ac2b81eafac7/appId/fc75330b-179d-49af-87dd-3b1acf6827fa)
πŸ”€ [Azure Machine Learning](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.MachineLearningServices%2Fworkspaces)
πŸ”€ [Azure Policy](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyMenuBlade)
πŸ”€ [Azure Virtual Desktop](https://portal.azure.us/#view/Microsoft_Azure_WVD/WvdManagerMenuBlade/~/overview)
πŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null) | πŸ’‘ [Visibility,Automation and Orchestration with Zero Trust](https://learn.microsoft.com/)
πŸ’‘ [Azure Orchestration for Azure Security Policy](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-policy-security-baseline)
πŸ’‘ [Configuration Analyzer for Security Policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-worldwide)
πŸ’‘ [Azure Automation Overview](https://learn.microsoft.com/azure/automation/overview)
πŸ’‘ [Azure Security Baseline for Automation](https://learn.microsoft.com/security/benchmark/azure/baselines/automation-security-baseline)
πŸ’‘ [Azure Policy](https://learn.microsoft.com/azure/governance/policy/overview)
πŸ’‘ [What is Azure Firewall?](https://learn.microsoft.com/azure/firewall/overview)
πŸ’‘ [Apply Zero Trust principles to a hub virtual network in Azure](https://learn.microsoft.com/security/zero-trust/azure-infrastructure-networking)
πŸ’‘ [Management of Role Permissions and Automation](https://learn.microsoft.com/azure/automation/automation-role-based-access-control)
πŸ’‘ [Using Azure Machine Learning to assign roles](https://learn.microsoft.com/azure/machine-learning/how-to-assign-roles?view=azureml-api-2&tabs=labeler)
πŸ’‘ [Azure AD Seccurity Groups ML](https://learn.microsoft.com/azure/machine-learning/how-to-assign-roles?view=azureml-api-2&tabs=labeler#use-azure-ad-security-groups-to-manage-workspace-access) |\r\n| | 6.2 Critical Process Automation | Microsoft Power Automate
Azure Logic Apps
Microsoft Sentinel Playbooks
Microsoft 365 Defender Automated Investigation & Response | πŸ”€ [Azure Automation](https://portal.azure.us/#view/Microsoft_AAD_IAM/ManagedAppMenuBlade/~/Overview/objectId/d2175af3-6958-4008-83ac-ac2b81eafac7/appId/fc75330b-179d-49af-87dd-3b1acf6827fa)
πŸ”€ [Microsoft Sentinel Automation Blade](https://portal.azure.us/?feature.msaljs=true#view/Microsoft_Azure_Security_Insights/MainMenuBlade/~/Automationl)
πŸ”€ [Azure Logic Apps Blade](https://portal.azure.us/?feature.msaljs=true#view/HubsExtension/BrowseResource/resourceType/Microsoft.Logic%2Fworkflows)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/) | πŸ’‘ [Azure Automation Overview](https://learn.microsoft.com/azure/automation/overview)
πŸ’‘ [Azure Security Baseline for Automation](https://learn.microsoft.com/security/benchmark/azure/baselines/automation-security-baseline)
πŸ’‘ [Visibility, Automation, and Orchestration with Zero Trust](https://learn.microsoft.com/)
πŸ’‘ [Automation in Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/automation)
πŸ’‘ [Automate Threat Response with Playbooks](https://learn.microsoft.com/azure/sentinel/automate-responses-with-playbooks)
πŸ’‘ [Automated Investigation & Response M365 Defender](https://learn.microsoft.com/microsoft-365/security/defender/m365d-autoir?view=o365-worldwide)
πŸ’‘ [Power Automate U.S Government](https://learn.microsoft.com/power-automate/us-govt) |\r\n| | 6.3 Machine Learning | Microsoft Sentinel Fusion ML
Microsoft Sentinel Bring Your Own Machine Learning (BYOML)
Microsoft Defender for Cloud (MDfC)
Azure ML | πŸ”€ [Azure Machine Learning](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.MachineLearningServices%2Fworkspaces)
πŸ”€ [Power Automate](https://make.gov.powerautomate.us/)
πŸ”€ [Power Platform Admin Center](https://admin.appsplatform.us/)
πŸ”€ [Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [Defender for Cloud](https://portal.azure.us/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0) | πŸ’‘ [Advanced multistage attack detection in Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/fusion)
πŸ’‘ [Bring your own Machine Learning (ML) into Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/bring-your-own-ml)
πŸ’‘ [Azure Machine Learning](https://learn.microsoft.com/azure/machine-learning/?view=azureml-api-2)
πŸ’‘ [Enterprise Security & Governance w. Machine Learning](https://learn.microsoft.com/azure/machine-learning/concept-enterprise-security?view=azureml-api-2)
πŸ’‘ [Azure Government Isolaiton Guidelines using AI & ML](https://learn.microsoft.com/azure/azure-government/documentation-government-impact-level-5)
πŸ’‘ [Quick Start Azure Machine Learning](https://learn.microsoft.com/azure/machine-learning/tutorial-azure-ml-in-a-day?view=azureml-api-2)
πŸ’‘ [Azure security baseline for Azure Machine Learning](https://learn.microsoft.com/security/benchmark/azure/baselines/machine-learning-security-baseline) |\r\n| | 6.4 Artificial Intelligence | Microsoft Sentinel Fusion ML
Microsoft Sentinel Tailored AI
Azure ML | πŸ”€ [Azure AI Services](https://portal.azure.us/#blade/Microsoft_Azure_ProjectOxford/CognitiveServicesHub)
πŸ”€ [Sentinel](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [Defender for Cloud](https://portal.azure.us/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0) | πŸ’‘ [AI Security Services](https://learn.microsoft.com/azure/ai-services/security-features)
πŸ’‘ [Senintel Automation](https://learn.microsoft.com/azure/sentinel/automation)
πŸ’‘ [AI ID & Access Risk Based Controls](https://azure.microsoft.com/products/category/identity/)
πŸ’‘ [Implement Sentinel & M365 Defender for XDR - AI Driven Zero Trust ](https://learn.microsoft.com/security/operations/siem-xdr-overview)
πŸ’‘ [Become a Sentinel Automation Ninja](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-automation-ninja/ba-p/3563377) |\r\n| | 6.5 Security Orchestration, Automation & Response (SOAR) | Microsoft 365 Defender Automated investigation and response
Microsoft Sentinel Playbooks
Microsoft Defender for Cloud (MDfC)
Azure Logic Apps | πŸ”€ [Sentinel SIEM-SOAR](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [Logic Apps](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Logic%2Fworkflows)
πŸ”€ [Microsoft Defender for Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
πŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null) | πŸ’‘ [Security Ochestration, Automation & Response (SOAR) In Sentinel](https://learn.microsoft.com/azure/sentinel/automation)
πŸ’‘ [Sentinel SOAR](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/how-to-use-azure-sentinel-for-incident-response-orchestration/ba-p/2242397)
πŸ’‘ [Microsoft Sentinel SOAR Content Catalog](https://learn.microsoft.com/azure/sentinel/sentinel-soar-content)
πŸ’‘ [Automate Threat Response with Playbooks in Sentinel](https://learn.microsoft.com/azure/sentinel/automate-responses-with-playbooks)
πŸ’‘ [Automated investigation and response in Microsoft 365 Defender](https://learn.microsoft.com/microsoft-365/security/defender/m365d-autoir?view=o365-worldwide)
πŸ’‘ [Workflow Automation in Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/workflow-automation)
πŸ’‘ [SOAR Best Practices](https://www.microsoft.com/security/business/security-101/what-is-soar#SOARbestpractices)
πŸ’‘ [Become a Sentinel Automation Ninja](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-automation-ninja/ba-p/3563377) |\r\n| | 6.6 API Standardization | Azure API Management
Azure Monitor Log Analytics
Azure Logic Apps
Azure Policy | πŸ”€ [API Management Services](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.ApiManagement%2Fservice)
πŸ”€ [API Connections](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fconnections)
πŸ”€ [API Playground](https://portal.azure.us/#blade/Microsoft_Azure_Resources/ArmPlayground)
πŸ”€ [Azure Logic Apps](https://portal.azure.us/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Logic%2Fworkflows) | πŸ’‘ [Microsft API Management & Security](https://azure.microsoft.com/products/api-management/)
πŸ’‘ [Mitigate OWASP Top 10 Security Threats Using Microsoft API Management](https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats)
πŸ’‘ [Security Baselines for API Management](https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline)
πŸ’‘ [Secure and Compliant APIs for a Hybrid and Multi Cloud World](https://azure.microsoft.com/blog/secure-and-compliant-apis-for-a-hybrid-and-multi-cloud-world/)
πŸ’‘ [Web API Design Best Practice](https://learn.microsoft.com/azure/architecture/best-practices/api-design)
πŸ’‘ [Monitor & Protect Your APIs](https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor) |\r\n| | 6.7 Security Operations Center (SOC) & Incident Response (IR) | Microsoft Sentinel Microsoft Defender for Cloud (MDfC)
Microsoft 365 Defender | πŸ”€ [Sentinel SIEM-SOAR](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [Logic Apps](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Logic%2Fworkflows)
πŸ”€ [Microsoft Defender for Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
πŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/) | πŸ’‘ [Security Operations In Azure](https://learn.microsoft.com/azure/well-architected/security/monitor-security-operations)
πŸ’‘ [Microsoft SOC Best Practices Landing Page](https://www.microsoft.com/security/business/security-101/what-is-a-security-operations-center-soc?ef_id=_k_ce7dcd6e8f2d1919667ca9a72f733870_k_&OCID=AIDcmmdamuj0pc_SEM__k_ce7dcd6e8f2d1919667ca9a72f733870_k_&msclkid=ce7dcd6e8f2d1919667ca9a72f733870)
πŸ’‘ [Playbook for Modernizing Security Operations Centers](https://www.microsoft.com/security/blog/2021/02/11/a-playbook-for-modernizing-security-operations/)
πŸ’‘ [CISO Series Lessons Learned from Microsoft's SOC](https://www.microsoft.com/security/blog/2019/10/07/ciso-series-lessons-learned-from-the-microsoft-soc-part-3a-choosing-soc-tools/)
πŸ’‘ [Integrating Microsoft 365 Defender into your security operations](https://learn.microsoft.com/microsoft-365/security/defender/integrate-microsoft-365-defender-secops?view=o365-worldwide) |\r\n| Visibility & Analytics 7.x | | | | |\r\n| | 7.1 Log All Traffic (Network, Data, Apps, Users) | Azure Monitor Log Analytics
Microsoft Sentinel | πŸ”€ [Log Analytics Workspace](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.OperationalInsights%2Fworkspaces)
πŸ”€ [Log Query Packs](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.OperationalInsights%2Fquerypacks)
πŸ”€ [Sign-in Activity Logs](https://portal.azure.us/#blade/Microsoft_AAD_IAM/SignInEventsV3Blade)
πŸ”€ [Activity Logs](https://portal.azure.us/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/activityLog)
πŸ”€ [Audit Log](https://portal.azure.us/#blade/Microsoft_AAD_IAM/AuditEventsV2PillsBlade)
πŸ”€ [Operation Log](https://portal.azure.us/#blade/Microsoft_Azure_Resources/OperationLogsBlade)
πŸ”€ [Microsoft Azure Log Search Alerts](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/c134d63b-957f-4cf7-8a34-d744aa8804df/appId/f6b60513-f290-450e-a2f3-9930de61c5e7) | πŸ’‘ [Azure Log Analytics](https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview)
πŸ’‘ [Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/overview)
πŸ’‘ [Audit Logging and Monitoring](https://learn.microsoft.com/compliance/assurance/assurance-audit-logging)
πŸ’‘ [Maturity Model for Log Management M2131](https://techcommunity.microsoft.com/t5/public-sector-blog/microsoft-sentinel-maturity-model-for-event-log-management-m-21/ba-p/3074336)
πŸ’‘ [Device Log Capture - Intune](https://learn.microsoft.com/mem/intune/remote-actions/collect-diagnostics)
πŸ’‘ [Application Logging](https://learn.microsoft.com/sql/relational-databases/performance/view-the-windows-application-log-windows-10?view=sql-server-ver16)
πŸ’‘ [User Access Logging](https://learn.microsoft.com/windows-server/administration/user-access-logging/get-started-with-user-access-logging)
πŸ’‘ [Azure Infrastructure Logs](https://learn.microsoft.com/azure/well-architected/scalability/monitor-infrastructure)
πŸ’‘ [Network Logging](https://learn.microsoft.com/azure/azure-web-pubsub/howto-troubleshoot-network-trace)
πŸ’‘ [Supported Logs for Network](https://learn.microsoft.com/azure/azure-monitor/reference/supported-logs/microsoft-network-networkmanagers-logs) |\r\n| | 7.2 Security Information and Event Management (SIEM) | Microsoft Sentinel
Microsoft Defender for Cloud (MDfC)
Microsoft 365 Defender | πŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinel)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/)
πŸ”€ [Microsoft Defender for Cloud](https://portal.azure.us/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0) | πŸ’‘[Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/overview)
πŸ’‘[Implement Sentinel & M365](https://learn.microsoft.com/security/operations/siem-xdr-overview)
πŸ’‘[Unified SIEM & XDR](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-unified-microsoft-siem-and-xdr-github-community/ba-p/3249533)
πŸ’‘[Stream Alerts Defender for Cloud to SIEM](https://learn.microsoft.com/azure/defender-for-cloud/export-to-siem#stream-alerts-to-azure-sentinel)
πŸ’‘[Azure Sentinel Github Repo](https://github.com/Azure/Azure-Sentinel)
πŸ’‘[Sentinel & SOC Analysis Process](https://learn.microsoft.com/azure/sentinel/migration-security-operations-center-processes)
πŸ’‘[Microsoft Sentinel Skill Up Training](https://learn.microsoft.com/azure/sentinel/skill-up-resources) |\r\n| | 7.3 Common Security and Risk Analytics | Microsoft Sentinel
Microsoft Defender for Cloud (MDfC) | πŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinell)
πŸ”€ [Defender For Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
πŸ”€ [Security Baselines](https://endpoint.microsoft.us/#home) | πŸ’‘[Microsoft Security Response Center Security Updates Guide](https://msrc.microsoft.com/update-guide)
πŸ’‘[Explore Risks to Sensitive Data Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/data-security-review-risks)
πŸ’‘[Identify & Analyze Risks Across Your Environment](https://learn.microsoft.com/azure/defender-for-cloud/concept-attack-path)
πŸ’‘[Cloud Security Posture Management](https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management)
πŸ’‘[Microsoft Cloud Security Benchmark](https://learn.microsoft.com/azure/defender-for-cloud/concept-regulatory-compliance) |\r\n| | 7.4 User and Entity Behavior Analytics | Microsoft Sentinel UEBA
Microsoft Defender for Cloud Apps (MDA)
Microsoft Defender for Identity (MDI)
Entra ID Conditional Access (CA)
Purview Insider Risk Management | πŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
πŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinell)
πŸ”€ [Defender For Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
πŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
πŸ”€ [M365 Defender Portal](https://security.microsoft.us/) | πŸ’‘ [ID Threats with User and Entity Behavior Analytics](https://learn.microsoft.com/azure/sentinel/identify-threats-with-entity-behavior-analytics)
πŸ’‘ [Enable Entity Behavior Analytics to Detect Threats](https://learn.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
πŸ’‘ [Microsoft Sentinel UEBA Reference](https://learn.microsoft.com/azure/sentinel/ueba-reference)
πŸ’‘ [Investigate Incidents with UEBA](https://learn.microsoft.com/azure/sentinel/investigate-with-ueba)
πŸ’‘ [Discover and Protect Sensitive Information in your Organization](https://learn.microsoft.com/defender-cloud-apps/tutorial-dlp)
πŸ’‘ [Purview Insider Risk Management](https://learn.microsoft.com/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/plan-for-microsoft-purview-dod-deployments) |\r\n| | 7.5 Threat Intelligence Integration | Microsoft Sentinel Threat Intelligence (TI)
Microsoft Graph Security Indicators
Microsoft Defender Threat Intelligence (MDTI) | πŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinell)
πŸ”€ [Defender For Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
πŸ”€ [Microsoft Threat Intelligence Portal](https://ti.defender.microsoft.com/) | πŸ’‘[Microsoft Threat Intelligence](https://learn.microsoft.com/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti)
πŸ’‘[Microsoft Security Graph API](https://learn.microsoft.com/graph/api/resources/security-api-overview?view=graph-rest-beta)
πŸ’‘[Create Threat Intelligence Indicators](https://learn.microsoft.com/graph/api/tiindicators-post?view=graph-rest-beta&tabs=http)
πŸ’‘[Threat intelligence integration in Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/threat-intelligence-integration)
πŸ’‘[Bring Your Own Threat Intelligence Feeds](https://learn.microsoft.com/defender-cloud-apps/additional-integrations)
πŸ’‘[Accessing the Threat Intelligence Portal](https://learn.microsoft.com/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal) |\r\n| | 7.6 Automated Dynamic Policies | Entra ID Protection
Microsoft Defender for Endpoint (MDE)
Microsoft Defender for Cloud (MDfC)
Microsoft Sentinel Fusion ML
Microsoft Sentinel Bring Your Own Machine Learning (BYOML)
Microsoft Sentinel Playbooks
Microsoft Intune
Azure Automation
Purview Insider Risk Management | πŸ”€ [Sentinel](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.securityinsightsarg%2Fsentinell)
πŸ”€ [Defender For Cloud](https://portal.azure.us/#blade/Microsoft_Azure_Security/SecurityMenuBlade)
πŸ”€ [Logic Apps](https://portal.azure.us/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Logic%2Fworkflows)
πŸ”€ [Entra ID](https://portal.azure.us/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null)
πŸ”€ [Azure Automation](https://portal.azure.us/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/objectId/d2175af3-6958-4008-83ac-ac2b81eafac7/appId/fc75330b-179d-49af-87dd-3b1acf6827fa)
πŸ”€ [Microsoft Purview Portal](https://compliance.microsoft.us)
πŸ”€ [Microsoft Intune](https://endpoint.microsoft.us/#view/Microsoft_Intune_Enrollment/ReportingMenu/~/deviceCompliance) | πŸ’‘[Automate Threat Response with Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/automate-responses-with-playbooks)
πŸ’‘[Adaptive Protection - Microsoft Purview](https://www.microsoft.com/security/blog/2023/02/06/introducing-adaptive-protection-in-microsoft-purview-people-centric-data-protection-for-a-multiplatform-world/#:~:text=With%20Adaptive%20Protection%2C%20DLP%20policies%20become%20dynamic%2C%20ensuring,efficient%20and%20empowered%20to%20do%20more%20with%20less.)
πŸ’‘[Adaptive Policy Scopes M365](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/using-adaptive-policy-scopes-to-apply-m365-retention-to-shared/ba-p/3053641#:~:text=Back%20in%20October,in%20Microsoft%20365.)
πŸ’‘[Adaptive Application Controls](https://learn.microsoft.com/azure/defender-for-cloud/adaptive-application-controls)
πŸ’‘[AI-Driven Adaptive Device Controls Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/ai-driven-adaptive-protection-in-microsoft-defender-for-endpoint/ba-p/2966491)
πŸ’‘[AI-Driven Adaptive Protection Against Human Operated Ransomeware](https://www.microsoft.com/security/blog/2021/11/15/ai-driven-adaptive-protection-against-human-operated-ransomware/)
πŸ’‘[Microsoft Defender for Cloud Automated Security Posture Management](https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management)
πŸ’‘[Improve your network security posture with adaptive network hardening](https://learn.microsoft.com/azure/defender-for-cloud/adaptive-network-hardening)
πŸ’‘[What is Microsoft Entra ID Protection?](https://learn.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection)
πŸ’‘[Azure Automation update management](https://learn.microsoft.com/azure/architecture/hybrid/azure-update-mgmt)
πŸ’‘[Manage Windows 10 and Windows 11 software updates in Intune](https://learn.microsoft.com/mem/intune/protect/windows-update-for-business-configure) |" + }, + "conditionalVisibility": { + "parameterName": "isess3Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "showPin": true, + "name": "ztalign" + } + ] + }, + "conditionalVisibility": { + "parameterName": "pillar", + "comparison": "isEqualTo", + "value": "ess" + }, + "name": "ZTGroup" + }, + { + "type": 1, + "content": { + "json": "## DoD Zero Trust Capabilities (45) ##\r\n\r\n| ID # | Capability | Pillar | Capability Description | Capability Outcome | Impact to ZT | Associated Activities |\r\n|------|---------------------------------------------------------------------------|----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\r\n| 1.1 | User Inventory | 1 - User | Regular and Privileged users are identified and integrated into an inventory supporting regular modifications. Applications, software and services that have local users are all part of the inventory and highlighted. | System owners have control (visibility and administrative rights) of all authorized and authenticated users on the network | Users not on the authorized user list will be denied access by policy | * Inventory User |\r\n| 1.2 | Conditional User Access | 1 - User | Through maturity levels Conditional Access works to create a dynamic level of access for users in the environment. This starts with traditional role based access controls across a federate ICAM, expands to be application focused roles and ultimately utilizes enterprise attributes to provide dynamic access rules. | Eventually, organizations control user, device, and non-user entity DAAS access through dynamically changing user risk profiles and fine grained access control to include the use of user risk assessments | Users not known to the system and users who present an unacceptable degree of risk will be denied access with greater accuracy | * Implement App Based Permissions per Enterprise
* Rule Based Dynamic Access Pt1
* Rule Based Dynamic Access Pt2
* Enterprise Gov't roles and Permissions Pt1
* Enterprise Gov't roles and Permissions Pt2 |\r\n| 1.3 | Multi-Factor Authentication (MFA) | 1 - User | This capability initially focuses on developing an organization focused MFA provider and Identity Provider to enable the centralization of users. Retirement of local and/or built-in accounts and groups is a critical piece to this capability. At the later maturity levels alternative and flexible MFA tokens can be used to provide access for standard and external users. | DoD organizations require users and non-user entities to authenticate using at least two of the following three attributes: knowledge (user ID/password), possession (CAC/token), or something you are (inherence, e.g., iris/fingerprints), in order to access DAAS | Users not presenting multiple forms of authentication will be denied access to DAAS system and resources | * Organizational MFA/IDP
* Alternative Flexible MFA Pt1
* Alternative Flexible MFA Pt2 |\r\n| 1.4 | Privileged Access Management (PAM) | 1 - User | The capability focuses on removal of permanent administrator/elevated privileges by first creating a Privileged Account Management (PAM) system and migrating privileged users to it. The capability is then expanded upon by using automation with privilege escalation approvals and feeding
analytics into the system for anomaly detection. | DoD organizations control, monitor, secure, and audit privileged identities (e.g., through password vaulting, JIT/JEA with PAWS) across their IT environments | Critical assets and applications secured, controlled, monitored and managed through limits on admin access | * Implement System and Migrate Privileged Users Pt1
* Implement System and Migrate Privileged Users Pt2
* Real time Approvals & JIT/JEA Analytics Pt1
* Real time Approvals & JIT/JEA Analytics Pt2 |\r\n| 1.5 | Identity Federation & User Credentialing | 1 - User | The initial scope of this capability focuses on standardizing the Identity Lifecycle Management (ILM) processes and integrating with the standard organizational IDP/IDM solution. Once completed the capability shifts to establishing an Enterprise ILM process/solution either through a single solution or identity federation. | DoD organizations manually issue, manage, and revoke credentials bound to DoD person, device, and NPE identities. Identity information is developed and shared across entitles and trust domains providing β€œsingle sign-on” convenience and efficiencies to identified (authenticated and authorized) users and devices. | Visibility and accuracy of user authentication information is increased, to include DoD users and users managed by other agencies.
Users lacking sufficient credentials are denied access according to established
policies. | * Organizational Identity Life-Cycle Management
* Enterprise Identity Life-Cycle Management Pt1
* Enterprise Identity Life-Cycle Management Pt2
* Enterprise Identity Life-Cycle Management Pt3 |\r\n| 1.6 | Behavioral, Contextual ID, and Biometrics | 1 - User | Utilizing the Enterprise IDP, user and entity behavioral analytics (UEBA) are enabled with basic user attributes. Once completed this is expanded into Organizational specific attributes using Organizational IDPs as available. Finally UEBA are integrated with the PAM and JIT/JEA systems to better detect anomalous and malicious activities. | DoD organizations utilize behavioral, contextual, and biometric telemetry to enhance risk-based authentication and access controls | Behavioral, contextual, and biometric telemetry enhances MFA with | * Implement User & Entity Behavior Activity (UEBA) and User Activity Monitoring (UAM) Tooling
* User Activity Monitoring Pt1
* User Activity Monitoring Pt2 |\r\n| 1.7 | Least Privileged Access | 1 - User | DoD organizations govern access to DAAS using the absolute minimum access required to perform routine, legitimate tasks or activities. DoD Application Owners identify the necessary roles and attributes for standard and privileged user access. Privileged access for all DoD organization DAAS is audited and removed when unneeded. | DoD organizations govern access to DAAS using the absolute minimum access required to perform routine, legitimate tasks or activities | Users on the network only have access to the DAAS for which they are authorized and authenticated over a specific timeframe | * Deny User by Default Policy |\r\n| 1.8 | Continuous Authentication | 1 - User | The DoD organizations and overall enterprise will methodically move towards continuous attribute based authentication. Initially the capability focuses on standardizing legacy single authentication to a organizationally approved IDP with users and groups. The second stages adds in based rule based (time) authentication and ultimately matures to Continuous Authentication based on the application/software activities and privileges requested. | DoD organizations continuously authenticate and authorize users' access to DAAS within and across sessions using MFA | Users not continuously presenting multiple forms of authentication will be denied access to DAAS system and resources | * Single Authentication
* Periodic Authentication
* Continuous Authentication Pt1
* Continuous Authentication Pt2 |\r\n| 1.9 | Integrated ICAM Platform | 1 - User | DoD organizations and overall enterprise employ enterprise-level identity management and public key infrastructure (PKI) systems to track user, administrator and NPE identities across the network and ensure access is limited to only those who have the need and the right to know. Organizations can verify they need and have the right to access via credential management systems, identity governance and administration tools, and an access management tool. PKI systems can be federated but must either trust a central root certificate authority (CA) and/or cross-sign standardized organizational CA’s. | DoD organizations employ enterprise-level identity management systems to track user and NPE identities across the network and ensure access is limited to only those who have the need and the right to know; organizations can verify they need and have the right to access via credential management systems, identity governance and administration tools, and an access management tool | Identities of users and NPE are centrally managed to ensure authorized and authenticated access to DAAS resources across platforms | * Enterprise PKI/IDP Pt1
* Enterprise PKI/IDP Pt2
* Enterprise PKI/IDP Pt3 |\r\n| 2.1 | Device Inventory | 2 - Device | DoD organizations establish and maintain an approved inventory list of all devices authorized to access the network and enroll all devices on the network prior to network connection. Device attributes will include technical details such as the PKI (802.1x) machine certificate, device object, patch/vulnerability status and others to enable successor activities. | DoD organizations establish and maintain a trusted inventory list of all devices authorized to access the network and enroll all devices on the network prior to network connection | By default policy, devices will be denied network access; the only devices permitted access to the network shall be known, authorized, and listed in the device inventory | * Device Health Tool Gap Analysis
* NPE/PKI, Device under Management
* Enterprise IDP Pt1
* Enterprise IDP Pt2 |\r\n| 2.2 | Device Detection and Compliance | 2 - Device | DoD organizations employ asset management systems for user devices to maintain and report on IT and Cybersecurity compliance. Managed devices (enterprise and mobile) attempting to connect to a DoD network or access a DAAS resource is detected and has its compliance status confirmed (via C2C) | DoD organizations employ asset management systems for user devices to maintain and report on IT compliance. Any device (including mobile, IOT, managed, and unmanaged) attempting to connect to a DoD network or access a DAAS resource is detected and has its compliance status confirmed (via C2C) | Any device attempting to connect to the network will be detected; only those devices that are compliant (e.g., anti-virus is up to date, approved configuration) will receive access to requested DAAS | * Implement C2C/Compliance Based Network Authorization Pt1
* Implement C2C/Compliance Based Network Authorization Pt2 |\r\n| 2.3 | Device Authorization w/ Real Time Inspection | 2 - Device | DoD Organizations conduct foundational and extended device tooling (NextGen AV, AppControl, File Integrity Monitoring (FIM), etc.) integration to better understand the risk posture.
Organizational PKI systems are integrated to expand the existing Enterprise PKI to devices as well. Lastly Entity Activity Monitoring is also integrated to identify anomalous activities. | DoD organizations establish processes (e.g., Enterprise PKI) and utilize tools to identify any device (including unmanaged devices, infrastructure devices, and endpoint devices) attempting to access the network, and make a determination if the device should be authorized to access the network.
Maturation of this capability monitoring and detection of this activity on endpoints and IT
infrastructure in real time | Components can use policies to deny devices by default and explicitly allow access to DAAS resources only by devices that meet mandated configuration standards. Security threats identified are remediated faster through continuous activity inspection enables faster remediation of security threats | * Entity Activity Monitoring Pt1
* Entity Activity Monitoring Pt2
* Implement Application Control & File Integrity Monitoring (FIM) Tools
* Integrate NextGen AV Tools with C2C
* Fully Integrate Device Security stack with C2C as appropriate
* Enterprise PKI Pt1
* Enterprise PKI Pt2 |\r\n| 2.4 | Remote Access | 2 - Device | DoD organizations audit existing device access processes and tooling to set a least privilege baseline. In phase 2 this access is expanded to cover basic BYOD and IOT support using the Enterprise IDP for approved applications. The final phases expand coverage to include all BYOD and IOT devices for services using
the approved set of device attributes. | DoD organizations establish policies to allow authorized users and devices access to the network or a device from a geographical distance through a network connection | Enables properly authorized and authenticated users and NPEs to access DAAS from remote locations | * Deny Device by Default Policy
* Managed and Limited BYOD & IOT Support
* Managed and Full BYOD & IOT Support Pt1
* Managed and Full BYOD & IOT Support Pt2 |\r\n| 2.5 | Partially & Fully Automated Asset, Vulnerability and Patch
Management | 2 - Device | DoD organizations establish processes to automatically test and deploy vendor patches for connected devices; hybrid patch management (both human and automated) is employed | DoD organizations establish processes to automatically test and deploy vendor patches for connected devices; hybrid patch management (both
human and automated) is employed | Risk is minimized by automatically deploying vendor patches to all network devices | * Implement Asset, Vulnerability and Patch Management Tools |\r\n| 2.6 | Unified Endpoint Management (UEM) & Mobile Device Management (MDM) | 2 - Device | DoD organizations establish a centralized UEM solution that provides the choices of agent and/or agentless management of computer and mobile devices to a single console regardless of device location. DoD-issued devices can be remotely managed and security policies are enforced. | DoD organizations establish a centralized UEM tool that provides the choices of agent and/or agentless management of computer and mobile devices to a single console. DoD-issued mobile devices are remotely managed and security policies are enforced. | DAAS resources are protected through agent and agentless management, IT is able to manage, secure, and deploy resources and applications on any device from a single console to provide redress of cybersecurity threats.
Security vulnerabilities are mitigated and policy enforcement measures are received through IT remote management of DoD-issued mobile devices | * Implement UEDM or equivalent Tools
* Enterprise Device Management Pt1
* Enterprise Device Management Pt2 |\r\n| 2.7 | Endpoint & Extended Detection & Response (EDR & XDR) | 2 - Device | DoD organizations use endpoint detection and response (EDR) tooling to monitor, detect, and remediate malicious activity on endpoints. Expanding the capability to include XDR tooling allows organizations to account for activity beyond the endpoints such as cloud and network as well. | DoD organizations use EDR tools to monitor, detect, and remediate malicious activity on endpoints as a baseline. Upgrading to XDR tools allows organizations to account for activity beyond the endpoints. | Threats originating from network- connected endpoints are initially reduced through active investigation and response. Maturation focuses on forensics and faster threat detection and remediation are enabled by correlating data across multiple security layers (e.g., email, cloud, endpoint) | * Implement Endpoint Detection & Response (EDR) Tools and Integrate with C2C
* Implement Extended Detection & Response (XDR) Tools and Integrate with C2C Pt1
* Implement Extended Detection & Response (XDR) Tools and Integrate with C2C Pt2 |\r\n| 3.1 | Application Inventory | 3 - Applications and Workloads | System owners ensure that all applications and application components are identified and inventoried; only applications and application components that have been authorized by the appropriate authorizing official/CISO/CIO shall be utilized within the system owner's purview | System owners ensure that all applications and application components are identified and inventoried; only applications and application components that have been authorized by the appropriate authorizing official/CISO/CIO shall be
utilized within the system owner's purview | Unauthorized applications and application components are not used on or within the system | * Application/Code Identification |\r\n| 3.2 | Secure Software Development & Integration | 3 - Applications and Workloads | Foundational software and application security processes and infrastructure are established following Zero Trust principles and best practices. Controls such as code review, runtime protection, secure API gateways, container and serverless security are integrated and automated. | Organization-defined security controls and practices are integrated, to include Zero Trust security controls and virtualization, into the software development lifecycle and DevOps toolchain. Custom software development teams use DevSecOps to integrate static and dynamic application security testing into software delivery workflows in accordance with the organization's requirements (policies, technologies, and processes). | Zero Trust security concepts, processes, and capabilities are accepted and integrated across the DevOps toolchain, to include static and dynamic application security testing necessary for the discovery of weaknesses and vulnerabilities during application development | * Build DevSecOps Software Factory Pt1
* Build DevSecOps Software Factory Pt2
* Automate Application Security & Code Remediation Pt1
* Automate Application Security & Code Remediation Pt2 |\r\n| 3.3 | Software Risk Management | 3 - Applications and Workloads | DoD organizations establish software/application risk management program. Foundational controls include Bill of Materials risk management, Supplier Risk Management, approved repositories and update channels, and vulnerability management program. Additional controls include Continual validation within the CI/CD pipelines and vulnerability maturation with external sources. | DoD establishes policies and procedures to secure supply chain cybersecurity for code components within DoD and DIB systems by evaluating and identifying supplier sourcing risk for approved sources, creating
repositories and update channels for use by development teams, creating Bill of Materials for applications to identify source, supportability and risk posture, and establishing industry standard (DIB) and approved vulnerability databases for use in
DevSecOps | Code used in DAAS and associated components of the supply chain is secure, vulnerabilities are reduced, and DoD is aware of potential risks | * Approved Binaries/Code
* Vulnerability Management Program Pt1
* Vulnerability Management Program Pt2
* Continual Validation |\r\n| 3.4 | Resource Authorization & Integration | 3 - Applications and Workloads | DoD establishes a standardized resource authorization gateway for authorizations via the CI/CD pipelines in a risk approach that reviews the User, Device and Data security posture.
Authorizations utilize a programmatic (e.g., Software Defined) approach in a live/production environment. Attributes are enriched utilizing other pillar activities and the API and Authorization gateway. Approved enterprise APIs are micro-
segmented using authorizations. | DoD establishes a standard approach managing the authorizations of resources in a risk approach that reviews the User, Device and Data security posture. | Resource authorization enables the ability for limited access to those resources and in a programmatic way in later stages. This improvise the ability to remove access when it is not needed. | * Resource Authorization Pt1
* Resource Authorization Pt2
* SDC Resource Authorization Pt1
* SDC Resource Authorization Pt2
* Enrich Attributes for Resource Authorization Pt1
* Enrich Attributes for Resource Authorization Pt2
* REST API Micro-Segments |\r\n| 3.5 | Continuous Monitoring
and Ongoing Authorizations | 3 - Applications and Workloads | DoD organizations employ automated tools and processes to continuously monitor applications and assess their authorization
to operate | DoD organizations employ automated tools and processes to continuously monitor applications and
assess their authorization to operate | Near real time visibility into the
effectiveness of deployed security controls | * Continuous Authorization to Operate (cATO) Pt1
* Continuous Authorization to Operate (cATO) Pt2 |\r\n| 4.1 | Data Catalog Risk Alignment | 4 - Data | Data owners ensure that data is identified and inventoried and any changes to the data landscape are automatically detected and included within the catalog. The data landscape must then be reviewed to identify potential risks related to data loss, attack, or any other unauthorized alteration and/or access | Data owners ensure that data is identified and inventoried and any changes to the data landscape are automatically detected and included within the catalog. The data landscape must then be reviewed to identify potential risks related to data loss, attack, or any other unauthorized alteration and/or access | Data assets are known and can therefore be collected, tagged, and protected according to risk levels in alignment with a prioritization framework, and encrypted for protection | * Data Analysis |\r\n| 4.2 | DoD Enterprise Data Governance | 4 - Data | DoD establishes enterprise data labeling/tagging and DAAS access control/sharing policies (e.g., SDS policy) that are enforceable. Developed enterprise standards ensure an appropriate level of interoperability between DoD Organizations. | DoD establishes enterprise data labeling/tagging and DAAS access control/sharing policies (e.g., SDS policy) that are enforceable at the field level | Decision rights and accountability framework ensure appropriate behavior in the valuation, creation, consumption, and control of data and
analytics | * Define Data Tagging Standards
* Interoperability Standards
* Develop Software Defined Storage (SDS) Policy |\r\n| 4.3 | Data Labeling and Tagging | 4 - Data | Data owners label and tag data in compliance with DoD enterprise governance on labeling/tagging policy. As phases advance automation is used to meet scaling demands and provide better accuracy. | Data owners label and tag data in compliance with DoD enterprise governance on labeling/tagging policy | Establishing machine enforceable data access controls, risk assessment, and situational awareness require consistently and correctly labeled and
tagged data | * Implement Data Tagging & Classification Tools
* Manual Data Tagging Pt1
* Manual Data Tagging Pt2
* Automated Data Tagging & Support Pt1
* Automated Data Tagging & Support Pt2 |\r\n| 4.4 | Data Monitoring and Sensing | 4 - Data | Data owners will capture active metadata that includes information about the access, sharing, transformation, and use of their data assets. Data Loss Prevention (DLP) and Data Rights Management (DRM) enforcement point analysis is conducted to determine where tooling will be deployed. Data outside of DLP and DRM scope such as File Shares and Databases is actively monitored for anomalous and malicious activity using alternative tooling. | Data owners will capture active metadata that includes information about the access, sharing, transformation, and use of their data assets | Data in all states are detectable and observable | * DLP Enforcement Point Logging and Analysis
* DRM Enforcement Point Logging and Analysis
* File Activity Monitoring Pt1
* File Activity Monitoring Pt2
* Database Activity Monitoring
* Comprehensive Data Activity Monitoring |\r\n| 4.5 | Data Encryption & Rights Management | 4 - Data | DoD organizations establish and implement a strategy for encrypting data at rest and in transit using Data Rights Management (DRM) tooling. The DRM solution utilizes data tags to determine protection and lastly integrates with ML and AI to automate protection | DoD organizations establish and implement a strategy for encrypting data at rest and in transit | Encrypting data in all states reduces the risk of unauthorized data access and improves data security | * Implement DRM and Protection Tools Pt1
* Implement DRM and Protection Tools Pt2
* DRM Enforcement via Data Tags and Analytics Pt1
* DRM Enforcement via Data Tags and Analytics Pt2
* DRM Enforcement via Data Tags and Analytics Pt3 |\r\n| 4.6 | Data Loss Prevention (DLP) | 4 - Data | DoD organizations utilize the identified enforcement points to deploy approved DLP tools and integrate tagged data attributes with DLP. Initially the DLP solution is put into a \"monitor-only\" mode to limit business impact and later using analytics is put into a \"prevent\" mode. Extended data tag attributes are used to feed the DLP solution and lastly integrate with ML and AI. | DoD organizations have identified enforcement points, deployed approved DLP tools at those enforcement points, and integrate tagged data attributes with DLP | Data breaches and data exfiltration transmissions are detected and mitigated | * Implement Enforcement Points
* DLP Enforcement via Data Tags and Analytics Pt1
* DLP Enforcement via Data Tags and Analytics Pt2
* DLP Enforcement via Data Tags and Analytics Pt3 |\r\n| 4.7 | Data Access Control | 4 - Data | DoD organizations ensure appropriate access to and use of data based on the data and user/NPE/device properties. Software Defined Storage (SDS) is utilized to scale manage permissions to DAAS. Lastly the SDS solution(s) is integrated with DRM tooling improving protections. | DoD organizations ensure appropriate access to and use of data based on the data and user/NPE/device properties | Unauthorized entities, or any entity on an unauthorized device cannot access data; Zero Trust cybersecurity will be sufficiently strong to separate community of interest data access for data in the same classification | * Integrate DAAS Access w/ SDS Policy Pt1
* Integrate DAAS Access w/ SDS Policy Pt2
* Integrate DAAS Access w/ SDS Policy Pt3
* Integrate Solution(s) and Policy with Enterprise IDP Pt1
* Integrate Solution(s) and Policy with Enterprise IDP Pt2
* Implement SDS Tool and/or integrate with DRM Tool Pt1
* Implement SDS Tool and/or integrate with DRM Tool Pt2 |\r\n| 5.1 | Data Flow Mapping | 5 - Network and Environment | DoD organizations reconcile data flows by gathering, mapping, and visualizing network traffic data flows and patterns to ensure authorized access and protection for network and DAAS resources specifically tagging programmatic (e.g., API) access when possible. | DoD organizations reconcile data flows by gathering, mapping, and visualizing network traffic data flows and patterns to ensure authorized access and protection for network and DAAS resources | Sets the foundation for network segmentation and tighter access control by understanding data traffic on the network | * Define Granular Control Access Rules & Policies Pt1
* Define Granular Control Access Rules & Policies Pt2 |\r\n| 5.2 | Software Defined Networking (SDN) | 5 - Network and Environment | DoD organizations define API decision points and implement SDN programmable infrastructure to separate the control and data planes and centrally manage and control the elements in the data plane. Integrations are conducted with decision points and segmentation gateway to accomplish the plane separation.
Analytics are then integrated to real time decision making for
access to resources. | DoD organizations define API decision points and implement SDN programmable infrastructure to separate the control and data planes and centrally manage and control the elements in the data plane | Enables the control of packets to a centralized server, provides additional visibility into the network, and enables integration requirements | * Define SDN APIs* Implement SDN Programable Infrastructure
* Segment Flows into Control, Management, and Data Planes
* Network Asset Discovery & Optimization
* Real-Time Access Decisions |\r\n| 5.3 | Macro Segmentation | 5 - Network and Environment | DoD organizations establish network boundaries and provide security against networked assets located within an environment by validating the device, user, or NPE on each attempt of accessing a remote resource prior to connection. | DoD organizations establish network perimeters and provide security against devices located within an environment by validating the device, user, or NPE on each attempt of accessing a remote resource prior to connection | Network segmentation is defined by a large perimeter to enable resource segmentation by function and user type | * Datacenter Macro segmentation
* B/C/P/S Macro segmentation |\r\n| 5.4 | Micro Segmentation | 5 - Network and Environment | DoD organizations define and document network segmentation based on identity and / or application access in their virtualized and/or cloud environments. Automation is used to apply policy changes through programmatic (e.g., API) approaches. Lastly where possible organizations will utilize host-level process micro segmentation. | DoD organizations define and document network segmentation based on identity and / or application access in their virtualized cloud environments | Network segmentation enabled by narrower and specific segmentation in a virtualized environment via identity and / or application access, allowing for improved protection of data in transit as it crosses system boundaries (e.g., in a coalition environment, system high boundaries) and supported dynamic, real-time access decisions and policy changes | * Implement Micro segmentation
* Application & Device Micro segmentation
* Process Micro segmentation
* Protect Data In Transit |\r\n| 6.1 | Policy Decision Point (PDP) & Policy Orchestration | 6 - Automation and Orchestration | DoD organizations initially collect and document all rule based policies to orchestrate across the security stack for effective automation; DAAS access procedures and policies will be defined, implemented, and updated. Organizations mature this capability by establishing PDPs and PEPs (including the Next Generation Firewall) to make DAAS resource determinations and enable, monitor, and terminate connections between a user/device and DAAS resources according to predefined policy. | DoD organizations initially collect and document all rule based policies to orchestrate across the security stack for effective automation; DAAS access procedures and policies will be defined, implemented, and updated. Organizations mature this capability by establishing PDPs and PEPs (including the Next Generation Firewall) to make DAAS resource determinations and enable, monitor, and terminate connections between a user/device and DAAS resources according to predefined policy | PDPs and PEPs ensure proper implementation of DAAS access policies to users or endpoints that are properly connected (or denied access) to requested resources | * Policy Inventory & Development
* Organization Access Profile
* Enterprise Security Profile Pt1
* Enterprise Security Profile Pt2 |\r\n| 6.2 | Critical Process Automation | 6 - Automation and Orchestration | DoD organizations employ automation methods, such as RPA, to address repetitive, predictable tasks for critical functions such as data enrichment, security controls, and incident response workflows according to system security engineering principles. | DoD organizations employ automation methods, such as RPA, to address repetitive, predictable tasks for critical functions such as data enrichment, security controls, and incident response workflows according
to system security engineering principles | Response time and capability is increased with orchestrated workflows and risk management processes | * Task Automation Analysis
* Enterprise Integration & Workflow Provisioning Pt1
* Enterprise Integration & Workflow Provisioning Pt2 |\r\n| 6.3 | Machine Learning | 6 - Automation and Orchestration | DoD organizations employ ML to execute (and enhance execution of) critical functions such as incident response, anomaly detection, user baselining, and data tagging. | DoD organizations employ ML to execute (and enhance execution of) critical functions such as incident response, anomaly detection, user
baselining, and data tagging | Response time and capability is increased with orchestrated workflows and risk management processes | * Implement Data Tagging & Classification ML Tools |\r\n| 6.4 | Artificial Intelligence | 6 - Automation and Orchestration | DoD organizations employ AI to execute (and enhance execution of) critical functions - particularly risk and access determinations and environmental analysis. | DoD organizations employ AI to execute (and enhance execution of) critical functions - particularly risk and access determinations and environmental analysis | Response time and capability is increased with orchestrated workflows and risk management processes | * Implement AI automation tools
* AI Driven by Analytics decides A&O modifications |\r\n| 6.5 | Security Orchestration, Automation & Response (SOAR) | 6 - Automation and Orchestration | DoD organizations achieve initial operational capability of security technologies to orchestrate and automate policies (e.g., PEPs and PDPs) and rulesets to improve security operations, threat and vulnerability management, and security incident response by ingesting alert data, triggering playbooks for automated response and remediation. | DoD organizations achieve IOC of security technologies to orchestrate and automate policies (e.g., PEPs and PDPs) and rulesets to improve security operations, threat and vulnerability management, and security incident response by ingesting alert data, triggering playbooks for automated response and
remediation | Pre-defined playbooks from collection to incident response and triage enables initial process automation that accelerates a security team's decision and response speed | * Response Automation Analysis
* Implement SOAR Tools
* Implement Playbooks |\r\n| 6.6 | API Standardization | 6 - Automation and Orchestration | DoD establishes and enforces enterprise-wide programmatic interface (e.g., API ) standards; all non-compliant APIs are identified and replaced. | DoD establishes and enforces enterprise-wide API standards; all non-compliant APIs are identified and replaced | Standardizing APIs across the department improves application interfaces, enabling orchestration, and enhancing interoperability | * Tool Compliance Analysis
* Standardized API Calls & Schemas Pt1
* Standardized API Calls & Schemas Pt2 |\r\n| 6.7 | Security Operations Center (SOC) & Incident Response (IR) | 6 - Automation and Orchestration | In the event a computer network defense service provider (CNDSP) does not exist, DoD organizations define and stand up security operations centers (SOC) to deploy, operate, and maintain security monitoring, protections and response for DAAS; SOCs provide security management visibility for status (upward visibility) and tactical implementation (downward visibility).
Workflows within the SOC are automated using automation tooling and enrichment occurs between service providers and
technologies. | In the event a CNDSP does not exist, DoD organizations define and stand up SOCs to deploy, operate, and maintain security monitoring, protections and response for DAAS; SOCs provide security management visibility for status (upward visibility) and tactical implementation (downward visibility) | Standardized, coordinated, and accelerated incident response and investigative efforts | * Workflow Enrichment Pt1
* Workflow Enrichment Pt2
* Workflow Enrichment Pt3
* Automated Workflow |\r\n| 7.1 | Log All Traffic (Network, Data, Apps, Users) | 7 - Visibility and Analytics | DoD organizations collect and process all logs including network, data, application, device, and user logs and make those logs available to the appropriate Computer Network Defense Service Provider (CNDSP) or security operations center (SOC). Logs and events follow a standardized format and rules/analytics are
developed as needed. | DoD organizations collect and process all logs including network, data, application, device, and user logs and make those logs available to the appropriate Computer Network Defense Service Provider (CNDSP) or SOC | Foundational to the development of automated hunt and incident response playbooks | * Scale Considerations
* Log Parsing
* Log Analysis |\r\n| 7.2 | Security Information and Event Management (SIEM) | 7 - Visibility and Analytics | Computer Network Defense Service Provider (CNDSP) or security operations centers (SOC) monitor, detect, and analyze data logged into a security information and event management (SIEM) tool.
User and device baselines are created using security controls and integrated with the SIEM. Alerting within the SIEM is matured over the phases to support more advanced data points (e.g., Cyber Threat Intel, Baselines, etc.) | CNDSPs/SOCs monitor, detect, and analyze data logged into a security information and event management (SIEM) tool | Processing and exploiting data in the SIEM enables effective security analysis of anomalous user behavior, alerting, and automation of relevant incident response to common threat events | * Threat Alerting Pt1
* Threat Alerting Pt2
* Threat Alerting Pt3
* Asset ID & Alert Correlation
* User/Device Baselines |\r\n| 7.3 | Common Security and Risk Analytics | 7 - Visibility and Analytics | Computer Network Defense Service Provider (CNDSP) or security operations centers (SOC) employ data tools across their enterprises for multiple data types to unify data collection and examine events, activities, and behaviors. | CNDSPs/SOCs employ big data tools across their enterprises for multiple data types to unify data collection and examine events, activities, and behaviors | Analysis integrated across multiple data types to examine event, activities, and behaviors | * Implement Analytics Tools
* Establish User Baseline Behavior |\r\n| 7.4 | User and Entity Behavior Analytics | 7 - Visibility and Analytics | DoD organizations initially employ analytics to profile and baseline activity of users and entities and to correlate user activities and behaviors and detect anomalies. Computer Network Defense Service Provider (CNDSP) or security operations centers (SOC) mature this capability through the employment of advanced analytics to profile and baseline activity of users and entities and to correlate user activities and behaviors, and detect anomalies. | DoD organizations initially employ analytics to profile and baseline activity of users and entities and to correlate user activities and behaviors, and detect anomalies. CNDSPs/SOCs mature this capability through the employment of advanced analytics to profile and baseline activity of users and entities and to correlate user activities and behaviors, and detect anomalies | Advanced analytics support detection of anomalous users, devices, and NPE actions and advanced threats | * Baseline & Profiling Pt1
* Baseline & Profiling Pt2
* UEBA Baseline Support Pt1
* UEBA Baseline Support Pt2 |\r\n| 7.5 | Threat Intelligence Integration | 7 - Visibility and Analytics | Computer Network Defense Service Provider (CNDSP) or security operations centers (SOC) integrate threat intelligence information and streams about identities, motivations, characteristics, and tactics, techniques and procedures (TTPs) with data collected in the SIEM. | CNDSPs/SOCs integrate threat intelligence information and streams about identities, motivations, characteristics, and tactics, techniques and procedures (TTPs) with data collected in the SIEM | Integrating threat intelligence into other SIEM data enhances monitoring efforts and incident response | * Cyber Threat Intelligence Program Pt1
* Cyber Threat Intelligence Program Pt2 |\r\n| 7.6 | Automated Dynamic Policies | 7 - Visibility and Analytics | DoD Organization ML & AI solutions dynamically and automatically update security profiles and device configuration through continuous security posture monitoring, risk and confidence scoring, and automated patch management. | CNDSPs/SOCs dynamically and automatically update security profiles and device configuration through continuous security posture monitoring, risk and confidence scoring, and automated patch
management | Users and NPEs are denied access based on automated, real-time security profiles based on external conditions and evolving risk and confidence scores | * AI-enabled Network Access
* AI-enabled Dynamic Access Control |", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "DoDZT", + "comparison": "isEqualTo", + "value": "Capabilities" + }, + "name": "ZTCapabilities" + }, + { + "type": 1, + "content": { + "json": "## DoD Zero Trust Activities (152) ##\r\n\r\n| ID# | Activity Name | Associated Capability | Phase | Duration (months) | Descriptions | Outcomes | Controls | Predecessor(s) | Successor(s) |\r\n|-------|---------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------|-----------------|-------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|\r\n| 1.1.1 | Inventory User | 1.1 User Inventory | Target Level ZT | 25.9 | DoD Organizations establish and update a user inventory manually if needed, preparing for automated approach in later stages. Accounts both centrally managed by an IdP/ICAM and locally on systems will be identified and inventoried. Privileged accounts will be identified for future audit and both standard and privileged user accounts local to applications and systems will be identified for future migration and/or decommission. | Identified Managed Regular Users; Identified Managed Privileged Users; Identified applications using their own user account management for non-administrative and administrative accounts | | | |\r\n| 1.2.1 | Implement App Based Permissions per Enterprise | 1.2 Conditional User Access | Target Level ZT | 17.7 | The DoD enterprise working with the Organizations establishes a basic set of user attributes for authentication and authorization. These are integrated with the β€œEnterprise Identity Life-Cycle Management Pt1” activity process for a complete enterprise standard. The enterprise Identity, Credential and Access Management (ICAM) solution is enabled for self-service functionality for adding/updating attributes within the solution. Remaining Privileged Access Management (PAM) activities are fully migrated to PAM solution. 
| Enterprise roles/attributes needed for user authorization to application functions and/or data have been registered with enterprise ICAM; DoD Enterprise ICAM has self-service attribute/role registration service that enables application owners to add attributes or use existing enterprise attributes; Privileged activities are fully migrated to PAM | | | |\r\n| 1.2.2 | Rule Based Dynamic Access Pt1 | 1.2 Conditional User Access | Target Level ZT | 22.1 | DoD Organizations utilize the rules from the β€œPeriodic Authentication” activity to build basic rules enabling and disabling privileges dynamically. High-risk user accounts utilize the PAM solution to move to dynamic privileged access using Just-In-Time access and Just-Enough Administration methods. | Access to application’s/service’s functions and/or data are limited to users with appropriate enterprise attributes; All possible applications use JIT/JEA permissions for administrative users | | Single Authentication | Rule Based Dynamic Access Pt2; AI- enabled Network Access |\r\n| 1.2.3 | Rule Based Dynamic Access Pt2 | 1.2 Conditional User Access | Advanced ZT | 15.5 | DoD Organizations expand the development of rules for dynamic access decision making accounting for risk. Solutions used for dynamic access are integrated with cross pillar Machine Learning and Artificial Intelligence functionality enabling automated rule management. | Components and services are fully utilizing rules to enable dynamic access to applications and services; Technology utilized for Rule Based Dynamic Access supports integration with AI/ML tooling | | Rule Based Dynamic Access Pt1; File Activity Monitoring Pt2 | |\r\n| 1.2.4 | Enterprise Gov't roles and Permissions Pt1 | 1.2 Conditional User Access | Advanced ZT | 11.6 | DoD Organizations federate remaining user and group attributes as appropriate to the Enterprise Identity, Credential and Access Management (ICAM) solution. 
The updated attribute set is used to create universal roles for Organizations to use. Core functions of the Identity Provider (IdP) and Identity, Credential and Access Management (ICAM) solutions are migrated to cloud services and/or environments enabling improved resilience and performance. | Component attribute and role data repository federated with enterprise ICAM; Cloud-based enterprise IdP can be used by cloud and on-premises applications; A standardized set of roles and permissions are created and aligned to attributes | | | Enterprise Gov't roles and Permissions Pt2 |\r\n| 1.2.5 | Enterprise Gov't roles and Permissions Pt2 | 1.2 Conditional User Access | Advanced ZT | 11.2 | DoD Organizations move all possible functions of the Identity Provider (IdP) and Identity, Credential and Access Management (ICAM) solutions to cloud environments. Enclave/DDIL environments local capabilities to support disconnected functions but ultimately are managed by the centralized Identity, Credential and Access Management (ICAM) solutions. Updated roles are now mandated for usage and exceptions are reviewed following a risk-based approach. | Majority of components utilize cloud IdP functionality Where possible on-prem IdP is decommissioned; Permissions and roles are mandated for usage when evaluating attributes | | Enterprise Gov't roles and Permissions Pt1 | |\r\n| 1.3.1 | Organizational MFA/IDP | 1.3 Multi-Factor Authentication (MFA) | Target Level ZT | 10.6 | DoD Organizations procure and implement a centralized Identity Provider (IdP) solution and Multi-Factor (MFA) solution. The IdP and MFA solution may be combined in a single application or separated as needed assuming automated integration is supported by both solutions. Both IdP and MFA support integration with the Enterprise PKI capability as well enabling key pairs to be signed by the trusted root certificate authorities. 
Mission/Task-Critical applications and services are utilizing the IdP and MFA solution for management of users and groups. | Component is using IdP with MFA for critical applications/services; Components have implemented an Identity Provider (IdP) that enables DoD PKI multifactor authentication; Organizational Standardized PKI for critical services | | | Alternative Flexible MFA Pt1 |\r\n| 1.3.2 | Alternative Flexible MFA Pt1 | 1.3 Multi-Factor Authentication (MFA) | Advanced ZT | 17.4 | DoD Organization’s Identity Provider (IdP) supports alternative methods of multi-factor authentication complying with Cyber Security requirements (e.g., FIPS 140-2, FIPS 197, etc.). Alternative tokens can be used for application-based authentication. Multi-Factor options support Biometric capability and can be managed using a self-service approach. Where possible multi-factor provider(s) is moved to cloud services instead of being hosted on-premise. | IdP provides user self-service alternative token; IdP provides alt token MFA for approved applications per policy | | Organizational MFA/IDP | Alternative Flexible MFA Pt2 |\r\n| 1.3.3 | Alternative Flexible MFA Pt2 | 1.3 Multi-Factor Authentication (MFA) | Advanced ZT | 14.6 | Alternative tokens utilize user activity patterns from cross pillar activities such as \"User Activity Monitoring (UAM) and User & Entity Behavior Analytics (UEBA)\" to assist with access decision making (e.g., not grant access when pattern deviation occurs). This functionality is further extended onto Biometric enabled alternative tokens as well. | User Activity Patterns Implemented | | Alternative Flexible MFA Pt1 | |\r\n| 1.4.1 | Implement System and Migrate Privileged Users Pt1 | 1.4 Privileged Access Management (PAM) | Target Level ZT | 12.4 | DoD Organizations procure and implement a Privileged Access Management (PAM) solution support all critical privileged use cases. 
Application/Service integration points are identified to determine status of support for the PAM solution. Applications/Services that easily integrate with PAM solution are transitioned over to using solution versus static and direct privileged permissions. | Privilege Access Management (PAM) tooling is implemented; applications and devices that support and do not support PAM tools identified; Applications that support PAM, now use PAM for controlling emergency/built-in accounts | MA-5 (1) individuals without appropriate access | | Implement System and Mitigate Privileged Users Pt2 |\r\n| 1.4.2 | Implement System and Migrate Privileged Users Pt2 | 1.4 Privileged Access Management (PAM) | Target Level ZT | 14.4 | DoD Organizations utilize the inventory of supported and unsupported Applications/Services for integration with privileged access management (PAM) solution to extend integrations. PAM is integrated with the more challenging Applications/Services to maximize PAM solution coverage. Exceptions are managed in a risk-based methodical approach with the goal of migration off and/or decommissioning Applications/Services that do not support PAM solution. | Privileged activities are migrated to PAM and access is fully managed | | Implement System and Mitigate Privileged Users Pt1 | Real time Approvals & JIT/JEA Analytics Pt1 |\r\n| 1.4.3 | Real time Approvals & JIT/JEA Analytics Pt1 | 1.4 Privileged Access Management (PAM) | Advanced ZT | 12.5 | Identification of necessary attributes (Users, Groups, etc.) are automated and integrated into the Privileged Access Management (PAM) solution. Privilege access requests are migrated to the PAM
solution for automated approvals and denials. | Identified accounts, applications, devices, and data of concern (of greatest risk to DoD mission); Using PAM tools, applied JIT/JEA access to high-risk accounts; Privileged
access requests are automated as appropriate | IA-12 (4) in-person validation and verification; AC-3 (14) individual access; CM-8 (4) accountability information; | Implement System and Mitigate Privileged Users Pt2 | Real time Approvals & JIT/JEA Analytics Pt2 |\r\n| 1.4.4 | Real time Approvals & JIT/JEA Analytics Pt2 | 1.4 Privileged Access Management (PAM) | Advanced ZT | 8.9 | DoD Organizations integrate User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions with the Privileged Access Management (PAM) solution providing user pattern analytics for decision making. | UEBA or similar analytic system integrated with PAM tools for JIT/JEA account approvals | IA-4 (5) dynamic management; AC-2 (6) dynamic account management | Real time Approvals & JIT/JEA Analytics Pt1 | |\r\n| 1.5.1 | Organizational Identity Life-Cycle Management | 1.5 Identity Federation & User Credentialing | Target Level ZT | 14.8 | DoD Organizations establish a process for life cycle management of users both privileged and standard. Utilizing the Organizational Identity Provider (IdP) the process is implemented and followed by the maximum number of users. Any users who fall outside of the standard process are approved through risk-based exceptions to be evaluated regularly for decommission. | Standardized Identity Lifecycle Process | MA-5 (1) individuals without appropriate access | | Enterprise Identity Life-cycle Management Pt1 |\r\n| 1.5.2 | Enterprise Identity Life- Cycle Management Pt1 | 1.5 Identity Federation & User Credentialing | Target Level ZT | 11.7 | The DoD Enterprise works with Organizations to review and align the existing Identity Lifecycle Processes, policy, and standards. A finalized agreed upon policy and supporting process are developed and followed by the DoD Organizations. 
Utilizing the centralized or federated Identity Provider (IdP) and Identity & Access Management (IdAM) solutions, DoD Organizations implement the Enterprise Lifecycle Management process for the maximum number of identities, groups, and permissions. Exceptions to the policy are managed in a risk based methodical approach. | Automated Identity Lifecycle Processes; Integrated with Enterprise ICAM process and tools | | Organization Identity Life-cycle Management | Enterprise Identity Life-cycle Management Pt2 |\r\n| 1.5.3 | Enterprise Identity Life- Cycle Management Pt2 | 1.5 Identity Federation & User Credentialing | Advanced ZT | 12.8 | DoD Organizations further integrate the critical automation functions of the Identity Provider (IdP) and Identity, Credential and Access Management (ICAM) solutions following the Enterprise Lifecycle Management process to enable Enterprise automation and analytics.
Identity Lifecycle Management primary processes are integrated into
the cloud-based Enterprise ICAM solution. | Integration w/ Critical IDM/IDP functions; Primary ILM functions are cloud based | | Enterprise Identity Life-cycle Management Pt1 | Enterprise Identity Life-cycle Management Pt3 |\r\n| | | | | | | | | | |\r\n| 1.5.4 | Enterprise Identity Life- Cycle Management Pt3 | 1.5 Identity Federation & User Credentialing | Advanced ZT | 9.2 | DoD Organizations integrate remaining Identity Lifecycle Management processes with the Enterprise Identity, Credential and Access Management solution. Enclave/DDIL environments while still authorized to operate integrate with the Enterprise ICAM using local connectors to the cloud environment. | All ILM functions moved to cloud as appropriate; Integration with all IDM/IDP functions | | Enterprise Identity Life-cycle Management Pt2 | |\r\n| 1.6.1 | Implement User & Entity Behavior Activity (UEBA) and User Activity Monitoring (UAM) Tooling | 1.6 Behavioral, Contextual ID, and
Biometrics | Target Level ZT | 15.9 | DoD Organizations procure and implement User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions. Initial integration point with Enterprise IdP is completed enabling future usage in decision making. | UEBA and UAM functionality is implemented for Enterprise IDP | | | Establish User Baseline Behavior; Baseline & Profiling Pt1 |\r\n| 1.6.2 | User Activity Monitoring Pt1 | 1.6 Behavioral, Contextual ID, and
Biometrics | Advanced ZT | 13.5 | DoD Organizations integrate User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions with Organizational Identity Providers (IdP) for extended visibility as needed. Analytics and data generated by UEBA and UAM for critical applications/services are integrated with the Just-in-Time and Just-Enough-Access solution improving decision making further. | UEBA is integrated with Org IDPs as appropriate; UEBA is integrated with JIT/JEA for critical services | | User/Device Baselines | User Activity Monitoring Pt2 |\r\n| 1.6.3 | User Activity Monitoring Pt2 | 1.6 Behavioral, Contextual ID, and
Biometrics | Advanced ZT | 11.2 | DoD Organizations continue the analytics usage from User & Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) solutions by using generated data for all monitored applications and services when decision making occurs in the Just-in-Time and Just- Enough-Access solution. | UEBA/Entity Monitoring is integrated with JIT/JEA for all services | | User Activity Monitoring Pt1 | Real-Time Access Decisions; AI- enabled Dynamic Access Control; Enrich Attributes for Resource Authorization Pt1; AI-enabled Network Access |\r\n| 1.7.1 | Deny User by Default Policy | 1.7 Least Privileged Access | Target Level ZT | 22.7 | DoD Organizations audit internal user and group usage for permissions and revoke permissions when possible. This activity includes the revocation and/or decommission of excess permissions and access for application/service-based identities and groups. Where possible static privileged users are decommissioned or reduced permissions preparing for future rule/dynamic based access. | Applications updated to deny by default to functions/data requiring specific roles/attributes for access; Reduced default permissions levels are implemented; Applications/services have reviewed/audited all privileged users and removed those users who do not need that level of access; Applications' identify functions and data requiring specific roles/attributes for access | AC-17 (10) authenticate remote commands; SC-7 (15) networked privileged access | | |\r\n| 1.8.1 | Single Authentication | 1.8 Continuous Authentication | Target Level ZT | 19.2 | DoD Organizations employ basic authentication processes to authenticate users and NPEs at least once per session (e.g., logon). Importantly users being authenticated are managed by the parallel activity β€œOrganizational MFA/IDP” with the Organizational Identity Provider (IdP) versus using application/service-based identities and groups. 
| Authentication implemented across applications per session | | | Periodic Authentication; Rule Based Dynamic Access Pt1 |\r\n| 1.8.2 | Periodic Authentication | 1.8 Continuous Authentication | Target Level ZT | 25.4 | DoD Organizations enable period authentication requirements for applications and services. Traditionally these are based on duration and/or duration timeout but other period based analytics can be used to mandate re-authentication of user sessions. | Authentication implemented multiple times per session based on security attributes | | Single Authentication | Continuous Authentication Pt1; AI- enabled Network Access |\r\n| 1.8.3 | Continuous Authentication Pt 1 | 1.8 Continuous Authentication | Advanced ZT | 16.8 | DoD Organizations’ applications/service utilize multiple session authentications based on security attributes and access requested. Privilege changes and associational transaction requests required additional levels of authentication such as Multi-Factor Authentication (MFA) pushes to users. | Transaction authentication implemented per session based on security attributes | | Periodic Authentication | Continuous Authentication Pt2 |\r\n| 1.8.4 | Continuous Authentication Pt 2 | 1.8 Continuous Authentication | Advanced ZT | 16.8 | DoD Organizations continue usage of transaction-based authentication to include integration such as user patterns. | Transaction authentication implemented per session based on security attributes | | Continuous Authentication Pt1 | Real-Time Access Decisions; AI- enabled Dynamic Access Control |\r\n| 1.9.1 | Enterprise PKI/IDP Pt1 | 1.9 Integrated ICAM Platform | Target Level ZT | 12.4 | The DoD Enterprise works with Organizations to implement Enterprise Public Key Infrastructure (PKI) and Identity Provider (IdP) solutions in a centralized and/or federated fashion. 
The Enterprise PKI solution utilizes a single or set of Enterprise level Root Certificate Authorities (CA) which can then be trusted by Organizations to build Intermediate CA’s off. The Identity Provider solution may either be a single solution or federated set of Organizational IdPs with standard level of access across Organizations and standardized set of attributes. Organizations’ IdPs and PKI Certificated Authorities are integrated with the Enterprise IdP and PKI solutions. | Components are using IdP with MFA for all applications/services; Organizational MFA/PKI integrated with Enterprise MFA/PKI; Organizational Standardized PKI for all services | | | Enterprise PKI/IDP Pt2 |\r\n| 1.9.2 | Enterprise PKI/IDP Pt2 | 1.9 Integrated ICAM Platform | Advanced ZT | 27.2 | DoD Organizations enable Biometric support in the Identity Provider (IdP) for mission/task-critical applications and services as appropriate. Biometric functionality is moved from Organizational solutions to the Enterprise. Organizational Multi-Factor (MFA) and Public Key Infrastructure (PKI) is decommissioned and migrated to the Enterprise as appropriate. | Critical Organizational Services Integrated w/ Biometrics; Decommission organizational MFA/PKI as appropriate in leu of enterprise MFA/PKI; Enterprise Biometric Functions Implemented | | Enterprise PKI/IDP Pt1 | Enterprise PKI/IDP Pt3 |\r\n| 1.9.3 | Enterprise PKI/IDP Pt3 | 1.9 Integrated ICAM Platform | Advanced ZT | 30.0 | DoD Organizations integrate the remaining applications/services with Biometrics functionalities. Alternative Multi-Factor (MFA) tokens can be used. | All Organizational Services Integrate w/ Biometrics | | Enterprise PKI/IDP Pt2 | |\r\n| 2.1.1 | Device Health Tool Gap Analysis | 2.1 Device Inventory | Target Level ZT | 9.8 | DoD Organizations develop a manual inventory of devices within the environment. Device attributes tracked in the inventory enable functionality outlined in the ZTA target level. 
| Manual inventory of devices is created per organization w/ owners | | | |\r\n| 2.1.2 | NPE/PKI, Device under Management | 2.1 Device Inventory | Target Level ZT | 22.8 | DoD Organizations utilize the DoD Enterprise PKI solution/service to deploy x509 certificates to all supported and managed devices. Additional other Non-Person Entities (NPEs) that support x509
certificates are assigned in the PKI and/or IdP systems. | Non-person entities are managed via Org PKI and Org IDP | | Enterprise Device Management Pt1 | Implement C2C/Compliance Based Network Authorization Pt1; Enterprise PKI Pt1; Deny Device by
Default Policy |\r\n| 2.1.3 | Enterprise IDP Pt1 | 2.1 Device Inventory | Target Level ZT | 12.8 | The DoD Enterprise Identity Provider (IdP) either using a centralized technology or federated organizational technologies integrates Non- Person Entities (NPEs) such as devices and service accounts.
Integration is tracked in the Enterprise Device Management solution when applicable as to whether it is integrated or not. NPEs not able to be integrated with the IdP are either marked for retirement or
excepted using a risk based methodical approach. | NPEs including devices are integrated with Enterprise IDP | IA-3 (4) device attestation | | Enterprise IDP Pt2 |\r\n| 2.1.4 | Enterprise IDP Pt2 | 2.1 Device Inventory | Advanced ZT | 8.8 | The DoD Enterprise Identity Provider (IdP) either using a centralized technology or federated organizational technologies adds additional dynamic attributes for NPEs such as location, usage patterns, etc. | Conditional device attributes are part of the IdP profile | | Enterprise IDP Pt1 | |\r\n| 2.2.1 | Implement C2C/Compliance Based Network Authorization Pt1 | 2.2 Device Detection and Compliance | Target Level ZT | 9.4 | The DoD Enterprise working with the Organizations develops a policy, standard and requirements for Comply to Connect. Once agreement is reached solution procurement is started, a vendor(s) is selected, and implementation begins with base level functionality in ZT Target environments (low risk). Base level checks are implemented in the new Comply to Connection solution enabling the ability to meet ZTA target functionalities. | C2C is enforced at the enterprise level for low risk and testing environments; Basic devices checks are implemented using C2C | AC-20 (5) network accessible storage devices – prohibited use | NPE/PKI Device Under Management; Integrate NextGen AV Tools with C2C; Managed and Limited BYOD & IOT Support; Implement Asset, Vulnerability and Patch Management Tools | Implement C2C/Compliance Based Network Authorization Pt2 |\r\n| 2.2.2 | Implement C2C/Compliance Based Network Authorization Pt2 | 2.2 Device Detection and Compliance | Advanced ZT | 18.2 | DoD Organizations expand the deployment and usage of Comply to Connect to all supported environments required to meet ZT advanced functionalities. Comply to Connect teams integrate their solution(s) with the Enterprise IdP and Authorization Gateways to better manage access and authorizations to resources. 
| C2C is enforced in all supported environments; Advanced devices checks are completed and integrated with dynamic access (Enterprise IDP / ZTNA) | | Implement C2C/Compliance Based Network Authorization Pt1; Fully Integrate Device Security Stack w/ C2C as appropriate | Real-Time Access Decisions |\r\n| 2.3.1 | Entity Activity Monitoring Pt1 | 2.3 Device Authorization w/ Real Time Inspection | Advanced ZT | 16.4 | Using the developed User and Device baselines, DoD Organizations utilize the implemented User and Entity Behavioral Activity (UEBA) solution to integrate baselines. UEBA device attributes and baselines are available to be used for device authorization detections. | UEBA attributes are integrated for device baselining; UEBA attributes are available for usage with device access | | User/Device Baselines; Implement User & Entity Behavior Activity (UEBA); User Activity Monitoring Tooling | Entity Activity Monitoring Pt2 |\r\n| 2.3.2 | Entity Activity Monitoring Pt2 | 2.3 Device Authorization w/ Real Time Inspection | Advanced ZT | 16.7 | DoD Organizations utilize the User and Entity Behavioral Activity (UEBA) solution with network access solutions to mandate UEBA attributes (e.g., device health, logon patterns, etc.) for accessing environments and resources. | UEBA attributes are mandated for device access | | Entity Activity Monitoring Pt1 | Real-Time Access Decisions; AI- enabled Dynamic Access Control; Enrich Attributes for Resource Authorization Pt1; AI-enabled Network Access |\r\n| 2.3.3 | Implement Application Control & File Integrity Monitoring (FIM) Tools | 2.3 Device Authorization w/ Real Time Inspection | Target Level ZT | 16.2 | DoD Organizations procure and implement File Integrity Monitoring (FIM) and Application Control solutions. FIM continues development and expansion of monitoring in the Data Pillar. Application Control is deployed to low-risk environments in a monitor only mode establishing baseline allowances. 
Application control teams being integration with the Enterprise and Organization PKI environments utilize certificates for application allowances. NextGen AV covers all possible services and applications. | AppControl and FIM tooling is implemented on all critical services/applications; EDR tooling covers maximum amount of services/applications; AppControl and FIM data is sent to C2C as needed | | | |\r\n| 2.3.4 | Integrate NextGen AV Tools with C2C | 2.3 Device Authorization w/ Real Time Inspection | Target Level ZT | 18.5 | DoD Organizations procure and implement Next Generation Anti-Virus & Anti-Malware solutions as needed. These solutions are integrated with the initial deployment of Comply to Connect for baseline status checks of signatures, updates, etc. | Critical NextGen AV data is being sent to C2C for checkslll;
NextGen AV tooling is implemented on all critical
services/applicationslll | | | Implement C2C/Compliance Based Network Authorization Pt1 |\r\n| 2.3.5 | Fully Integrate Device Security stack with C2C as appropriate | 2.3 Device Authorization w/ Real Time Inspection | Advanced ZT | 13.3 | DoD Organizations continue the deployment of Application Control to all environments and in prevention mode. File Integrity Monitoring (FIM) and Application Controls analytics are integrated into Comply to Connect for expanded access decision making data points. Comply to Connect analytics are evaluated for further device/endpoint security stack data points such as UEDM and are integrated as necessary. | AppControl and FIM deployment is expanded to all necessary services/applications; Remaining data from Device Security tooling is implemented with C2C | | | Implement C2C/Compliance Based Network Authorization Pt2; Managed and Full BYOD & IOT Support Pt2 |\r\n| 2.3.6 | Enterprise PKI Pt1 | 2.3 Device Authorization w/ Real Time Inspection | Advanced ZT | 22.7 | The DoD Enterprise Public Key Infrastructure (PKI) is expanded to include the addition of NPE and device certificates. NPEs and device that do not support PKI certificates are marked for retirement and decommission starts. | Devices that are unable to have certificates are phased out and/or moved to minimal access environments; All devices and NPEs have certs installed for authentication in the Enterprise PKI | | Implement UEDM or equivalent Tools; NPE/PKI Device Under Management | Enterprise PKI Pt2 |\r\n| 2.3.7 | Enterprise PKI Pt2 | 2.3 Device Authorization w/ Real Time Inspection | Advanced ZT | 10.5 | DoD Organizations utilize certificates for device authentication and machine to machine communications. Unsupported devices complete retirement and exceptions are approved using a risk based methodical approach. 
| Devices are required to authenticate to communicate with other services and devices | | Enterprise PKI Pt1 | |\r\n| 2.4.1 | Deny Device by Default Policy | 2.4 Remote Access | Target Level ZT | 9.6 | DoD Organizations block all unmanaged remote and local device access to resources. Compliant managed devices are provided risk based methodical access following ZTA target level concepts. | Components can block device access by default to resources (apps/data) and explicitly allow compliant devices per policy; Remote Access is enabled following a \"deny device by default policy\" approach | | NPE/PKI Device Under Management | |\r\n| 2.4.2 | Managed and Limited BYOD & IOT Support | 2.4 Remote Access | Target Level ZT | 39.7 | DoD Organizations utilize Unified Endpoint and Device Management (UEDM) and similar solutions to ensure that managed Bring Your Own Device (BYOD) and Internet of Things (IoT) devices are fully integrated with Enterprise IdP enable user and device-based authorization are supported. Device access for all applications requires dynamic access policies. | All applications require dynamic permissions access for devices; BYOD and IOT device permissions are baselined and integrated with Enterprise IDP | | | Implement C2C/Compliance Based Network Authorization Pt1; Managed and Full BYOD & IOT Support Pt1 |\r\n| 2.4.3 | Managed and Full BYOD & IOT Support Pt1 | 2.4 Remote Access | Advanced ZT | 24.7 | DoD Organizations utilize Unified Endpoint and Device Management (UEDM) and similar solutions to enable access for managed and approved devices to Mission and Operational Critical services/applications using dynamic access policies. BYOD and Internet of Things (IoT) devices are required to meet standard baseline checks before authorization. 
| Only BYOD and IOT devices that meet mandated configuration standards allowed to access resources; Critical Services require dynamic access for devices | | Managed and Limited BYOD & IOT Support | Managed and Full BYOD & IOT Support Pt2 |\r\n| 2.4.4 | Managed and Full BYOD & IOT Support Pt2 | 2.4 Remote Access | Advanced ZT | 24.6 | DoD Organizations utilize Unified Endpoint and Device Management (UEDM) and similar solutions to enable access for unmanaged devices meeting device checks and standard baselines. All possible services/applications are integrated to allow access to managed devices. Unmanaged devices are integrated with services/applications based on risk driven methodical authorization approach. | All possible services require dynamic access for deviceslll | | Fully Integrate Device Security Stack w/ C2C as appropriate; Managed and Full BYOD & IOT Support Pt1 | |\r\n| 2.5.1 | Implement Asset, Vulnerability and Patch Management Tools | 2.5 Partially & Fully Automated Asset,
Vulnerability and Patch Management | Target Level ZT | 18.4 | DoD Organizations implement solution(s) for managing assets/devices configurations, vulnerabilities, and patches. Using minimum compliance standards (e.g., STIGs, etc.) teams can confirm or deny managed device compliance. As part of the procurement and implementation process for solutions, APIs or other programmatic interfaces will be in scope for future levels of automation and integration. | Components can confirm if devices meet minimum compliance standards or not; Components have asset management, vulnerability, and patching systems with APIs that will enable integration across the systems | | | Implement C2C/Compliance Based Network Authorization Pt1 |\r\n| 2.6.1 | Implement UEDM or equivalent Tools | 2.6 Unified Endpoint Management (UEM) &
Mobile Device Management (MDM) | Target Level ZT | 18.1 | DoD Organizations will work closely with the β€œImplement Asset, Vulnerability, and Patch Management tools” activity to procure and implement and Unified Endpoint and Device Management (UEDM) solution ensuring that requirements are integrated with the procurement process. Once a solution is procured the UEDM team(s) ensure that critical ZT target functionalities such as minimum compliance, asset management, and API support are in place. | Components can confirm if devices meet minimum compliance standards or not; Components have asset management system(s) for user devices (phones, desktops, laptops) that maintains IT compliance, which is reported up to DoD enterprise; Components asset management systems can programmatically, i.e., API, provide device compliance status and if it meets minimum standards | AC-7 (2) purge or wipe mobile device | | Enterprise PKI Pt1 |\r\n| 2.6.2 | Enterprise Device Management Pt1 | 2.6 Unified Endpoint Management (UEM) &
Mobile Device Management (MDM) | Target Level ZT | 17.6 | DoD Organizations migrate the manual device inventory to an automated approach using the Unified Endpoint and Device Management solution. Approved devices are able to be managed regardless of location. Devices part of critical services are mandated to be managed by the Unified Endpoint and Device Management solution supporting automation. | Manual inventory is integrated with an automated management solution for critical services; Enable ZT Device Management (from any location with or without remote access) | | | NPE/PKI Device Under Management; Enterprise Device Management Pt2 |\r\n| 2.6.3 | Enterprise Device Management Pt2 | 2.6 Unified Endpoint Management (UEM) &
Mobile Device
Management (MDM) | Target Level ZT | 12.6 | DoD Organizations migrate the remaining devices to Enterprise Device Management solution. EDM solution is integrated with risk and compliance solutions as appropriate. | Manual inventory is integrated with an automated management solution for all services | | Enterprise Device Management Pt1 | |\r\n| 2.7.1 | Implement Endpoint Detection & Response (EDR) Tools and Integrate with C2C | 2.7 Endpoint & Extended Detection & Response (EDR & XDR) | Target Level ZT | 16.5 | DoD Organizations procure and implement Endpoint Detection and Response (EDR) solution(s) within environments. EDR is protecting, monitoring, and responding to malicious and anomalous activities enabling ZT Target functionality and is sending data to the Comply to Connection solution for expanded device and user checks. | Endpoint Detection & Response Tooling is implemented ; Critical EDR data is being sent to C2C for checks; NextGen AV tooling covers maximum amount of services/applications | | | Implement Extended Detection & Response (XDR) & Integrate w/ C2C Pt 1 |\r\n| 2.7.2 | Implement Extended Detection & Response (XDR) Tools and Integrate with C2C Pt1 | 2.7 Endpoint & Extended Detection & Response (EDR & XDR) | Target Level ZT | 19.2 | DoD Organizations procure and implement Extended Detection & Response (XDR) solution(s). Integration points with cross pillar capabilities are identified and prioritized based on risk. The riskiest of these integration points are actioned and integration is started. EDR continues coverage of endpoints to include the maximum number of services and applications as part of the XDR implementation. Basic analytics are sent from the XDR solution stack to the SIEM. 
| Integration Points have been identified per Capability; Riskiest integration points have been integrated w/ XDR; Basic alerting is in place with SIEM and/or other mechanisms | | Implement Endpoint Detection & Response (EDR) Tools & Integrate w/ C2C; Threat Alerting Pt1 | Implement Extended Detection & Response (XDR) & Integrate w/ C2C Pt 2 |\r\n| 2.7.3 | Implement Extended Detection & Response (XDR) Tools and Integrate with C2C Pt2 | 2.7 Endpoint & Extended Detection & Response (EDR & XDR) | Advanced ZT | 19.9 | XDR solution stack completes identification of integration points expanding coverage to the fullest amount possible. Exceptions are tracked and managed using a risk based methodical approach for continued operation. Extended analytics enabling ZT Advanced functionalities are integrated into the SIEM and other appropriate solutions. | Remaining integration points have been integrate as appropriate; Extended alerting and response is enabled with other Analytics tools at least using SIEM | | Implement Extended Detection & Response (XDR) & Integrate w/ C2C Pt 1 | Threat Alerting Pt3 |\r\n| 3.1.1 | Application/Code Identification | 3.1 Application Inventory | Target Level ZT | 16.7 | DoD Organizations create an inventory of approved applications and code (e.g., source code, libraries, etc.). Each organization will track the supportability (i.e., active, legacy, etc.) and hosted location (i.e., cloud, on-premise, hybrid, etc.) at least in the inventory. | Component has identified applications and classified as either legacy, virtualized on-premises, and cloud hosted | | | |\r\n| 3.1.2 | Resource Authorization Pt1 | 3.4 Resource Authorization &
Integration | Target Level ZT | 18.5 | The DoD Enterprise standardizes on resource authorization approaches (e.g., Software Defined Perimeter) with the organizations. At a minimum the resource authorization gateways will be integrated with identities and devices. Organizations deploy approved resource authorization gateways and enable for external facing applications/services. Additional applications for migration and applications unable to be migrated are identified for exception or decommission. | Resource Authorization Gateway is in place for external facing applications; Resource Authorization policy integrated with identity and device; Enterprise-wide Guidance on conversion standards are communicated to stakeholders | | NPE/PKI, Device under Management
Datacenter Macro segmentation | Resource Authorization Pt2 |\r\n| 3.1.3 | Resource Authorization Pt2 | 3.4 Resource Authorization &
Integration | Target Level ZT | 20.6 | Resource authorization gateways are used for all possible applications/services. Application unable to utilize gateways are either decommissioned or excepted using a risk based methodical approach.
Authorizations are further integrated with the CI/CD pipeline for automated decision making. | Resource Authorization gateway is utilized for all applications; Resource Authorization is integrated with DevSecOps and CI/CD for automated functions | | Resource Authorization Pt1 | |\r\n| 3.2.1 | Build DevSecOps Software Factory Pt1 | 3.2 Secure Software Development &
Integration | Target Level ZT | 19.3 | The DoD enterprise creates the foundational standards for modern DevSecOps processes and CI/CD pipelines. The concepts are applied in a standardized technology stack across DoD organizations able to meet future Application Security requirements. An enterprise-wide Vulnerability Management program is integrated with the CI/CD pipelines following the Vulnerability Management Program activities. | Developed Data/Service Standards for DevSecOps; CI/CD Pipeline is fully functional and tested successfully; Vulnerability Management program is officially in place and operating | SC-3 (3) minimize nonsecurity functionality | | Build DevSecOps Software Factory Pt2 |\r\n| 3.2.2 | Build DevSecOps Software Factory Pt2 | 3.2 Secure Software Development &
Integration | Target Level ZT | 10.8 | DoD Organizations will use their approved CI/CD pipelines to develop most new applications. Any exceptions will follow a standardized approval process to be allowed to develop in a legacy fashion.
DevSecOps processes are also used to develop all new applications and update existing applications. Continual validation functions are integrated into the CI/CD pipelines and DevSecOps processes and
integrated with existing applications. | Development of applications is migrated to CI/CD pipeline; Continual validation process/technology is implemented and in use; Development of applications is migrated to DevSecOps process and technology | AC-6 (4) separate processing domains; CM 7 (6) confined environments with limited privileges | Build DevSecOps Software Factory Pt1 | Continuous Authorization to Operate (cATO) Pt1 |\r\n| 3.2.3 | Automate Application Security & Code Remediation Pt1 | 3.2 Secure Software Development &
Integration | Target Level ZT | 18.0 | A standardized approach to application security including code remediation is implemented across the DoD enterprise. Part one (1) of this activity includes the integration of a Secure API gateway with applications utilizing API or similar calls. Code reviews are conducted in a methodical approach and standardized protections for containers and their infrastructure are in place. Additionally, any serverless functions where the 3rd party manages the infrastructure such as Platform as a Service utilize adequate serverless security monitoring and response functions. Code Reviews, Container and Serverless security functions are integrated into the CI/CD and/or DevSecOps process appropriate. | Secure API Gateway is operational and majority of API calls are passing through gateway; Application Security functions (e.g., code review, container and serverless security) are implemented as part of CI/CD and DevSecOps | SI-7 (12) integrity verification; SI-7 (15) code authentication; SC-7 (21) isolation of system components; | Implement Asset, Vulnerability and Patch Management Tools | Automate Application Security & Code Remediation Pt2; REST API Micro-Segments |\r\n| 3.2.4 | Automate Application Security & Code Remediation Pt2 | 3.2 Secure Software Development &
Integration | Advanced ZT | 16.2 | DoD Organizations modernize approaches to delivering internally developed and managed services following best practice approaches such as Microservices. These approaches will enable more resilient and secure architectures by allowing for quicker changes to code in each microservice as security issues are discovered. Further advancement security remediation activities continue across the DoD Enterprise with the inclusion of runtime security functions for containers as appropriate, automated vulnerable library updates and automated CI/CD approvals during the release process. | Secure API Gateway is operational and majority of API calls are passing through gateway; Services are provided following a Service Oriented Architecture (SOA); Security Remediation activities (e.g., runtime security, library updates, release approvals) are fully automated | CM-7 (7) code execution in protected environments; CM-14 Signed Components; SI-7 (17) runtime application self-protection | Automate Application Security & Code Remediation Pt1 | |\r\n| 3.3.1 | Approved Binaries/Code | 3.3 Software Risk Management | Target Level ZT | 23.4 | The DoD enterprise uses best practice approaches to manage approved binaries and code in a methodical approach. These approaches will include supplier sourcing risk management, approved repository usage, bill of materials supply chain risk management, and industry standard vulnerability management. 
| Supplier sourcing risk evaluated and identified for approved sources; Repository and update channel established for use by development teams; Bill of Materials is created for applications identify source, supportability and risk posture; Industry standard (DIB) and approved vulnerability databases are pulled in to be used in DevSecOps | SI-19 (7) validated algorithms and software | Vulnerability Management Program Pt1 | |\r\n| 3.3.2 | Vulnerability Management Program Pt1 | 3.3 Software Risk Management | Target Level ZT | 7.8 | The DoD Enterprise works with Organizations to establish and manage a Vulnerability Management program. The program includes a policy and standards agreed upon by all Organizations. The developed program includes at a minimum the track and management of public vulnerabilities based on DoD applications/services. Organizations establish a vulnerability management team with key stakeholders where vulnerabilities are discussed and managed following the Enterprise policy and standards. | Vulnerability Management Team is in place w/ appropriate stakeholder membership; Vulnerability Management policy and process is in place and agreed to w/ stakeholders; Public source of vulnerabilities are being utilized for tracking | SA-11 (2) threat modeling and vulnerability analyses | | Approved Binaries/Code; Vulnerability Management Program Pt2 |\r\n| 3.3.3 | Vulnerability Management Program Pt2 | 3.3 Software Risk Management | Target Level ZT | 12.1 | Processes are established at the DoD Enterprise level for managing the disclosure of vulnerabilities in DoD maintained/operated services both publicly and privately accessible. DoD Organizations expand the vulnerability management program to track and manage closed vulnerability repositories such as DIB, CERT, and others. 
| Controlled (e.g., DIB, CERT) sources of vulnerabilities are being utilized for tracking; Vulnerability management program has a process for accepting external/public disclosures for managed services | | Vulnerability Management Program Pt1 | Automate Application Security & Code Remediation Pt1 |\r\n| 3.3.4 | Continual Validation | 3.3 Software Risk Management | Target Level ZT | 11.1 | DoD Organizations will implement a continual validation approach for application development where parallel deployment is conducted and integrated with an approved environment level (e.g., UAT, Prod).
Applications unable to integrate continual validation into their CI/CD process are identified and exceptions are provided as needed using a methodical approach. | Updated Applications are deployed in a live and/or production environment; Applications that were marked for retirement and transition are decommissioned; Continual validation tools are implemented and applied to code in the CI/CD pipeline; Code requiring continuous validation is identified and validation criteria are established | | | |\r\n| 3.4.1 | SDC Resource Authorization Pt1 | 3.4 Resource Authorization &
Integration | Target Level ZT | 31.1 | The DoD Enterprise provides a standardized approach for code based compute management (i.e., Software Defined Compute) following industry best practices. Using risk-based approaches baselines are created using the approved set of code libraires and packages. DoD Organizations work with the approved code/binaries activities to ensure that applications are identified which can and cannot support the approach. Applications which can support a modern software- based configuration and management approaches are identified and transitioning begins. Applications which cannot follow software-based configuration and management approaches are identified and allowed through exception using a methodical approach. | Applications unable to be updated to use approved binaries/code are marked for retirement and transition plans are created; Identified applications without approved binaries and code are updated to use approved binaries/code; Enterprise-wide Guidance on conversion standards are communicated to stakeholders | | | SDC Resource Authorization Pt2 |\r\n| 3.4.2 | SDC Resource Authorization Pt2 | 3.4 Resource Authorization &
Integration | Target Level ZT | 21.8 | Applications which support software-based configuration and management have been transitioned to a production/live environment and are in normal operations. Where possible applications which cannot support software-based configuration and management are decommissioned. | Updated Applications are deployed in a live and/or production environment; Applications that were marked for retirement and transition are decommissioned | | SDC Resource Authorization Pt1 | |\r\n| 3.4.3 | Enrich Attributes for Resource Authorization Pt1 | 3.4 Resource Authorization &
Integration | Advanced ZT | 17.6 | Initial attributes from sources such as User and Entity Activity Monitoring, Micro-segmentation services, DLP and DRM are integrated into the Resource Authorization technology stack and policy. Any additional attributes for later integration are identified and planned.
Attributes are used to create basic risk posture of users, NPEs and devices allowing for authorization decisions. | Most API calls are passing through the Secure API Gateway; Resource Authorization receives data from Analytics Engine; Authorization policies incorporate identified attributes in making authorization decisions; Attributes to be used for initial enrichment are identified; Identified attributes are assigned to resources and/or entities | SC-3 (2) access and flow control functions | User Activity Monitoring Pt2; Entity Activity Monitoring Pt2; Application & Device Micro segmentation; Manual Data Tagging Pt2; DLP Enforcement via Data Tags and Analytics Pt2; DRM Enforcement via Data Tags and Analytics Pt2 | Enrich Attributes for Resource Authorization Pt2 |\r\n| 3.4.4 | Enrich Attributes for Resource Authorization Pt2 | 3.4 Resource Authorization &
Integration | Advanced ZT | 17.8 | Extended identified attributes are integrated with the resource authorization technology and policy. Confidence scoring is introduced across the attributes to create a more advanced method of
authorization decision making in an automated fashion. | Authorization policies incorporate confidence levels in making authorization decisions; Confidence levels for attributes are defined | | Enrich Attributes for Resource Authorization Pt1 | |\r\n| 3.4.5 | REST API Micro-Segments | 3.4 Resource Authorization &
Integration | Advanced ZT | 18.1 | Using the DoD Enterprise approved API gateway(s), application calls are micro-segmented only allowing authenticated and authorized access to specific destinations (e.g., microservices). When possible, API Micro-Segmentation consoles are integrated and aware of other Micro Segmentation consoles such as Software Defined Perimeter Controllers and/or Software Defined Networking Consoles. | Approved Enterprise APIs are Micro-Segmented appropriately | SC-39 (2) separate execution domain per thread | Automate Application Security & Code Remediation Pt1 | |\r\n| 3.5.1 | Continuous Authorization to Operate (cATO) Pt1 | 3.5 Continuous Monitoring and Ongoing
Authorizations | Advanced ZT | 15.1 | DoD Organizations utilize automation solutions within the environment to standardize the monitoring of controls and offer the capability to identify deviations. Where appropriate monitoring and testing is integrated with DevSecOps processes. | Controls derivation is standardized and ready for automation; Controls testing is integrated with DevSecOps processes and technology | | Policy Inventory & Development; Build DevSecOps Software Factory Pt2 | Continuous Authorization to Operate (ATO) Pt2 |\r\n| 3.5.2 | Continuous Authorization to Operate (cATO) Pt2 | 3.5 Continuous Monitoring and Ongoing
Authorizations | Advanced ZT | 21.8 | DoD Organizations fully automate control derivation, testing and monitoring processes. Deviations are automatically tested and resolved using existing cross pillar automation infrastructure. Dashboarding is used to monitor the status of authorizations and analytics are integrated with the responsible authorizing officials. | Controls testing is fully automated; Integration with standard IR and SOC operations is automated; Control derivation and applicability is fully automated; Dashboards are used to track continuing authorization status | | Continuous Authorization to Operate (ATO) Pt1; Threat Alerting Pt3; Automated Workflow | |\r\n| 4.1.1 | Data Analysis | 4.1 Data Catalog Risk Alignment | Target Level ZT | 17.4 | DoD Organizations update the service and application catalog(s) with data classifications. Data tags are also added to each service and
application. | The service catalog is updated with data types for each application and service based on data classification levels | | | |\r\n| 4.2.1 | Define Data Tagging Standards | 4.2 DoD Enterprise Data Governance | Target Level ZT | 15.8 | The DoD Enterprise works with organizations to establish data tagging and classification standards based on industry best practices.
Classifications are agreed upon and implemented in processes. Tags are identified as manual and automated for future activities. | Enterprise data classification and tagging standards are developed; Organizations align to enterprise standards and begin implementation | | | Implement Data Tagging & Classification Tools; Manual Data Tagging Pt1 |\r\n| 4.2.2 | Interoperability Standards | 4.2 DoD Enterprise Data Governance | Target Level ZT | 14.4 | The DoD Enterprise collaborating with the organizations develops interoperability standards integrating mandatory Data Rights Management (DRM) and Protection solutions with necessary technologies to enable ZT target functionality. | Formal standards are in place by the Enterprise for the appropriate data standards | | | Implement DRM and Protection Tools Pt1 |\r\n| 4.2.3 | Develop Software Defined Storage (SDS) Policy | 4.2 DoD Enterprise Data Governance | Target Level ZT | 9.9 | The DoD enterprise working with organizations establishes a software define storage (SDS) policy and standards based on industry best practices. DoD organizations evaluate current data storage strategy and technology for implementation of SDS. Where appropriate storage technology is identified for SDS implementation. | Determine need for SDS tool implementation; Policy for SDS is created at the enterprise and org levels | | | Integrate DAAS Access w/ SDS Policy Pt1; Integrate Solution & Policy w/ Enterprise IDP Pt1 |\r\n| 4.3.1 | Implement Data Tagging & Classification Tools | 4.3 Data Labeling and Tagging | Target Level ZT | 15.9 | DoD Organizations utilize the enterprise standard and requirements to implement data tagging and classification solution(s). Organizations ensure that future ML and AI integrations are supported by solutions through DoD enterprise requirements. 
| A requirement of Data classification and tagging tools must include integration and/or support of Machine Learning (ML); Data classification and tagging tools are implemented at org and enterprise levels | | Define Data Tagging Standards | Implement Enforcement Points |\r\n| 4.3.2 | Manual Data Tagging Pt1 | 4.3 Data Labeling and Tagging | Target Level ZT | 17.6 | Using the DoD Enterprise data tagging and classification policy and standards, manual tagging starts using basic data level attributes to meet ZT target functionality. | Manual data tagging begins at the enterprise level with basic attributes | SI-18 (2) data tags | Define Data Tagging Standards | Manual Data Tagging Pt2; DRM Enforcement via Data Tags and Analytics Pt1; DLP Enforcement via Data Tags and Analytics Pt1 |\r\n| 4.3.3 | Manual Data Tagging Pt2 | 4.3 Data Labeling and Tagging | Advanced ZT | 16.1 | DoD organizational specific data level attributes are integrated into the manual data tagging process. DoD enterprise and organizations collaborate to decide which attributes are required to meet ZTA advanced functionality. Data level attributes for ZTA advanced functionality are standardized across the enterprise and incorporated. | Manual data tagging is expanded to the program/org levels with specific attributes | AC-4 (6) metadata | Manual Data Tagging Pt1 | Enrich Attributes for Resource Authorization Pt1 |\r\n| 4.3.4 | Automated Data Tagging & Support Pt1 | 4.3 Data Labeling and Tagging | Advanced ZT | 14.1 | DoD Organizations use data loss prevention, rights management, and/or protection solutions to conduct scanning of data repositories. Standardized tags are applied to supported data repositories and data types. Unsupported data repositories and types are identified. 
| Basic automation begins by scanning data repositories and applying tags | | Implement Data Tagging & Classification ML Tools | Automated Data Tagging & Support Pt2 |\r\n| 4.3.5 | Automated Data Tagging & Support Pt2 | 4.3 Data Labeling and Tagging | Advanced ZT | 38.8 | Remaining supported data repositories have basic and extended data tags which are applied using machine learning and artificial intelligence. Extended data tags are applied to existing repositories.
Unsupported data repositories and data types are evaluated for decommissioning using a risk based methodical approach. Approved exceptions utilize manual data tagging approaches with data owners
and/or custodians to manage tagging. | Full automation of data tagging is completed; Results of data tagging are fed into ML algorithms to develop AI driven data tagging | | Automated Data Tagging & Support Pt1 | |\r\n| 4.4.1 | DLP Enforcement Point Logging and Analysis | 4.4 Data Monitoring and Sensing | Target Level ZT | 10.8 | DoD Organizations identify data loss prevention (DLP) enforcement points such as specific services and user endpoints. Using the established DoD Enterprise cybersecurity incident response standard, DoD organizations ensure the appropriate detail of data is captured.
Additionally, protection, detection, and response use cases are
developed to better outline solution coverage. | Enforcement points are identified; Standardized Logging schema is enforced at the enterprise and org levels | AC-3 (8) revocation of access authorizations | | Comprehensive Data Activity Monitoring |\r\n| 4.4.2 | DRM Enforcement Point Logging and Analysis | 4.4 Data Monitoring and Sensing | Target Level ZT | 12.6 | DoD Organizations identify data rights management (DRM) enforcement points such as specific services and user endpoints. Using the established DoD Enterprise cybersecurity incident response standard, DoD organizations ensure the appropriate detail of data is captured. Additionally, protection, detection, and response use cases are developed to better outline solution coverage. | Enforcement points are identified; Standardized Logging schema is enforced at the enterprise and org levels | | | Comprehensive Data Activity Monitoring |\r\n| 4.4.3 | File Activity Monitoring Pt1 | 4.4 Data Monitoring and Sensing | Target Level ZT | 16.8 | DoD Organizations utilize File Monitoring tools to monitor the most critical data classification levels in applications, services, and repositories. Analytics from monitoring is fed into the SIEM with basic data attributes to accomplish ZT Target functionality. | Data and files of critical classification are actively being monitored; Basic Integration is in place with monitoring system such as the SIEM | MP-8 (3) controlled unclassified information | | File Activity Monitoring Pt2 |\r\n| 4.4.4 | File Activity Monitoring Pt2 | 4.4 Data Monitoring and Sensing | Target Level ZT | 18.9 | DoD Organizations utilize File Monitoring tools to monitor all regulatory protected data (e.g., CUI, PII, PHI, etc.) in applications, services, and repositories. Extended integration is used to send data to appropriate inter/intra-pillar solutions such as Data Loss Prevention, Data Rights Management/Protection and User & Entity Behavior Analytics. 
| Data and files of all regulated classifications are actively being monitored; Extended integrations are in place as appropriate to further manage risk | MP-8 (4) classified information | File Activity Monitoring Pt1 | Rule Based Dynamic Access Pt2; Database Activity Monitoring |\r\n| 4.4.5 | Database Activity Monitoring | 4.4 Data Monitoring and Sensing | Advanced ZT | 18.2 | DoD Organizations procure, implement, and utilize Database Monitor solutions to monitor all databases containing regulated data types (CUI, PII, PHI, etc.). Logs and analytics from the database monitoring solution are fed to the SIEM for monitoring and response. Analytics are fed into cross pillar activities such as \"Enterprise Security Profile\" and \"Real Time Access\" to better direct decision making. | Appropriate Database are being actively monitored; Monitoring technology is integrated with solutions such as SIEM, PDP and Dynamic Access Control mechanisms | | File Activity Monitoring Pt2 | Comprehensive Data Activity Monitoring |\r\n| 4.4.6 | Comprehensive Data Activity Monitoring | 4.4 Data Monitoring and Sensing | Advanced ZT | 27.2 | DoD Organizations expand monitoring of data repositories including databases as appropriate based on a methodical risk approach.
Additional data attributes to meet the ZT Advanced functionalities are integrated into the analytics for additional integrations. | Data Activity monitoring mechanisms are integrated to provide a unified view of monitoring across data repositories; Appropriate integrations exist with solutions such as SIEM and PDP | | DLP Enforcement Point Logging and Analysis;
DRM Enforcement Point Logging and Analysis;
Database Activity Monitoring | AI-enabled Dynamic Access Control; FF Baseline & Profiling Pt. 2; AI- enabled Network Access |\r\n| 4.5.1 | Implement DRM and Protection Tools Pt1 | 4.5 Data Encryption & Rights Management | Target Level ZT | 11.7 | DoD Organizations procure and implement DRM and Protection solution(s) as needed following the DoD Enterprise standard and requirements. Newly implement DRM and protection solution(s) are implemented with high risk data repositories using ZTA target level
protections. | DRM and protection tools are enabled for high risk data repositories with basic protections | AU-9 (2) store on separate physical systems or components | Interoperability Standards | Implement DRM and Protection Tools Pt2 |\r\n| 4.5.2 | Implement DRM and Protection Tools Pt2 | 4.5 Data Encryption & Rights Management | Target Level ZT | 22.0 | DRM and protection coverage is expanded to cover all in scope data repositories. Encryption keys are automatically managed to meet best practices (e.g., FIPS). Extended data protection attributes are implemented based on the environment classification. | DRM and protection tools are enabled for possible repositories | AC-3 (9) controlled release; MP-6 (8) remote purging or wiping of information; SI-19 (4) removal, masking, encryption, hashing, or replacement of direct identifiers | Implement DRM and Protection Tools Pt1 | |\r\n| 4.5.3 | DRM Enforcement via Data Tags and Analytics Pt1 | 4.5 Data Encryption & Rights Management | Target Level ZT | 16.2 | Data rights management (DRM) and protection solutions are integrated with basic data tags defined by the DoD Enterprise standard. Initial data repositories are monitored and have protect and response actions enabled. Data at rest is encrypted in repositories. | Data Tags are integrated with DRM and monitored repositories are expanded; Based on data tags, data is encrypted at rest | | Manual Data Tagging Pt1 | DRM Enforcement via Data Tags and Analytics Pt2 |\r\n| 4.5.4 | DRM Enforcement via Data Tags and Analytics Pt2 | 4.5 Data Encryption & Rights Management | Advanced ZT | 19.0 | Extended data repositories are protected with DRM and Protection solutions. DoD Organizations implement extended data tags applicable to organizations versus mandated enterprise. Data is encrypted in extended repositories using additional tags. 
| All applicable data repositories are protected using DRM; Data is encrypted using extended data tags from the org levels | SC-16 (3) cryptographic binding | DRM Enforcement via Data Tags and Analytics Pt1 | Enrich Attributes for Resource Authorization Pt1; DRM Enforcement via Data Tags and Analytics Pt3 |\r\n| 4.5.5 | DRM Enforcement via Data Tags and Analytics Pt3 | 4.5 Data Encryption & Rights Management | Advanced ZT | 23.3 | DRM and Protection solutions integrate with AI and ML tooling for encryption, rights management and protection functions. | Analytics from ML/AI are integrated with DRM to better automate protections; Encryption protection is integrated with AI/ML and updated encryption methods are used as needed | AC-4 (19) validation of metadata | DRM Enforcement via Data Tags and Analytics Pt2 | |\r\n| 4.6.1 | Implement Enforcement Points | 4.6 Data Loss Prevention (DLP) | Target Level ZT | 21.2 | Data loss prevention (DLP) solution is deployed to the in-scope enforcement points. DLP solution is set to β€œmonitor-only” and/or β€œlearning” mode limiting impact. DLP solution results are analyzed, and
policy is fine tuned to manage risk to an acceptable level. | Identified enforcement points have DLP tool deployed and set to monitor mode with standardized logging | | Implement Data Tagging & Classification Tools | Process Micro segmentation |\r\n| 4.6.2 | DLP Enforcement via Data Tags and Analytics Pt1 | 4.6 Data Loss Prevention (DLP) | Target Level ZT | 21.3 | Data loss prevention (DLP) solution is updated from monitor only mode to prevention mode. Basic data tags are utilized for DLP solution and
logging schema is integrated. | Enforcement Points to set to prevent mode integrating the logging schema and manual tags | | Manual Data Tagging Pt1 | DLP Enforcement via Data Tags and Analytics Pt2 |\r\n| 4.6.3 | DLP Enforcement via Data Tags and Analytics Pt2 | 4.6 Data Loss Prevention (DLP) | Advanced ZT | 19.0 | Data loss prevention (DLP) solution is updated to include extended data tags based on parallel Automation activities. | Enforcement points have extended data tag attributes applied for additional prevention | | DLP Enforcement via Data Tags and Analytics Pt1 | Enrich Attributes for Resource Authorization Pt1; DLP Enforcement via Data Tags and Analytics Pt3 |\r\n| 4.6.4 | DLP Enforcement via Data Tags and Analytics Pt3 | 4.6 Data Loss Prevention (DLP) | Advanced ZT | 41.6 | Data loss prevention (DLP) solution is integrated with automated data tagging techniques to include any missing enforcement points and tags. | Automated tagging attributes are integrated with DLP and resulting metrics are used for ML | | DLP Enforcement via Data Tags and Analytics Pt2 | |\r\n| 4.7.1 | Integrate DAAS Access w/ SDS Policy Pt1 | 4.7 Data Access Control | Target Level ZT | 15.3 | Utilizing the DoD enterprise SDS policy, organizational DAAS policy is developed with intended integration in mind. SDS implementation guide is developed by DoD organizations due to environment specific nature. | Attribute base fine-grained DAAS policy is developed w/ enterprise and org level support; SDS Integration plan is developed to support DAAS policy | | Develop Software Defined Storage (SDS) Policy | Integrate DAAS Access w/ SDS Policy Pt2 |\r\n| 4.7.2 | Integrate DAAS Access w/ SDS Policy Pt2 | 4.7 Data Access Control | Advanced ZT | 12.6 | DoD Organizations implement the DAAS policy in an automated fashion. 
| Attribute based fine-grained DAAS Policy implemented in an automated fashion | | Integrate DAAS Access w/ SDS Policy Pt1; Implement SDS Tool and/or Integrate w/ DRM Tool Pt1 | Integrate DAAS Access w/ SDS Policy Pt3 |\r\n| 4.7.3 | Integrate DAAS Access w/ SDS Policy Pt3 | 4.7 Data Access Control | Advanced ZT | 9.2 | Newly implemented SDS technology and/or functionalities are integrated with the DAAS policy in a risk-based fashion. A phased approach should be taken to during implementation to measure results and adjust accordingly. | SDS is integrated with DAAS policy functionality; all data in all applications are protected with attribute based fine- grained DAAS policy | | Integrate DAAS Access w/ SDS Policy Pt2 | |\r\n| 4.7.4 | Integrate Solution(s) and Policy with Enterprise IDP
Pt1 | 4.7 Data Access Control | Target Level ZT | 13.9 | DoD Organizations develop an integration plan using the SDS policy and technology/functionality with the enterprise Identity Provider
(IdP) solution. | Integration plan between SDS and authoritative Identity Provider is developed to support existing DAAS access | | Develop Software Defined Storage (SDS) Policy; Enterprise IDP Pt1 | Integrate Solution & Policy w/ Enterprise IDP Pt2 |\r\n| 4.7.5 | Integrate Solution(s) and Policy with Enterprise IDP Pt2 | 4.7 Data Access Control | Advanced ZT | 9.2 | Newly implemented SDS technology and/or functionalities are integrated with the Enterprise Identity Provider (IdP) following the integration plan. Identity attributes required to meet ZT Target functionalities are required for integration. | Complete integration with Enterprise IDP and SDS toolingto support all attribute based fine-grained DAAS access | | Integrate Solution & Policy w/ Enterprise IDP Pt1 | |\r\n| 4.7.6 | Implement SDS Tool and/or integrate with DRM Tool Pt1 | 4.7 Data Access Control | Advanced ZT | 17.4 | Depending on the need for a Software Defined Storage tool, a new solution is implemented or an existing solution is identified meeting the functionality requirements to be integrated with DLP,
DRM/Protection, and ML solutions. | If tooling is needed ensure there is supported integrations with DLP, DRM and ML tooling | | Develop Software Defined Storage (SDS) Policy; Integrate Solution & Policy w/ Enterprise IDP Pt1 | Integrate DAAS Access w/ SDS Policy Pt2; Implement SDS Tool and/or Integrate w/ DRM Tool Pt2 |\r\n| 4.7.7 | Implement SDS Tool and/or integrate with DRM Tool Pt2 | 4.7 Data Access Control | Advanced ZT | 15.3 | DoD Organizations configure the SDS functionality and/or solution to be integrated with the underlying DLP and DRM/Protection infrastructure as appropriate. Lower-level integrations enable more
effective protection and response. | Integrate SDS infrastructure with existing DLP and DRM infrastructure | | Implement SDS Tool and/or Integrate w/ DRM Tool Pt1 | |\r\n| 5.1.1 | Define Granular Control Access Rules & Policies Pt1 | 5.1 Data Flow Mapping | Target Level ZT | 10.3 | The DoD Enterprise working with the Organizations creates granular network access rules and policies. Associated Concept of Operations (ConOps) are developed in alignment with access policies as well ensure future supportability. Once agreed upon, DoD Organizations will implement these access policies into existing network technologies (e.g., Next Generation Firewalls, Intrusion Prevention Systems, etc.) to improve initial risk levels. | Provide Technical Standards; Develop Concept of Operations; Identify Communities of Interest | | | Define SDN APIs; Define Granular Control Access Rules & Policies Pt2 |\r\n| 5.1.2 | Define Granular Control Access Rules & Policies Pt2 | 5.1 Data Flow Mapping | Target Level ZT | 8.0 | DoD Organizations utilize data tagging and classification standards to develop data filters for API access to the SDN Infrastructure. API Decision Points are formalized within the SDN architecture and implemented with non-mission/task critical applications and services. | Define Data Tagging Filters for API Infrastructure | | Define Granular Control Access Rules & Policies Pt1 | |\r\n| 5.2.1 | Define SDN APIs | 5.2 Software Defined Networking (SDN) | Target Level ZT | 8.3 | The DoD Enterprise works with the Organizations to define the necessary APIs and other programmatic interfaces to enable Software Defined Networking (SDN) functionalities. These APIs will enable Authentication Decision Point, Application Delivery Control Proxy and Segmentation Gateways automation. 
| SDN APIs are standardized and implemented; APIs are functional for AuthN Decision Point, App Delivery Control Proxy and Segmentation Gateways | | Define Granular Control Access Rules & Policies Pt1 | Implement SDN Programable Infrastructure |\r\n| 5.2.2 | Implement SDN Programable Infrastructure | 5.2 Software Defined Networking (SDN) | Target Level ZT | 32.0 | Following the API standards, requirements and SDN API functionalities, DoD Organizations will implement Software Defined Networking (SDN) infrastructure to enable automation tasks. Segmentation Gateways and Authentication Decision Points are integrated into the SDN infrastructure along with output logging into a standardized repository (e.g., SIEM, Log Analytics) for monitoring and alerting. | Implemented Application Delivery Control Proxy; Established SIEM Logging Activities; Implemented User Activity Monitoring (UAM); Integrated with Authentication Decision Point; Implemented Segmentation Gateways | | Define SDN APIs; Standardized API Calls & Schemas Pt1 | |\r\n| 5.2.3 | Segment Flows into Control, Management, and Data Planes | 5.2 Software Defined Networking (SDN) | Target Level ZT | 13.0 | Network infrastructure and flows are segmented either physically or logically into control, management, and data planes. Basic segmentation using IPv6/VLAN approaches is implemented to better organize traffic across data planes. Analytics and NetFlow from the updated infrastructure is automatically fed into Operations Centers and analytics tools. 
| IPv6 Segmentation; Enable Automated NetOps Information Reporting; Ensure Configuration Control Across Enterprise; Integrated with SOAR | AC-4 (21) physical or logical separation of information flows | | B/C/P/S Macro segmentation; Application & Device Micro segmentation |\r\n| 5.2.4 | Network Asset Discovery & Optimization | 5.2 Software Defined Networking (SDN) | Advanced ZT | 30.2 | DoD Organizations automate network asset discovery through the SDN infrastructure limiting access to devices based on risk based methodical approaches. Optimization is conducted based on the SDN analytics to improve overall performance along with provide necessary approved access to resources. | Technical Refreshment/Technology Evolution; Provide Optimization/Performance Controls | | | |\r\n| 5.2.5 | Real-Time Access Decisions | 5.2 Software Defined Networking (SDN) | Advanced ZT | 15.6 | SDN Infrastructure utilizes cross Pillar data sources such as User Activity Monitoring, Entity Activity Monitoring, Enterprise Security Profiles and more for real-time access decisions. Machine learning is used to assist decision making based on advanced network analytics (full packet capture, etc.). Policies are consistently implemented across the Enterprise using unified access standards. 
| Analyze SIEM Logs with Analytics Engine to Provide Real- Time Policy Access Decisions; Support Sending Captured Packets, Data/Network Flows, and other Specific Logs for Analytics; Segment End-to-End Transport Network Flows; Audit Security Policies for Consistency across Enterprise; Protect Data-in-Transit During Coalition Information Sharing | | Continuous Authentication Pt2; User Activity Monitoring Pt2; Implement C2C/Compliance Based Network Authorization Pt2; Entity Activity Monitoring Pt2; AI-enabled Network Access; Enterprise Security Profile Pt2 | |\r\n| 5.3.1 | Datacenter Macro segmentation | 5.3 Macro Segmentation | Target Level ZT | 17.6 | DoD Organizations implement data center focused macro- segmentation using traditional tiered (web, app, db) and/or service- based architectures. Proxy and/or enforcement checks are integrated with the SDN solution(s) based on device attributes and behavior. | Log Actions to SIEM; Establish Proxy/Enforcement Checks of Device Attributes, Behavior, and other Data; Analyze Activities with Analytics Engine | | | Implement Micro segmentation |\r\n| 5.3.2 | B/C/P/S Macro segmentation | 5.3 Macro Segmentation | Target Level ZT | 18.1 | DoD Organizations implement base, camp, post, and station macro- segmentation using logical network zones limiting lateral movement.
Proxy and/or enforcement checks are integrated with the SDN
solution(s) based on device attributes and behavior. | Establish Proxy/Enforcement Checks of Device Attributes, Behavior, and other Data; Log Actions to SIEM; Analyze Activities with Analytics Engine; Leverage SOAR to Provide RT Policy Access Decisions | | Segment Flows into Control, Management, and Data Planes | |\r\n| 5.4.1 | Implement Micro segmentation | 5.4 Micro Segmentation | Target Level ZT | 17.3 | DoD Organizations implement Micro-Segmentation infrastructure into SDN environment enabling basic segmentation of service components (e.g., web, app, db), ports and protocols. Basic automation is accepted for policy changes including API decision making. Virtual hosting environments implement micro-segmentation at the host/container level. | Accept Automated Policy Changes; Implement API Decision Points; Implement NGF/Micro FW/Endpoint Agent in Virtual Hosting Environment | SC-7 (22) separate subnets for connecting to different security domains | Datacenter Macro segmentation | Application & Device Micro segmentation |\r\n| 5.4.2 | Application & Device Micro segmentation | 5.4 Micro Segmentation | Target Level ZT | 17.9 | DoD Organizations utilize Software Defined Networking (SDN) solution(s) to establish infrastructure meeting the ZT Target functionalities – logical network zones, role, attribute and conditional based access control for user and devices, privileged access management services for network resources, and policy-based control on API access. 
| Assign Role, Attribute, & Condition Based Access Control to User & Devices; Provide Privileged Access Management Services; Limit Access on Per Identity Basis for User & Device; Create Logical Network Zones; Support Policy Control via REST API | | Segment Flows into Control, Management, and Data Planes; Implement Micro segmentation | Enrich Attributes for Resource Authorization Pt1 |\r\n| 5.4.3 | Process Micro segmentation | 5.4 Micro Segmentation | Advanced ZT | 20.3 | DoD Organizations utilize existing micro-segmentation and SDN automation infrastructure enabling process micro-segmentation. Host- level processes are segmented based on security policies and access is granted using real-time access decision making. | Segment Host-Level Processes for Security Policies; Support Real-Time Access Decisions and Policy Changes; Support Offload of Logs for Analytics and Automation; Support Dynamic Deployment of Segmentation Policy | AC-4 (7) one-way flow mechanisms; AC-4
(17) domain authentication; SC-7 (20) dynamic isolation and segregation | Implement Enforcement Points | |\r\n| 5.4.4 | Protect Data In Transit | 5.4 Micro Segmentation | Target Level ZT | 9.1 | Based on the data flow mappings and monitoring, policies are enabled by DoD Organizations to mandate protection of data in transit.
Common use cases such as Coalition Information Sharing, Sharing
Across System Boundaries and Protection across Architectural Components are included in protection policies. | Protect Data In Transit During Coalition Information Sharing; Protect Data in Transit Across System High Boundaries; Integrate Data In Transit Protection Across Architecture Components | | | |\r\n| 6.1.1 | Policy Inventory & Development | 6.1 Policy Decision Point (PDP) & Policy Orchestration | Target Level ZT | 9.8 | The DoD Enterprise works with the Organizations to catalog and inventory existing Cyber Security policies and standards. Policies are updated and created in cross pillar activities as needed to meet critical ZT Target functionality. | Policies have been collected in reference to applicable compliance and risk (e.g. RMF, NIST); Policies have been reviewed for missing Pillars and Capabilities per the ZTRA; Missing areas of policies are updated to meet the capabilities per ZTRA | | | Continuous Authorization to Operate (cATO) Pt1 |\r\n| 6.1.2 | Organization Access Profile | 6.1 Policy Decision Point (PDP) & Policy Orchestration | Target Level ZT | 19.4 | DoD Organizations develop basic access profiles for mission/task and non-mission/task DAAS access using the data from the User, Data, Network, and device pillars. The DoD Enterprise works with the Organizations to develop an Enterprise Security Profile using the existing Organizational security profiles to create a common access approach to DAAS. A phased approach can be used in organizations to limit risk to mission/task critical DAAS access once the security profile(s) are created. 
| Organization scoped profile(s) are created to determine access to DAAS using capabilities from User, Data, Network, and Device pillars; Initial enterprise profile access standard is developed for access to DAAS ; When possible the organization profile(s) utilizes enterprise available services in the User, Data, Network and Device pillars; Organization Mission/Task critical profile(s) are created | | | Enterprise Security Profile Pt1 |\r\n| 6.1.3 | Enterprise Security Profile Pt1 | 6.1 Policy Decision Point (PDP) & Policy Orchestration | Target Level ZT | 16.0 | The Enterprise Security profile covers the User, Data, Network and Device pillars initially. Existing Organizational Security Profiles are integrated for non-mission/task DAAS access following an iterative approach to tuning access. | Enterprise Profile(s) are created to access DAAS using capabilities from User, Data, Network and Device Pillars; Non-mission/task critical organization profile(s) are integrated with the enterprise profile(s) using a standardized approach | | Organization Access Profile | Enterprise Security Profile Pt2 |\r\n| 6.1.4 | Enterprise Security Profile Pt2 | 6.1 Policy Decision Point (PDP) & Policy Orchestration | Advanced ZT | 12.5 | The minimum number of Enterprise Security Profile(s) exist granting access to the widest range of DAAS across Pillars within the DoD Organizations. Mission/task organization profiles are integrated with the Enterprise Security Profile(s) and exceptions are managed in a risk based methodical approach. | Enterprise Profile(s) have been reduced and simplified to support widest array of access to DAAS; Where appropriate Mission/Task Critical profile(s) have been integrated and supported Organization profiles are considered the exception | | Enterprise Security Profile Pt1 | Real-Time Access Decisions
AI-enabled Dynamic Access Control |\r\n| 6.2.1 | Task Automation Analysis | 6.2 Critical Process Automation | Target Level ZT | 6.3 | DoD Organizations identify and enumerate all task activities that can be executed both manually and in an automated fashion. Task activities are organized into automated and manual categories.
Manual activities are analyzed for possible retirement. | Automatable tasks are identified; Tasks are enumerated | | | |\r\n| 6.2.2 | Enterprise Integration & Workflow Provisioning Pt1 | 6.2 Critical Process Automation | Target Level ZT | 23.4 | The DoD enterprise establishes baseline integrations within the Security Orchestration, Automation and Response solution (SOAR) required to enable target level ZTA functionality. DoD organizations identify integration points and prioritize key ones per the DoD enterprise baseline. Critical integrations occur meeting key services enabling recovery and protection capabilities. | Implement full enterprise integration; Identify key integrations; Identify recovery and protection requirements | | | Enterprise Integration & Workflow Provisioning Pt2 |\r\n| 6.2.3 | Enterprise Integration & Workflow Provisioning Pt2 | 6.2 Critical Process Automation | Advanced ZT | 12.7 | DoD Organizations integrate remaining services to meet baseline requirements and advanced ZTA functionality requirements as appropriate per environment. Service provisioning is integrated and automated into workflows where required meeting ZTA target functionalities. | Services identified; Service provisioning is implemented | CM-3 (3) automated change implementation | Enterprise Integration & Workflow Provisioning Pt1 | Automated Workflow |\r\n| 6.3.1 | Implement Data Tagging & Classification ML Tools | 6.3 Machine Learning | Target Level ZT | 16.0 | DoD Organizations utilize existing Data Tagging and Classification standards and requirements to procure Machine Learning solution(s) as needed. Machine Learning solution(s) is implemented in organizations and existing tagged and classified data repositories are used to establish baselines. Machine learning solution(s) applies data tags in a supervised approach to continually improve analysis. 
| Implemented data tagging and classification tools are integrated with ML tools | | Define Data Tagging Standards | Automated Data Tagging & Support Pt1 |\r\n| 6.4.1 | Implement AI automation tools | 6.4 Artificial Intelligence | Advanced ZT | 25.7 | DoD Organizations identify areas of improvement based on existing machine learning techniques for Artificial Intelligence. AI solutions are identified, procured, and implemented using the identified areas as requirements. | Develop AI Tool Requirements; Procure and Implement AI Tools | | | Automated Workflow |\r\n| 6.4.2 | AI Driven by Analytics decides A&O modifications | 6.4 Artificial Intelligence | Advanced ZT | 42.0 | DoD Organizations utilizing existing machine learning functions implement and use AI technology such as neural networks to drive automation and orchestration decisions. Decision making is moved to AI as much as possible freeing up human staff for other efforts.
Utilizing historical patterns, AI will make anticipatory changes in the
environment to better reduce risk. | AI is able to make changes to automated workflow activities | | | |\r\n| 6.5.1 | Response Automation Analysis | 6.5 Security Orchestration,
Automation & Response
(SOAR) | Target Level ZT | 9.0 | DoD Organizations identify and enumerate all response activities that executed both manually and in an automated fashion. Response activities are organized into automated and manual categories.
Manual activities are analyzed for possible retirement. | Automatable response activities are identified; Response activities are enumerated | AC-21 (1) automated decision support; SI- 4 (3) automated tool and mechanism integration; SI-18 (1) automation support | | |\r\n| 6.5.2 | Implement SOAR Tools | 6.5 Security Orchestration,
Automation & Response (SOAR) | Target Level ZT | 14.9 | DoD enterprise working with Organizations develops a standard set of requirements for security orchestration, automation, and response (SOAR) tooling to enable target level ZTA functions. DoD Organizations use approved requirements to procure and implement SOAR solution.
Basic infrastructure integrations for future SOAR functionality is
completed. | Develop requirements for SOAR tool; Procure SOAR tools | | Standardized API Calls & Schemas Pt1; Workflow Enrichment Pt1 | |\r\n| 6.5.3 | Implement Playbooks | 6.5 Security Orchestration,
Automation & Response (SOAR) | Advanced ZT | 14.0 | DoD organizations review all existing playbooks to identify for future automation. Existing manual and automated processes missing playbooks have playbooks developed. Playbooks are prioritized for automation to be integrated with the Automated Workflows activities covering Critical Processes. Manual processes without playbooks are authorized using a risk based methodical approach. | When possible automated playbooks based on automated workflows capability; Manual Playbooks are developed and implemented | CA-7 (6) automation support for monitoring; CM-3 (1) automated documentation, notification, and prohibition of changes; CM-3 (5) automated security response | | |\r\n| 6.6.1 | Tool Compliance Analysis | 6.6 API Standardization | Target Level ZT | 7.3 | Automation and Orchestration tooling and solutions are analyzed for compliance and capabilities based on the DoD Enterprise programmatic interface standard and requirements. Any additional tooling or solutions are identified to support the programmatic interface standards and requirements. | API status is determined compliance or non-compliance to API standards; Tools to be used are Identified | | | |\r\n| 6.6.2 | Standardized API Calls & Schemas Pt1 | 6.6 API Standardization | Target Level ZT | 13.6 | The DoD enterprise works with organizations to establish a programmatic interface (e.g., API) standard and requirements as needed to enable target ZTA functionalities. DoD Organizations update programmatic interfaces to the new standard and mandate newly acquired/developed tools to meet the new standard. Tools unable to meet the standard are allowed by exception using a risk based methodical approach. 
| Initial calls and schemas are implemented; Non-compliant tools are replaced | | | Implement SDN Programable Infrastructure; Implement SOAR Tools; Standardized API Calls & Schemas Pt2 |\r\n| 6.6.3 | Standardized API Calls & Schemas Pt2 | 6.6 API Standardization | Target Level ZT | 14.2 | DoD Organizations complete the migration to the new programmatic interface standard. Tools marked for decommission in the previous activity are retired and functions are migrated to modernized tools.
Approved schemas are adopted based on the DoD Enterprise
standard/requirements. | All calls and schemas are implemented | | Standardized API Calls & Schemas Pt1 | |\r\n| 6.7.1 | Workflow Enrichment Pt1 | 6.7 Security Operations Center (SOC) & Incident
Response (IR) | Target Level ZT | 7.3 | DoD Enterprise works with organizations to establish a cybersecurity incident response standard using industry best practices such as NIST. DoD Organizations utilize the enterprise standard to determine incident response workflows. External sources of enrichment are identified for future integration. | Threat events are identified; Workflows for threat events are developed | | | Implement SOAR Tools; Workflow Enrichment Pt2 |\r\n| 6.7.2 | Workflow Enrichment Pt2 | 6.7 Security Operations Center (SOC) & Incident
Response (IR) | Target Level ZT | 9.1 | DoD organizations identify and establish extended workflows for additional incident response types. Initial enrichment data sources are used for existing workflows. Additional enrichment sources are identified for future integrations. | Workflows for Advanced threat events are developed; Advanced Threat events are identified | SI-4 (7) automated response to suspicious events | Workflow Enrichment Pt1 | Workflow Enrichment Pt3 |\r\n| 6.7.3 | Workflow Enrichment Pt3 | 6.7 Security Operations Center (SOC) & Incident
Response (IR) | Advanced ZT | 12.4 | DoD organizations use final enrichment data sources on basic and extended threat response workflows. | Enrichment data has been identified; Enrichment data is integrated into workflows | | Workflow Enrichment Pt2 | Automated Workflow |\r\n| 6.7.4 | Automated Workflow | 6.7 Security Operations Center (SOC) & Incident
Response (IR) | Advanced ZT | 14.4 | DoD organizations focus on automating Security Orchestration, Automation and Response (SOAR) functions and playbooks. Manual processes within security operations are identified and fully automated as possible. Remaining manual processes are decommissioned when possible or marked for exception using a risk based approach. | Workflow processes are fully automated; Manual Processes have been identified; Remaining Processes are marked as exceptions and documented | MA-2 (2) automated maintenance activities; PE-8 (1) automated records maintenance and review; RA-5 (6) automated trend analysis; SC-7 (17) automated enforcement of protocol formats; SI-5 (1) automated alerts and advisories; SI-7 (2) automated notifications of integrity violations; SI-7 (5) automated response to integrity violations | Workflow Enrichment Pt3; Implement AI automation tools; Enterprise Integration & Workflow Provisioning Pt2 | Continuous Authorization to Operate (cATO) Pt2 |\r\n| 7.1.1 | Scale Considerations | 7.1 Log All Traffic (Network, Data, Apps,
Users) | Target Level ZT | 11.6 | DoD Organizations conduct analysis to determine current and future needs of scaling. Scaling is analyzed following common industry best practice methods and ZT Pillars. The team works with existing Business Continuity Planning (BCP) and Disaster Recovery Planning (DPR) groups to determine distributed environment needs in emergencies and as organizations grow. | Sufficient infrastructure in place; Distributed environment established; Sufficient bandwidth for network traffic | | | |\r\n| 7.1.2 | Log Parsing | 7.1 Log All Traffic (Network, Data, Apps,
Users) | Target Level ZT | 6.3 | DoD Organizations identify and prioritize log and flow sources (e.g., Firewalls, Endpoint Detection & Response, Active Directory, Switches, Routers, etc.) and develop a plan for collection of high priority logs first then low priority. An open industry-standard log format is agreed upon at the DoD Enterprise level with the Organizations and implemented in future procurement requirements. Existing solutions and technologies are migrated to the format on a continual basis. | Standardized log formats; Rules developed for each log format | | | Implement Analytics Tools; Asset ID & Alert Correlation |\r\n| 7.1.3 | Log Analysis | 7.1 Log All Traffic (Network, Data, Apps,
Users) | Target Level ZT | 10.3 | Common user and device activities are identified and prioritized based on risk. Activities deemed the most simplistic and risky have analytics created using different data sources such as logs. Trends and patterns are developed based on the analytics collected to look at activities over longer periods of time. | Develop analytics per activity; Identify activities to analyze | RA-5 (10) correlate scanning information; SI-4 (13) analyze traffic and event patterns; SI-4 (18) analyze traffic and covert exfiltration | | Establish User Baseline Behavior; User/Device Baselines; Baseline & Profiling Pt1 |\r\n| 7.2.1 | Threat Alerting Pt1 | 7.2 Security Information and Event Management
(SIEM) | Target Level ZT | 7.5 | DoD Organizations utilize existing Security Information and Event Management (SIEM) solution to develop basic rules and alerts for common threat events (malware, phishing, etc.) Alerts and/or rule firings are fed into the parallel β€œAsset ID & Alert Correlation” activity to being automation of responses. | Rules developed for threat correlation | | | Threat Alerting Pt2; Implement Extended Detection & Response (XDR) Tools and Integrate with C2C Pt1 |\r\n| 7.2.2 | Threat Alerting Pt2 | 7.2 Security Information and Event Management
(SIEM) | Target Level ZT | 16.5 | DoD Organizations expand threat alerting in the Security Information and Event Management (SIEM) solution to include Cyber Threat Intelligence (CTI) data feeds. Deviation and anomaly rules are developed in the SIEM to detect advanced threats. | Develop analytics to detect deviations | | Threat Alerting Pt1; Cyber Threat Intelligence Program Pt1 | Threat Alerting Pt3 |\r\n| 7.2.3 | Threat Alerting Pt3 | 7.2 Security Information and Event Management
(SIEM) | Advanced ZT | 12.9 | Threat Alerting is expanded to include advanced data sources such as Extended Detection & Response (XDR), User & Entity Behavior Analytics (UEBA), and User Activity Monitoring (UAM). These advanced data sources are used to develop improved anomalous and pattern activity detections. | Identify Triggering Anomalous Events; Implement Triggering Policy | AU-6 (6) correlation with physical monitoring; PE-6 (4) monitoring physical access to systems | Threat Alerting Pt2; Implement Extended Detection & Response (XDR) Tools and Integrate with C2C Pt2 | Continuous Authorization to Operate (cATO) Pt2 |\r\n| 7.2.4 | Asset ID & Alert Correlation | 7.2 Security Information and Event Management
(SIEM) | Target Level ZT | 10.2 | DoD Organizations develop basic correlation rules using asset and alert data. Response to common threat events (e.g., malware, phishing, etc.) are automated within the Security Information and Event Management (SIEM) solution. | Rules developed for asset ID based responses | | Log Parsing | |\r\n| 7.2.5 | User/Device Baselines | 7.2 Security Information and Event Management
(SIEM) | Target Level ZT | 13.0 | DoD Organizations develop user and device baseline approaches based on DoD Enterprise standards for the appropriate pillar. Attributes utilized in baselining are pulled from the enterprise wide standards developed in cross pillar activities. | Identify user and device baselines | | Implement User & Entity Behavior Activity (UEBA) and User Activity Monitoring (UAM) Tooling;
Log Analysis | User Activity Monitoring Pt1; Entity Activity Monitoring Pt1 |\r\n| 7.3.1 | Implement Analytics Tools | 7.3 Common Security and Risk Analytics | Target Level ZT | 12.1 | DoD Organizations procure and implement basic Cyber-focused analytics tools. Analytics development is prioritized based on risk and complexity looking for easy impactful analytics first. Continued analytics development focuses on Pillar requirements to better meet reporting needs. | Develop requirements for analytic environment; Procure and implement analytic tools | | Log Parsing | |\r\n| 7.3.2 | Establish User Baseline Behavior | 7.3 Common Security and Risk Analytics | Target Level ZT | 13.8 | Utilizing the analytics developed for users and devices in a parallel activity, baselines are established in a technical solution. These baselines are applied to an identified set of users based on risk initially and then expanded to the larger DoD Organization user base. The technical solution used is integrated with machine learning functionality to begin automation. | Identify users for baseline; Establish ML-based baselines | | Implement User & Entity Behavior Activity (UEBA)
and User Activity Monitoring (UAM) Tooling; Log Analysis | |\r\n| 7.4.1 | Baseline & Profiling Pt1 | 7.4 User and Entity Behavior Analytics | Target Level ZT | 12.3 | Utilizing the analytics developed for users and devices in a parallel activity, common profiles are created for typical user and device types.
Analytics taken from baselining are updated to look at larger
containers, profiles. | Develop analytics to detect changing threat conditions; Identify user and device threat profiles | | Implement User & Entity Behavior Activity (UEBA)
and User Activity Monitoring (UAM)
Tooling; Log Analysis | Baseline & Profiling Pt2; UEBA Baseline Support Pt 1 |\r\n| 7.4.2 | Baseline & Profiling Pt2 | 7.4 User and Entity Behavior Analytics | Advanced ZT | 22.7 | DoD Organizations expand baselines and profiles to include unmanaged and non-standard device types including Internet of Things (IoT) and Operational Technology (OT) through data output monitoring. These devices are again profiled based on standardized attributes and use cases. Analytics are updated to consider the new baselines and profiles accordingly enabling further detections and response. Specific risky users and devices are automatically prioritized for increased monitoring based on risk. Detection and response are integrated with cross pillar functionalities. | Add threat profiles for IoT and OT devices; Develop and extend analytics; Extend threat profiles to individual users and devices | | Baseline & Profiling Pt1 | |\r\n| 7.4.3 | UEBA Baseline Support Pt 1 | 7.4 User and Entity Behavior Analytics | Advanced ZT | 6.3 | User & Entity Behavior Analytics (UEBA) within DoD Organizations expands monitoring to advanced analytics such as Machine Learning (ML). These results are in turn reviewed and fed back into the ML algorithms to improve detection and response. | Implement ML-based Analytics to detect anomalies | RA-3 (4) predictive cyber analytics; SI-4
(25) optimize network traffic analysis | Baseline & Profiling Pt1 | AI-enabled Network Access; UEBA Baseline Support Pt2 |\r\n| 7.4.4 | UEBA Baseline Support Pt 2 | 7.4 User and Entity Behavior Analytics | Advanced ZT | 6.3 | User & Entity Behavior Analytics (UEBA) within DoD Organizations completes it expansion by using traditional and machine learning (ML) based results to be fed into Artificial Intelligence (AI) algorithms.
Initially AI based detections are supervised but ultimately using advanced techniques such as neural networks, UEBA operators are not
part of the learning process | Implement ML-based Analytics to detect anomalies | | UEBA Baseline Support Pt1 | |\r\n| 7.5.1 | Cyber Threat Intelligence Program Pt1 | 7.5 Threat Intelligence Integration | Target Level ZT | 9.9 | The DoD Enterprise works with the Organizations to develop and Cyber Threat Intelligence (CTI) program policy, standard and process.
Organizations utilize this documentation to develop organizational CTI teams with key mission/task stakeholders. CTI Teams integrate common feeds of data with the Security Information and Event Management (SIEM) for improved alerting and response. Integrations with Device and Network enforcement points (e.g., Firewalls, Endpoint Security Suites, etc.) are created to conduct basic monitoring of CTI
driven data. | Cyber Threat Intelligence team is in place with critical stakeholders; Public and Baseline CTI feeds are being utilized by SIEM for alerting; Basic integration points exist with Device and Network enforcement points (e.g., NGAV, NGFW, NG-IPS) | AU-6 (5) integrated analysis of audit records; SI-4 (17) integrated situational awareness | | Cyber Threat Intelligence Program Pt2;
Threat Alerting Pt 2 |\r\n| 7.5.2 | Cyber Threat Intelligence Program Pt2 | 7.5 Threat Intelligence Integration | Target Level ZT | 19.5 | DoD Organizations expand their Cyber Threat Intelligence (CTI) teams to include new stakeholders as appropriate. Authenticated, private and controlled CTI data feeds are integrated into Security Information and Event Management (SIEM) and enforcement points from the Device, User, Network and Data pillars. | Cyber Threat Intelligence team is in place with extended stakeholders as appropriate; Controlled and Private feed are being utilized by SIEM and other appropriate Analytics tools for alerting and monitoring; Integration is in place for extended enforcement points within the Device, User, Network and Data pillars (UEBA, UAM) | AU-5 (2) real-time alerts; SI-6 (3) report verification results | Cyber Threat Intelligence Program Pt1 | |\r\n| 7.6.1 | AI-enabled Network Access | 7.6 Automated Dynamic Policies | Advanced ZT | 27.8 | DoD Organizations utilize the SDN Infrastructure and Enterprise Security Profiles to enable Artificial Intelligence (AI)/Machine Learning (ML) driven network access. Analytics from previous activities is used to teach the AI/ML algorithms improving decision making. | Network Access is AI driven based on environment analytics | SI-8 (3) continuous learning capability | UEBA Baseline Support Pt1; Periodic Authentication; Rule Based Dynamic Access Pt1
The following activities are to be completed in parallel: Comprehensive Data Activity Monitoring
User Activity Monitoring Pt2
Entity Activity Monitoring Pt2 | Real-Time Access Decisions; AI- enabled Dynamic Access Control |\r\n| 7.6.2 | AI-enabled Dynamic Access Control | 7.6 Automated Dynamic Policies | Advanced ZT | 24.4 | DoD Organizations utilize previous rule based dynamic access to teach Artificial Intelligence (AI)/Machine Learning (ML) algorithms to make access decision to various resources. The β€œAI-enabled Network Access” activity algorithms are updated to enable broader decision making to all DAAS. | JIT/JEA are integrated with AI; Access is AI driven based on environment analytics | | Continuous Authentication Pt2; AI- enabled Network Access |\t|", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "DoDZT", + "comparison": "isEqualTo", + "value": "Activities" + }, + "name": "ZTActivities" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [Recommended Data Connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\r\n---\r\n\r\nAfter onboarding Microsoft Sentinel into your workspace, connect data sources to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many connectors for Microsoft products, available out of the box and providing real-time integration. For example, service-to-service connectors include Microsoft 365 Defender connectors and Microsoft 365 sources, such as Office 365, Azure Active Directory (Azure AD), Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Check out these references if you're new to Microsoft Sentinel." 
+ }, + "customWidth": "40", + "name": "NS Guide" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "10", + "name": "text - 2" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "b1cd1f8a-e807-4deb-93f4-7812e5ed014a", + "linkTarget": "OpenBlade", + "linkLabel": "Data Connectors >>", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorsBlade", + "extensionName": "Microsoft_Azure_Security_Insights" + } + } + ] + }, + "customWidth": "20", + "name": "EL0" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "nav", + "links": [ + { + "id": "b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722", + "cellValue": "https://docs.microsoft.com/azure/sentinel/best-practices", + "linkTarget": "Url", + "linkLabel": "Best Practices", + "style": "link" + }, + { + "id": "1bad541e-219a-4277-9510-876b0e8cad51", + "cellValue": "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-all-in-one-accelerator/ba-p/1807933", + "linkTarget": "Url", + "linkLabel": "Microsoft Sentinel All-In-One Accelerator", + "style": "link" + }, + { + "id": "7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31", + "cellValue": "https://docs.microsoft.com/learn/browse/?wt.mc_id=resilience_skilling_webpage_gdc&terms=sentinel", + "linkTarget": "Url", + "linkLabel": "Microsoft Sentinel Training", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "links - 29" + } + ], + "exportParameters": true + }, + "name": "group - 7" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Event Logging (EL0) Connectors", + "style": "info" + }, + "name": "text - 13" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure Activity 
Connector](https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "909d0019-23cb-43ad-8285-9f1dca1cd1be", + "version": "KqlParameterItem/1.0", + "name": "AzureActivity", + "label": "Status", + "type": 1, + "query": "AzureActivity\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "58cc25ab-a9af-4516-99e1-fa22e0637a76", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureActivity" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "33", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure Active Directory (AAD) Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + 
"version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "23ba579d-c894-43be-9fe1-d1b04bc34d7a", + "version": "KqlParameterItem/1.0", + "name": "SignInLogs", + "label": "Status", + "type": 1, + "query": "SigninLogs\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Active Directory" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "7c97e893-29f3-4d4c-a379-f220bb82518c", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureActiveDirectory" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure Active Directory (AAD) Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Office 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-office-365)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": 
"68bd12c8-e473-45d1-8bbc-2dd9f326ea69", + "version": "KqlParameterItem/1.0", + "name": "OfficeActivity", + "label": "Status", + "type": 1, + "query": "OfficeActivity\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "6a86eb8d-5487-4aad-ae7b-b526e68a249f", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "Office365" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Office 365 Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Microsoft Defender for Cloud Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-cloud)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "1673e4cf-354f-4a42-bed2-2374be47779e", + "version": "KqlParameterItem/1.0", + "name": "MDfC", + "label": "Status", + 
"type": 1, + "query": "SecurityAlert\r\n| where ProviderName == \"Azure Security Center\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "56600b70-0e55-433a-be86-b7c561bced8b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureSecurityCenter" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Microsoft Defender for Cloud Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Network Security Groups (NSG) Connector](https://docs.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "b17ce357-e8d5-4c7c-a4f0-765598462a1c", + "version": "KqlParameterItem/1.0", + "name": "NSG", + "label": "Status", + "type": 1, + "query": "AzureDiagnostics\r\n| where Category == 
\"NetworkSecurityGroupEvent\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "935bb630-1fce-4021-b7b4-c010b9e05973", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureNSG" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Network Security Groups (NSG) Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Windows Security Events (AMA) Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CAMA#windows-agent-based-connections)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "d9af27d9-8c90-4c85-a57f-f329257d9956", + "version": "KqlParameterItem/1.0", + "name": "AMA", + "label": "Status", + "type": 1, + "query": "SecurityEvent\r\n| limit 1\r\n| summarize count()\r\n| 
extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d002eb41-c632-429b-8504-846b69314620", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "WindowsSecurityEvents" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Windows Security Events (AMA) Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Security Events via Legacy Agent Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CLAA#windows-agent-based-connections)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "b2737fbc-c0e2-4584-9fba-ee7d057d7db0", + "version": "KqlParameterItem/1.0", + "name": "SecurityEvent", + "label": "Status", + "type": 1, + "query": "SecurityEvent\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ 
Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "9a8b0649-e79b-4a30-be25-4a5486f302ee", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "SecurityEvents" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Security Events via Legacy Agent Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [DNS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#windows-dns-server-preview)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc", + "version": "KqlParameterItem/1.0", + "name": "DNS", + "label": "Status", + "type": 1, + "query": "DnsEvents\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], 
+ "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "2d8731f5-c225-4a39-9914-6391b2c89ecb", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "DNS" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "DNS Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure Storage Accounts Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-storage-account)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "4f291c03-8d98-47b6-ba82-1282322bb7a5", + "version": "KqlParameterItem/1.0", + "name": "StorageLogs", + "label": "Status", + "type": 1, + "query": "StorageBlobLogs\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + 
"resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "6d9cd26b-3fcd-4556-b2eb-3dcb711c4de4", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureStorageAccount" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure Storage Logs Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Common Event Format (CEF) Connector](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "4fcf795c-75b8-4010-bd24-1d66511ff6e8", + "version": "KqlParameterItem/1.0", + "name": "CommonSecurityLog", + "label": "Status", + "type": 1, + "query": "CommonSecurityLog\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + 
"queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "452e02e1-b0c4-4b9b-8a54-bc9295db22b9", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "CEF" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Common Event Format (CEF) Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Syslog Connector](https://docs.microsoft.com/azure/sentinel/connect-syslog)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "fa63a08f-dd08-4e11-bcb6-c075a6d6c15c", + "version": "KqlParameterItem/1.0", + "name": "Syslog", + "label": "Status", + "type": 1, + "query": "Syslog\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - 
Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "021644a3-bd51-4b09-8117-017a89c71d58", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "Syslog" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Syslog Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Amazon Web Services (AWS) Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "18ed59f0-c497-44b1-94b7-8700051cf189", + "version": "KqlParameterItem/1.0", + "name": "AWS", + "label": "Status", + "type": 1, + "query": "AWSCloudTrail\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": 
"LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "393c465e-4398-428b-8da2-87ac07d8a987", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AWS" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Amazon Web Services (AWS) Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Amazon Web Services (AWS) S3 Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "AWSS3", + "label": "Status", + "type": 1, + "query": "AWSVPCFlow\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + 
"linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AwsS3" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Amazon Web Services (AWS) S3 Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Google Cloud Platform IAM Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#google-workspace-g-suite-preview)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "GCP", + "label": "Status", + "type": 1, + "query": "GCP_IAM_CL\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": 
"DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "1f2ba663-dd7a-49b6-87ba-0b8adf6d2d34" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Amazon Web Services (AWS) S3 Connector - Copy", + "styleSettings": { + "showBorder": true + } + } + ], + "exportParameters": true + }, + "name": "group - 5", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Basic Event Logging (EL1) Connectors", + "style": "info" + }, + "name": "text - 13" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Microsoft 365 Defender Connector](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "M365Defender", + "label": "Status", + "type": 1, + "query": "AlertEvidence\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 
11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "MicrosoftThreatProtection" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Microsoft 365 Defender Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Microsoft Defender for Endpoint Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-endpoint)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "MDE", + "label": "Status", + "type": 1, + "query": "SecurityAlert\r\n| where ProviderName == \"MDATP\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + 
"id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "MicrosoftDefenderAdvancedThreatProtection" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Microsoft 365 Defender Connector - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "AzureFirewall", + "label": "Status", + "type": 1, + "query": "AzureDiagnostics\r\n| where ResourceType == \"AZUREFIREWALLS\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + 
"linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureFirewall" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure Firewall Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Windows Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "WindowsFirewall", + "label": "Status", + "type": 1, + "query": "WindowsFirewall\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": 
"Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "WindowsFirewall" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Windows Firewall Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure Web Application Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-web-application-firewall-waf)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "AzureWAF", + "label": "Status", + "type": 1, + "query": "AzureDiagnostics | where ResourceType in (\"APPLICATIONGATEWAYS\", \"FRONTDOORS\", \"CDNWEBAPPLICATIONFIREWALLPOLICIES\", \"PROFILES\")\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": 
"Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "WAF" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure Web Application Firewall Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure SQL Databases Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-sql-databases)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc", + "version": "KqlParameterItem/1.0", + "name": "SQL", + "label": "Status", + "type": 1, + "query": "AzureDiagnostics | where Category contains \"SQL\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "2d8731f5-c225-4a39-9914-6391b2c89ecb", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": 
"AzureSql" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "SQL Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure Key Vault Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-key-vault)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "AzureKeyVault", + "label": "Status", + "type": 1, + "query": "AzureDiagnostics | where ResourceProvider == \"MICROSOFT.KEYVAULT\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureKeyVault" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + 
"name": "Azure Key Vault Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure DDoS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-ddos-protection)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "DDoS", + "label": "Status", + "type": 1, + "query": "AzureDiagnostics | where ResourceType == \"PUBLICIPADDRESSES\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "DDOS" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure DDoS Connector", + "styleSettings": { + 
"showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [VMware ESXi Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#vmware-esxi-preview)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "VMwareESXi", + "label": "Status", + "type": 1, + "query": "VMwareESXi\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "VMwareESXi" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "VMware ESXi Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { 
+ "type": 1, + "content": { + "json": "### [Microsoft Defender for Cloud: Continuous Export](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export?tabs=azure-portal)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "SecurityRecommendation", + "label": "Status", + "type": 1, + "query": "SecurityRecommendation\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Feature", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "SecurityMenuBlade", + "extensionName": "Microsoft_Azure_Security" + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Continuous Export Connector", + "styleSettings": { + "showBorder": true + } + } + ], + "exportParameters": true + }, + "name": "group - 6", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Intermediate Event Logging (EL2) Connectors", + "style": "info" + }, + "name": "text - 13" + 
}, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure Information Protection Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-information-protection-preview)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "InformationProtectionLogs_CL", + "type": 1, + "query": "InformationProtectionLogs_CL​​\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "label": "Status", + "value": null + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureInformationProtection" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure Information Protection Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": 
"NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Dynamics 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#dynamics-365)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "Dynamics365Activity", + "label": "Status", + "type": 1, + "query": "Dynamics365Activity\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "Dynamics365" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Dynamics 365 Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure Kubernetes Service (AKS) 
Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-kubernetes-service-aks)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "AKS", + "label": "Status", + "type": 1, + "query": "AzureDiagnostics\r\n| where Category == \"kube-audit\"\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureKubernetes" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure Kubernetes Service (AKS) Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Qualys Vulnerability Management 
Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#qualys-vulnerability-management-vm-preview)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "Qualys", + "label": "Status", + "type": 1, + "query": "QualysHostDetection_CL\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "QualysVulnerabilityManagement" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Qualys Vulnerability Management Connector", + "styleSettings": { + "showBorder": true + } + } + ], + "exportParameters": true + }, + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "## Advanced Event Logging (EL3) Connectors", + 
"style": "info" + }, + "name": "text - 13" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Entity Behavior (UEBA)](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "BehaviorAnalytics", + "label": "Status", + "type": 1, + "query": "BehaviorAnalytics​​\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Feature", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "EntitySearchBlade", + "extensionName": "Microsoft_Azure_Security_Insights" + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Entity Behavior (UEBA) Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Azure Active Directory Identity Protection 
Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "AADIP", + "label": "Status", + "type": 1, + "query": "SecurityAlert | where ProductName == \"Azure Active Directory Identity Protection\"​​\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "AzureActiveDirectoryIdentityProtection" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Azure Active Directory Identity Protection Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Threat Intelligence TAXII 
Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-taxii)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "TAXII", + "label": "Status", + "type": 1, + "query": "ThreatIntelligenceIndicator | where SourceSystem !in (\"SecurityGraph\", \"Microsoft sentinel\", \"Microsoft Sentinel\") ​​\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "ThreatIntelligenceTaxii" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Threat Intelligence TAXII Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Threat Intelligence Platform 
Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-tip)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "ThreatIntelligence", + "label": "Status", + "type": 1, + "query": "ThreatIntelligenceIndicator | where SourceSystem in (\"SecurityGraph\", \"Microsoft sentinel\", \"Microsoft Sentinel\") ​​\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "ThreatIntelligence" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Threat Intelligence Platform Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Microsoft Defender for IoT 
Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-iot)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "MD4IOT", + "label": "Status", + "type": 1, + "query": "SecurityAlert | where ProductName == \"Azure Security Center for IoT\"​​\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "IoT" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Microsoft Defender for IoT Connector", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "### [Microsoft Purview: Insider Risk Management 
Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview-insider-risk-management-irm-preview)" + }, + "customWidth": "33", + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "548cdd92-87c3-4e69-be08-52ecca0f76a8", + "version": "KqlParameterItem/1.0", + "name": "IRM", + "label": "Status", + "type": 1, + "query": "SecurityAlert\r\n| where ProductName == \"Microsoft 365 Insider Risk Management\"​​\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"❌ Not Connected\", \"βœ… Connected\")\r\n| project Results", + "crossComponentResources": [ + "{Workspace}" + ], + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "33", + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "d9b9144c-69bc-4eb2-a747-a9e0d206780b", + "linkTarget": "OpenBlade", + "linkLabel": "Enable Connector", + "style": "secondary", + "bladeOpenContext": { + "bladeName": "DataConnectorBlade", + "extensionName": "Microsoft_Azure_Security_Insights", + "bladeParameters": [ + { + "name": "dataConnectorId", + "source": "static", + "value": "OfficeIRM" + } + ] + } + } + ] + }, + "customWidth": "33", + "name": "EL0" + } + ], + "exportParameters": true + }, + "name": "Microsoft Purview: Insider Risk Management Connector", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "name": "group - 6" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "ifess2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Recommended Data Connectors - Copy" + } + 
], + "fromTemplateId": "sentinel-DoDZeroTrust", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +}