diff --git a/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml b/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml index 27e3efd4f07..b27848acd0d 100644 --- a/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml +++ b/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml @@ -2,7 +2,7 @@ id: a1bddaf8-982b-4089-ba9e-6590dfcf80ea name: Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) description: | This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack. - This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. + This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. severity: Low requiredDataConnectors: - connectorId: SquidProxy @@ -49,7 +49,7 @@ customDetails: alertDetailsOverride: alertDisplayNameFormat: Excessive number of HTTP authentication failures from {{SrcIpAddr} alertDescriptionFormat: A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack. -version: 1.0.5 +version: 1.0.6 kind: Scheduled metadata: source: diff --git a/Detections/CommonSecurityLog/Wazuh-Large_Number_of_Web_errors_from_an_IP.yaml b/Detections/CommonSecurityLog/Wazuh-Large_Number_of_Web_errors_from_an_IP.yaml index d8a72cfb8ff..d9fd12d3c7b 100644 --- a/Detections/CommonSecurityLog/Wazuh-Large_Number_of_Web_errors_from_an_IP.yaml 
+++ b/Detections/CommonSecurityLog/Wazuh-Large_Number_of_Web_errors_from_an_IP.yaml @@ -1,7 +1,7 @@ id: 2790795b-7dba-483e-853f-44aa0bc9c985 name: Wazuh - Large Number of Web errors from an IP description: | - 'Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst' + 'Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://documentation.wazuh.com/current/cloud-security/azure/index.html' severity: Low requiredDataConnectors: [] queryFrequency: 1d @@ -31,7 +31,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: SourceIP -version: 1.0.4 +version: 1.0.5 kind: Scheduled metadata: source: diff --git a/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml b/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml index f3fca03815b..8c3b7e2efab 100644 --- a/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml +++ b/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml @@ -3,7 +3,7 @@ name: ADFS DKM Master Key Export description: | 'Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1 + https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor To understand further the details behind this detection, please review the details in the original PR and subequent PR update to this: https://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469 https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339 
@@ -85,7 +85,7 @@ entityMappings: fieldMappings: - identifier: ResourceId columnName: _ResourceId -version: 1.2.1 +version: 1.2.2 kind: Scheduled metadata: source: diff --git a/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml b/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml index f06da824d91..8a9a004fff4 100644 --- a/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml +++ b/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml @@ -7,7 +7,6 @@ description: | Failed to resolve scalar expression named "[@Name]" For more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/. The query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details. - - ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml - ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml' severity: Medium requiredDataConnectors: @@ -158,7 +157,7 @@ entityMappings: columnName: HostName - identifier: NTDomain columnName: HostNameDomain -version: 1.1.3 +version: 1.1.4 kind: Scheduled metadata: source: diff --git a/Detections/SecurityEvent/AdminSDHolder_Modifications.yaml b/Detections/SecurityEvent/AdminSDHolder_Modifications.yaml index 10244703125..7e5b7a1d834 100644 --- a/Detections/SecurityEvent/AdminSDHolder_Modifications.yaml +++ b/Detections/SecurityEvent/AdminSDHolder_Modifications.yaml 
@@ -4,7 +4,7 @@ description: | 'This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. AdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory. This query searches for the event id 5136 where the Object DN is AdminSDHolder. - Ref: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence' + Ref: https://netwrix.com/en/cybersecurity-glossary/cyber-security-attacks/adminsdholder-attack/' severity: High requiredDataConnectors: - connectorId: SecurityEvents @@ -43,7 +43,7 @@ entityMappings: columnName: HostName - identifier: DnsDomain columnName: HostNameDomain -version: 1.0.4 +version: 1.0.5 kind: Scheduled metadata: source: diff --git a/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml b/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml index fcda17ca213..84d743b5446 100644 --- a/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml +++ b/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml @@ -4,7 +4,7 @@ description: | 'This query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. This log is commonly found at C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog on the Exchange server. Details on collecting custom logs into Sentinel - can be found here: https://learn.microsoft.com/azure/sentinel/connect-custom-logs + can be found here: https://learn.microsoft.com/en-us/azure/sentinel/connect-custom-logs-ama severity: Medium requiredDataConnectors: [] queryFrequency: 1d 
@@ -35,7 +35,7 @@ entityMappings: columnName: HostName - identifier: DnsDomain columnName: HostNameDomain -version: 1.0.2 +version: 1.0.3 kind: Scheduled metadata: source: diff --git a/Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToRDSDatabase.yaml b/Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToRDSDatabase.yaml index b815050750c..4964dc8e069 100644 --- a/Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToRDSDatabase.yaml +++ b/Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToRDSDatabase.yaml @@ -4,8 +4,7 @@ description: | 'Amazon Relational Database Service (RDS) is scalable relational database in the cloud. If your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) Once alerts triggered, validate if changes observed are authorized and adhere to change control policy. - More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 - and RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html' + RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html' severity: Low status: Available requiredDataConnectors: @@ -47,5 +46,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: SourceIpAddress -version: 1.0.3 +version: 1.0.4 kind: Scheduled diff --git a/Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToVPC.yaml b/Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToVPC.yaml index 0651abbda58..aa5317b661d 100644 --- a/Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToVPC.yaml +++ b/Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToVPC.yaml 
@@ -2,9 +2,8 @@ id: 65360bb0-8986-4ade-a89d-af3cf44d28aa name: Changes to Amazon VPC settings description: | 'Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. - This identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways. - More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 - and AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html' + This identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways. + AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html' severity: Low status : Available requiredDataConnectors: @@ -50,5 +49,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: SourceIpAddress -version: 1.0.6 +version: 1.0.7 kind: Scheduled diff --git a/Solutions/Amazon Web Services/Analytic Rules/AWS_IngressEgressSecurityGroupChange.yaml b/Solutions/Amazon Web Services/Analytic Rules/AWS_IngressEgressSecurityGroupChange.yaml index 7a2f0a63aec..21ebff611d4 100644 --- a/Solutions/Amazon Web Services/Analytic Rules/AWS_IngressEgressSecurityGroupChange.yaml +++ b/Solutions/Amazon Web Services/Analytic Rules/AWS_IngressEgressSecurityGroupChange.yaml 
@@ -2,8 +2,7 @@ id: 4f19d4e3-ec5f-4abc-9e61-819eb131758c name: Changes to AWS Security Group ingress and egress settings description: | 'A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. - Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors. - More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255. ' + Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors. ' severity: Low status: Available requiredDataConnectors: @@ -47,5 +46,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: SourceIpAddress -version: 1.0.3 +version: 1.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Amazon Web Services/Analytic Rules/AWS_LoadBalancerSecGroupChange.yaml b/Solutions/Amazon Web Services/Analytic Rules/AWS_LoadBalancerSecGroupChange.yaml index 4ff777e596e..127362600f2 100644 --- a/Solutions/Amazon Web Services/Analytic Rules/AWS_LoadBalancerSecGroupChange.yaml +++ b/Solutions/Amazon Web Services/Analytic Rules/AWS_LoadBalancerSecGroupChange.yaml @@ -3,8 +3,7 @@ name: Changes to AWS Elastic Load Balancer security groups description: | 'Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring. - More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 - and https://aws.amazon.com/elasticloadbalancing/. ' + More information: https://aws.amazon.com/elasticloadbalancing/. ' severity: Low status: Available requiredDataConnectors: 
@@ -48,5 +47,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: SourceIpAddress -version: 1.0.3 +version: 1.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Amazon Web Services/Hunting Queries/AWS_IAM_PrivilegeEscalationbyAttachment.yaml b/Solutions/Amazon Web Services/Hunting Queries/AWS_IAM_PrivilegeEscalationbyAttachment.yaml index 98eecc598ce..c45efe86069 100644 --- a/Solutions/Amazon Web Services/Hunting Queries/AWS_IAM_PrivilegeEscalationbyAttachment.yaml +++ b/Solutions/Amazon Web Services/Hunting Queries/AWS_IAM_PrivilegeEscalationbyAttachment.yaml @@ -5,7 +5,7 @@ description: | Identifies when existing role is removed and new/existing high privileged role is added to instance profile. Any instance with this instance profile attached is able to perform privileged operations. AWS Instance Profile: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html - and CloudGoat - IAM PrivilegeEscalation by Attachment: https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios/iam_privesc_by_attachment ' + and CloudGoat - IAM PrivilegeEscalation by Attachment: https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/cloudgoat/scenarios/aws/iam_privesc_by_attachment ' requiredDataConnectors: - connectorId: AWS dataTypes: diff --git a/Solutions/Amazon Web Services/Package/3.0.8.zip b/Solutions/Amazon Web Services/Package/3.0.8.zip new file mode 100644 index 00000000000..36f1018d5ba Binary files /dev/null and b/Solutions/Amazon Web Services/Package/3.0.8.zip differ diff --git a/Solutions/Amazon Web Services/Package/createUiDefinition.json b/Solutions/Amazon Web Services/Package/createUiDefinition.json index e41ae3e4800..b8aa7d2c061 100644 --- a/Solutions/Amazon Web Services/Package/createUiDefinition.json +++ b/Solutions/Amazon Web Services/Package/createUiDefinition.json 
@@ -74,7 +74,7 @@ "name": "dataconnectors3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Solution installs the data connector for Amazon Web Services. You can get Amazon Web Services data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Amazon Web Services S3 WAF. You can get Amazon Web Services S3 WAF data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { @@ -180,7 +180,7 @@ "name": "analytic1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Amazon Relational Database Service (RDS) is scalable relational database in the cloud.\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service)\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html" + "text": "Amazon Relational Database Service (RDS) is scalable relational database in the cloud.\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service)\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy.\nRDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html" } } ] 
@@ -194,7 +194,7 @@ "name": "analytic2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html" + "text": "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways. \nAWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html" } } ] @@ -278,7 +278,7 @@ "name": "analytic8-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic.\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255. " + "text": "A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic.\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors. " } } ] 
@@ -292,7 +292,7 @@ "name": "analytic9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications.\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \n and https://aws.amazon.com/elasticloadbalancing/. " + "text": "Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications.\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\n More information: https://aws.amazon.com/elasticloadbalancing/. " } } ] 
@@ -1086,7 +1086,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance start.\nIdentifies when existing role is removed and new/existing high privileged role is added to instance profile. \nAny instance with this instance profile attached is able to perform privileged operations.\nAWS Instance Profile: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html \nand CloudGoat - IAM PrivilegeEscalation by Attachment: https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios/iam_privesc_by_attachment This hunting query depends on AWS AWSS3 data connector (AWSCloudTrail AWSCloudTrail Parser or Table)" + "text": "An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance start.\nIdentifies when existing role is removed and new/existing high privileged role is added to instance profile. \nAny instance with this instance profile attached is able to perform privileged operations.\nAWS Instance Profile: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html \nand CloudGoat - IAM PrivilegeEscalation by Attachment: https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/cloudgoat/scenarios/aws/iam_privesc_by_attachment This hunting query depends on AWS AWSS3 data connector (AWSCloudTrail AWSCloudTrail Parser or Table)" } } ] diff --git a/Solutions/Amazon Web Services/Package/mainTemplate.json b/Solutions/Amazon Web Services/Package/mainTemplate.json index a367207d74a..00852465243 100644 --- a/Solutions/Amazon Web Services/Package/mainTemplate.json +++ b/Solutions/Amazon Web Services/Package/mainTemplate.json 
@@ -61,7 +61,7 @@ }, "variables": { "_solutionName": "Amazon Web Services", - "_solutionVersion": "3.0.7", + "_solutionVersion": "3.0.8", "solutionId": "azuresentinel.azure-sentinel-solution-amazonwebservices", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "AWS", 
@@ -103,18 +103,18 @@ "_workbookContentId2": "[variables('workbookContentId2')]", "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.3", + "analyticRuleVersion1": "1.0.4", "_analyticRulecontentId1": "8c2ef238-67a0-497d-b1dd-5c8a0f533e25", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8c2ef238-67a0-497d-b1dd-5c8a0f533e25')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8c2ef238-67a0-497d-b1dd-5c8a0f533e25')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8c2ef238-67a0-497d-b1dd-5c8a0f533e25','-', '1.0.3')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8c2ef238-67a0-497d-b1dd-5c8a0f533e25','-', '1.0.4')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.6", + "analyticRuleVersion2": "1.0.7", "_analyticRulecontentId2": "65360bb0-8986-4ade-a89d-af3cf44d28aa", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '65360bb0-8986-4ade-a89d-af3cf44d28aa')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('65360bb0-8986-4ade-a89d-af3cf44d28aa')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','65360bb0-8986-4ade-a89d-af3cf44d28aa','-', '1.0.6')))]" + "_analyticRulecontentProductId2": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','65360bb0-8986-4ade-a89d-af3cf44d28aa','-', '1.0.7')))]" }, "analyticRuleObject3": { "analyticRuleVersion3": "1.0.4", 
@@ -152,18 +152,18 @@ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','826bb2f8-7894-4785-9a6b-a8a855d8366f','-', '1.0.4')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.3", + "analyticRuleVersion8": "1.0.4", "_analyticRulecontentId8": "4f19d4e3-ec5f-4abc-9e61-819eb131758c", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4f19d4e3-ec5f-4abc-9e61-819eb131758c')]", "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4f19d4e3-ec5f-4abc-9e61-819eb131758c')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4f19d4e3-ec5f-4abc-9e61-819eb131758c','-', '1.0.3')))]" + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4f19d4e3-ec5f-4abc-9e61-819eb131758c','-', '1.0.4')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.3", + "analyticRuleVersion9": "1.0.4", "_analyticRulecontentId9": "c7bfadd4-34a6-4fa5-82f8-3691a32261e8", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c7bfadd4-34a6-4fa5-82f8-3691a32261e8')]", "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c7bfadd4-34a6-4fa5-82f8-3691a32261e8')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c7bfadd4-34a6-4fa5-82f8-3691a32261e8','-', '1.0.3')))]" + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c7bfadd4-34a6-4fa5-82f8-3691a32261e8','-', '1.0.4')))]" }, "analyticRuleObject10": { "analyticRuleVersion10": "1.0.3", @@ -728,7 +728,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Amazon Web Services data connector with template version 3.0.7", + "description": "Amazon Web Services data connector with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -885,7 +885,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Amazon Web Services data connector with template version 3.0.7", + "description": "Amazon Web Services data connector with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -1893,7 +1893,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AmazonWebServicesNetworkActivities Workbook with template version 3.0.7", + "description": "AmazonWebServicesNetworkActivities Workbook with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -1980,7 +1980,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AmazonWebServicesUserActivities Workbook with template version 3.0.7", + "description": "AmazonWebServicesUserActivities Workbook with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -2067,7 +2067,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ChangeToRDSDatabase_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_ChangeToRDSDatabase_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -2081,7 +2081,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Amazon Relational Database Service (RDS) is scalable relational database in the cloud.\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service)\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html", + "description": "Amazon Relational Database Service (RDS) is scalable relational database in the cloud.\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service)\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy.\nRDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html", "displayName": "Changes to internet facing AWS RDS Database instances", "enabled": false, "query": "let EventNameList = dynamic([\"AuthorizeDBSecurityGroupIngress\",\"CreateDBSecurityGroup\",\"DeleteDBSecurityGroup\",\"RevokeDBSecurityGroupIngress\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\n| extend AccountName = case( UserIdentityPrincipalid == \"Anonymous\", \"Anonymous\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\n| extend AccountName = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 0)[0]), AccountName),\n AccountUPNSuffix = iif(AccountName contains \"@\", 
tostring(split(AccountName, '@', 1)[0]), \"\")\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTimeUtc\n", @@ -2193,7 +2193,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ChangeToVPC_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_ChangeToVPC_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -2207,7 +2207,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html", + "description": "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways. \nAWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html", "displayName": "Changes to Amazon VPC settings", "enabled": false, "query": "let EventNameList = dynamic([\"CreateNetworkAclEntry\",\"CreateRoute\",\"CreateRouteTable\",\"CreateInternetGateway\",\"CreateNatGateway\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| where EventSource != \"apigateway.amazonaws.com\"\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\n| extend AccountName = case( UserIdentityPrincipalid == \"Anonymous\", \"Anonymous\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\n| extend AccountName = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 0)[0]), AccountName),\n AccountUPNSuffix = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 1)[0]), \"\")\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTimeUtc\n", @@ -2321,7 +2321,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ClearStopChangeTrailLogs_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_ClearStopChangeTrailLogs_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -2447,7 +2447,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ConfigServiceResourceDeletion_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_ConfigServiceResourceDeletion_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -2577,7 +2577,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ConsoleLogonWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_ConsoleLogonWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -2706,7 +2706,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CredentialHijack_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_CredentialHijack_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -2832,7 +2832,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_FullAdminPolicyAttachedToRolesUsersGroups_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_FullAdminPolicyAttachedToRolesUsersGroups_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -2959,7 +2959,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_IngressEgressSecurityGroupChange_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_IngressEgressSecurityGroupChange_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", 
@@ -2973,7 +2973,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic.\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255. ", + "description": "A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic.\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors. ", "displayName": "Changes to AWS Security Group ingress and egress settings", "enabled": false, "query": "let EventNameList = dynamic([ \"AuthorizeSecurityGroupEgress\", \"AuthorizeSecurityGroupIngress\", \"RevokeSecurityGroupEgress\", \"RevokeSecurityGroupIngress\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\n| extend AccountName = case( UserIdentityPrincipalid == \"Anonymous\", \"Anonymous\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\n| extend AccountName = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 0)[0]), AccountName),\n AccountUPNSuffix = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 1)[0]), \"\")\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)\nby EventSource, EventName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\n| extend timestamp = 
StartTimeUtc\n", @@ -3085,7 +3085,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_LoadBalancerSecGroupChange_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_LoadBalancerSecGroupChange_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", 
@@ -3099,7 +3099,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications.\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \n and https://aws.amazon.com/elasticloadbalancing/. ", + "description": "Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications.\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\n More information: https://aws.amazon.com/elasticloadbalancing/. ", "displayName": "Changes to AWS Elastic Load Balancer security groups", "enabled": false, "query": "let EventNameList = dynamic([\"ApplySecurityGroupsToLoadBalancer\", \"SetSecurityGroups\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\n| extend AccountName = case( UserIdentityPrincipalid == \"Anonymous\", \"Anonymous\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\n| extend AccountName = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 0)[0]), AccountName),\n AccountUPNSuffix = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 1)[0]), \"\")\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)\nby EventSource, EventName, UserIdentityType, SourceIpAddress, UserAgent, SessionMfaAuthenticated, 
AWSRegion,\nAdditionalEventData, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\n| extend timestamp = StartTimeUtc\n", @@ -3211,7 +3211,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_AWS_ConsoleLogonWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "NRT_AWS_ConsoleLogonWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -3336,7 +3336,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_GuardDuty_template_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_GuardDuty_template_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", 
@@ -3417,17 +3417,17 @@ } ], "customDetails": { + "ResourceTypeAffected": "ResourceTypeAffected", + "ThreatFamilyName": "ThreatFamilyName", "Artifact": "Artifact", "DetectionMechanism": "DetectionMechanism", - "ThreatPurpose": "ThreatPurpose", - "ResourceTypeAffected": "ResourceTypeAffected", - "ThreatFamilyName": "ThreatFamilyName" + "ThreatPurpose": "ThreatPurpose" }, "alertDetailsOverride": { "alertSeverityColumnName": "Severity", - "alertDescriptionFormat": "{{Description}}", + "alertDisplayNameFormat": "{{Title}}", "alertTacticsColumnName": "ThreatPurpose", - "alertDisplayNameFormat": "{{Title}}" + "alertDescriptionFormat": "{{Description}}" } } }, @@ -3481,7 +3481,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ECRContainerHigh_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_ECRContainerHigh_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -3601,7 +3601,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_SuspiciousCommandEC2_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_SuspiciousCommandEC2_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", 
@@ -3721,7 +3721,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_APIfromTor_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_APIfromTor_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", @@ -3841,7 +3841,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_GuardDutyDisabled_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_GuardDutyDisabled_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", @@ -3961,7 +3961,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedCloudFormationPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_CreatedCloudFormationPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", 
@@ -4081,7 +4081,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedCRUDDyanmoDBPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_CreatedCRUDDyanmoDBPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", @@ -4201,7 +4201,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedCRUDIAMtoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_CreatedCRUDIAMtoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", @@ -4321,7 +4321,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedCRUDKMSPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_CreatedCRUDKMSPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", 
@@ -4441,7 +4441,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedCRUDS3PolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_CreatedCRUDS3PolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", @@ -4561,7 +4561,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedCURDLambdaPolicytoPrivilegEscalation_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_CreatedCURDLambdaPolicytoPrivilegEscalation_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", @@ -4681,7 +4681,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedDataPipelinePolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_CreatedDataPipelinePolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", 
@@ -4801,7 +4801,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedEC2PolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_CreatedEC2PolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", @@ -4921,7 +4921,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedGluePolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_CreatedGluePolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", @@ -5041,7 +5041,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedLambdaPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_CreatedLambdaPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", 
@@ -5161,7 +5161,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreatedSSMPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_CreatedSSMPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", @@ -5281,7 +5281,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreationofEncryptKeysWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_CreationofEncryptKeysWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", @@ -5401,7 +5401,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_EC2StartupShellScriptChanged_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_EC2StartupShellScriptChanged_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", 
@@ -5517,7 +5517,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_S3ObjectExfiltrationByAnonymousUser_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_S3ObjectExfiltrationByAnonymousUser_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", @@ -5633,7 +5633,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ECRImageScanningDisabled_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_ECRImageScanningDisabled_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", @@ -5753,7 +5753,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_LogTampering_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_LogTampering_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", 
@@ -5873,7 +5873,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_NetworkACLOpenToAllPorts_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_NetworkACLOpenToAllPorts_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", @@ -5993,7 +5993,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_OverlyPermessiveKMS_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_OverlyPermessiveKMS_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", @@ -6113,7 +6113,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegeEscalationAdministratorAccessManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_PrivilegeEscalationAdministratorAccessManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", 
@@ -6233,7 +6233,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegeEscalationAdminManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_PrivilegeEscalationAdminManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", @@ -6353,7 +6353,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegeEscalationFullAccessManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_PrivilegeEscalationFullAccessManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", @@ -6473,7 +6473,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegeEscalationViaCloudFormationPolicy_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_PrivilegeEscalationViaCloudFormationPolicy_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", 
@@ -6593,7 +6593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegeEscalationviaCRUDDynamoDB_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_PrivilegeEscalationviaCRUDDynamoDB_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", @@ -6713,7 +6713,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegeEscalationViaCRUDIAMPolicy_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_PrivilegeEscalationViaCRUDIAMPolicy_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", @@ -6833,7 +6833,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegeEscalationViaCRUDKMSPolicy_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_PrivilegeEscalationViaCRUDKMSPolicy_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", 
@@ -6953,7 +6953,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegeEscalationViaCRUDLambdaPolicy_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_PrivilegeEscalationViaCRUDLambdaPolicy_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]", @@ -7073,7 +7073,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegeEscalationViaCRUDS3Policy_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_PrivilegeEscalationViaCRUDS3Policy_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]", @@ -7193,7 +7193,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegeEscalationViaDataPipeline_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_PrivilegeEscalationViaDataPipeline_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]", 
@@ -7313,7 +7313,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegeEscalationViaEC2Policy_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_PrivilegeEscalationViaEC2Policy_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]", @@ -7433,7 +7433,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegeEscalationViaGluePolicy_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_PrivilegeEscalationViaGluePolicy_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]", @@ -7553,7 +7553,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegeEscalationViaLambdaPolicy_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_PrivilegeEscalationViaLambdaPolicy_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]", 
@@ -7673,7 +7673,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegeEscalationViaSSM_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_PrivilegeEscalationViaSSM_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]", @@ -7793,7 +7793,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_RDSInstancePubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_RDSInstancePubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]", @@ -7913,7 +7913,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_S3BruteForce_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_S3BruteForce_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]", 
@@ -8033,7 +8033,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_S3BucketAccessPointExposed_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_S3BucketAccessPointExposed_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]", @@ -8153,7 +8153,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_S3BucketExposedviaACL_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_S3BucketExposedviaACL_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]", @@ -8273,7 +8273,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_S3BucketExposedviaPolicy_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_S3BucketExposedviaPolicy_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject52').analyticRuleVersion52]", 
@@ -8393,7 +8393,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_S3ObjectPubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_S3ObjectPubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject53').analyticRuleVersion53]", @@ -8513,7 +8513,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_S3Ransomware_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_S3Ransomware_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject54').analyticRuleVersion54]", @@ -8633,7 +8633,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_SAMLUpdateIdentity_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_SAMLUpdateIdentity_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject55').analyticRuleVersion55]", 
@@ -8753,7 +8753,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_SetDefaulyPolicyVersion_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_SetDefaulyPolicyVersion_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject56').analyticRuleVersion56]", @@ -8873,7 +8873,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_SSMPubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_SSMPubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject57').analyticRuleVersion57]", @@ -8993,7 +8993,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousAWSCLICommandExecution_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "SuspiciousAWSCLICommandExecution_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject58').analyticRuleVersion58]", 
@@ -9065,8 +9065,8 @@ ], "customDetails": { "AWSUser": "UserIdentityUserName", - "SuspiciousCommand": "commands", - "AWSUserIp": "SourceIpAddress" + "AWSUserIp": "SourceIpAddress", + "SuspiciousCommand": "commands" } } }, @@ -9120,7 +9120,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousAWSEC2ComputeResourceDeployments_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "SuspiciousAWSEC2ComputeResourceDeployments_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject59').analyticRuleVersion59]", @@ -9190,8 +9190,8 @@ ], "customDetails": { "AWSUser": "UserIdentityArn", - "UserAgent": "UserAgent", - "SourceIpAddress": "SourceIpAddress" + "SourceIpAddress": "SourceIpAddress", + "UserAgent": "UserAgent" } } }, @@ -9245,7 +9245,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_UserAccessKeyCreated_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_UserAccessKeyCreated_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject60').analyticRuleVersion60]", 
@@ -9361,7 +9361,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_UserIAMEnumeration_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_UserIAMEnumeration_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject61').analyticRuleVersion61]", @@ -9477,7 +9477,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_UnauthorizedInstanceSetUpAttempt_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "AWS_UnauthorizedInstanceSetUpAttempt_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject62').analyticRuleVersion62]", @@ -9593,7 +9593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_IAM_PolicyChange_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_IAM_PolicyChange_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -9677,7 +9677,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_IAM_PrivilegeEscalationbyAttachment_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_IAM_PrivilegeEscalationbyAttachment_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -9698,7 +9698,7 @@ "tags": [ { "name": "description", - "value": "An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance start.\nIdentifies when existing role is removed and new/existing high privileged role is added to instance profile. \nAny instance with this instance profile attached is able to perform privileged operations.\nAWS Instance Profile: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html \nand CloudGoat - IAM PrivilegeEscalation by Attachment: https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios/iam_privesc_by_attachment " + "value": "An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance start.\nIdentifies when existing role is removed and new/existing high privileged role is added to instance profile. \nAny instance with this instance profile attached is able to perform privileged operations.\nAWS Instance Profile: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html \nand CloudGoat - IAM PrivilegeEscalation by Attachment: https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/cloudgoat/scenarios/aws/iam_privesc_by_attachment " }, { "name": "tactics", 
@@ -9761,7 +9761,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PrivilegedRoleAttachedToInstance_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_PrivilegedRoleAttachedToInstance_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -9845,7 +9845,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_SuspiciousCredentialTokenAccessOfValid_IAM_Roles_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_SuspiciousCredentialTokenAccessOfValid_IAM_Roles_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -9929,7 +9929,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_Unused_UnsupportedCloudRegions_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_Unused_UnsupportedCloudRegions_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", 
@@ -10013,7 +10013,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_EC2_WithoutKeyPair_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_EC2_WithoutKeyPair_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -10097,7 +10097,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_AssumeRoleBruteForce_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_AssumeRoleBruteForce_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -10181,7 +10181,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_BucketVersioningSuspended_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_BucketVersioningSuspended_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", 
@@ -10265,7 +10265,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreateAccessKey_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_CreateAccessKey_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -10349,7 +10349,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_CreateLoginProfile_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_CreateLoginProfile_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -10433,7 +10433,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ECRContainerLow_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_ECRContainerLow_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]", 
@@ -10517,7 +10517,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ECRContainerMedium_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_ECRContainerMedium_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]", @@ -10601,7 +10601,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ExcessiveExecutionofDiscoveryEvents_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_ExcessiveExecutionofDiscoveryEvents_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]", @@ -10685,7 +10685,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_FailedBruteForceS3Bucket_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_FailedBruteForceS3Bucket_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject14').huntingQueryVersion14]", 
@@ -10769,7 +10769,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_FailedBruteForceWithoutMFA_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_FailedBruteForceWithoutMFA_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]", @@ -10853,7 +10853,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_IAMAccsesDeniedDiscoveryEvents_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_IAMAccsesDeniedDiscoveryEvents_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject16').huntingQueryVersion16]", @@ -10937,7 +10937,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_IAMUserGroupChanges_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_IAMUserGroupChanges_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject17').huntingQueryVersion17]", 
@@ -11021,7 +11021,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_LambdaFunctionThrottled_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_LambdaFunctionThrottled_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject18').huntingQueryVersion18]", @@ -11105,7 +11105,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_LambdaLayerImportedExternalAccount_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_LambdaLayerImportedExternalAccount_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject19').huntingQueryVersion19]", @@ -11189,7 +11189,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_LambdaUpdateFunctionCode_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_LambdaUpdateFunctionCode_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject20').huntingQueryVersion20]", 
@@ -11273,7 +11273,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_LoginProfileUpdated_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_LoginProfileUpdated_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject21').huntingQueryVersion21]", @@ -11357,7 +11357,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ModificationofRouteTableAttributes_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_ModificationofRouteTableAttributes_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject22').huntingQueryVersion22]", @@ -11441,7 +11441,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ModificationofSubnetAttributes_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_ModificationofSubnetAttributes_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject23').huntingQueryVersion23]", 
@@ -11525,7 +11525,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_ModificationofVPCAttributes_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_ModificationofVPCAttributes_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject24').huntingQueryVersion24]", @@ -11609,7 +11609,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_NetworkACLDeleted_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_NetworkACLDeleted_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject25').huntingQueryVersion25]", @@ -11693,7 +11693,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_NewRootAccessKey_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_NewRootAccessKey_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject26').huntingQueryVersion26]", 
@@ -11777,7 +11777,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_PolicywithExcessivePermissions_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_PolicywithExcessivePermissions_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject27').huntingQueryVersion27]", @@ -11861,7 +11861,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_RDSMasterPasswordChanged_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_RDSMasterPasswordChanged_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject28').huntingQueryVersion28]", @@ -11945,7 +11945,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_RiskyRoleName_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_RiskyRoleName_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject29').huntingQueryVersion29]", 
@@ -12029,7 +12029,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_S3BucketDeleted_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_S3BucketDeleted_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject30').huntingQueryVersion30]", @@ -12113,7 +12113,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_S3BucketEncryptionModified_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_S3BucketEncryptionModified_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject31').huntingQueryVersion31]", @@ -12197,7 +12197,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_STStoEC2_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_STStoEC2_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject32').huntingQueryVersion32]", 
@@ -12281,7 +12281,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_STStoECS_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_STStoECS_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject33').huntingQueryVersion33]", @@ -12365,7 +12365,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_STStoGlue_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_STStoGlue_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject34').huntingQueryVersion34]", @@ -12449,7 +12449,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_STStoKWN_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_STStoKWN_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject35').huntingQueryVersion35]", 
@@ -12533,7 +12533,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AWS_STStoLambda_HuntingQueries Hunting Query with template version 3.0.7", + "description": "AWS_STStoLambda_HuntingQueries Hunting Query with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject36').huntingQueryVersion36]", @@ -12613,7 +12613,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.7", + "version": "3.0.8", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Amazon Web Services", diff --git a/Solutions/Amazon Web Services/ReleaseNotes.md b/Solutions/Amazon Web Services/ReleaseNotes.md index dc03b4ee016..7de22308108 100644 --- a/Solutions/Amazon Web Services/ReleaseNotes.md +++ b/Solutions/Amazon Web Services/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.0.8 | 13-01-2026 | Updated non-functional links from **Analytic rules** and **Hunting query** | | 3.0.7 | 28-07-2025 | Fix ChangeToVPC **Analytic Rule** to ensure it excludes changes to API Gateway | | 3.0.6 | 13-06-2025 | Updated Amazon Web Services S3 Data connector to include details for the default output format. | | 3.0.5 | 10-02-2025 | Repackaged to fix ccp grid showing only 1 record and rename of file | 
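Review bot: The new 3.0.8 row added to ReleaseNotes.md ("Updated non-functional links from **Analytic rules** and **Hunting query**") does not say which rules, queries or URLs were changed, and the mainTemplate.json hunks above only bump the "template version 3.0.7" description strings and the solution "version", so nothing in this patch lets a reviewer verify the link fix. Suggest naming the affected content items and the replaced links in the Change History cell, e.g. `| 3.0.8 | 13-01-2026 | Replaced broken reference links in <rule names> analytic rules and <query names> hunting queries |`, so the change is auditable from the release notes alone.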
diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Package/3.1.1.zip b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Package/3.1.1.zip new file mode 100644 index 00000000000..a25e3a46e8b Binary files /dev/null and b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Package/3.1.1.zip differ diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Package/mainTemplate.json b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Package/mainTemplate.json index fbfdccc70f3..5d0e2349895 100644 --- a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Package/mainTemplate.json +++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "CybersecurityMaturityModelCertification(CMMC)2.0", - "_solutionVersion": "3.1.0", + "_solutionVersion": "3.1.1", "solutionId": "azuresentinel.azure-sentinel-solution-cmmcv2", "_solutionId": "[variables('solutionId')]", "analyticRuleObject1": { @@ -101,7 +101,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CMMC2.0Level1FoundationalPosture_AnalyticalRules Analytics Rule with template version 3.1.0", + "description": "CMMC2.0Level1FoundationalPosture_AnalyticalRules Analytics Rule with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -127,7 +127,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "Discovery" ], 
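Review bot: The hunk at @@ -127 removes `"requiredDataConnectors": [],` from the CMMC2.0Level1FoundationalPosture analytic rule template instead of leaving the empty array (the same removal appears at @@ -224 for the Level 2 rule), which is a template-shape change unrelated to the 3.1.0 to 3.1.1 version bump. Confirm this came from regenerating the package from the rule YAML rather than a hand edit of mainTemplate.json; otherwise the next repackage will reintroduce the property and produce a noisy diff. If omitting it is intentional, the 3.1.1 Change History entry should say so, since it is the only behavioural change visible in these hunks besides the version strings.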
@@ -136,13 +135,13 @@ ], "entityMappings": [ { + "entityType": "URL", "fieldMappings": [ { - "columnName": "URLCustomEntity", - "identifier": "Url" + "identifier": "Url", + "columnName": "URLCustomEntity" } - ], - "entityType": "URL" + ] } ] } @@ -198,7 +197,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CMMC2.0Level2AdvancedPosture_AnalyticalRules Analytics Rule with template version 3.1.0", + "description": "CMMC2.0Level2AdvancedPosture_AnalyticalRules Analytics Rule with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -224,7 +223,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "Discovery" ], @@ -233,13 +231,13 @@ ], "entityMappings": [ { + "entityType": "URL", "fieldMappings": [ { - "columnName": "URLCustomEntity", - "identifier": "Url" + "identifier": "Url", + "columnName": "URLCustomEntity" } - ], - "entityType": "URL" + ] } ] } @@ -295,7 +293,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Notify-GovernanceComplianceTeam-CMMCV2 Playbook with template version 3.1.0", + "description": "Notify-GovernanceComplianceTeam-CMMCV2 Playbook with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", 
@@ -562,7 +560,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Create-AzureDevOpsTask-CMMCV2 Playbook with template version 3.1.0", + "description": "Create-AzureDevOpsTask-CMMCV2 Playbook with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -786,7 +784,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CreateJiraIssue-CMMCV2 Playbook with template version 3.1.0", + "description": "CreateJiraIssue-CMMCV2 Playbook with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -1001,7 +999,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CybersecurityMaturityModelCertification_CMMCV2 Workbook with template version 3.1.0", + "description": "CybersecurityMaturityModelCertification_CMMCV2 Workbook with template version 3.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -1019,7 +1017,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Getting Started\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\",\"value\":\"No\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureLighthouse\",\"label\":\"🔦 Azure Lighthouse\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\",\"value\":\"No\",\"id\":\"2872d4c0-b938-4e7d-8722-e72df7f7c01e\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, 
false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true},\"value\":{\"durationMs\":604800000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/hK7zcBDNp8)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"## Getting Started\\r\\nThis solution is designed to augment staffing through automation, query/alerting generation, and visualizations. This solution leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with Cybersecurity Maturity Model Certification 2.0 control requirements. 
A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and maturity level. This offering telemetry from 25+ Microsoft Security products, while only Microsoft Sentinel/Microsoft Defender for Cloud are required to get started, each offering provides additional enrichment for aligning with control requirements. Each CMMC 2.0 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
\\r\\n\\r\\n### [Recommended Microsoft Sentinel Roles](https://docs.microsoft.com/azure/sentinel/roles) / [Recommended Microsoft Defender for Cloud Roles](https://docs.microsoft.com/azure/defender-for-cloud/permissions#roles-and-allowed-actions)\\r\\n| Roles | Rights | \\r\\n|:--|:--|\\r\\n|Security Reader | View Workbooks, Analytics, Hunting, Security Recommendations |\\r\\n|Security Contributor| Deploy/Modify Workbooks, Analytics, Hunting Queries, Apply Security Recommendations |\\r\\n|Owner| Assign Regulatory Compliance Initiatives|\\r\\n\\r\\n### Onboarding Prerequisites \\r\\n1️⃣ [Access Microsoft 365 Compliance Manager: Assessments](https://compliance.microsoft.com/compliancemanager?viewid=Assessments)
\\r\\n2️⃣ [Planning: Review Microsoft Product Placemat for CMMC 2.0](https://aka.ms/cmmc/productplacemat)
\\r\\n3️⃣ [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\\r\\n4️⃣ [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n5️⃣ [Add the Microsoft Defender for Cloud: NIST SP 800 171 R2 Assessment to Your Dashboard](https://docs.microsoft.com/azure/security-center/update-regulatory-compliance-packages#add-a-regulatory-standard-to-your-dashboard)
\\r\\n6️⃣ [Continuously Export Security Center Data to Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/continuous-export)
\\r\\n7️⃣ [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\\r\\n8️⃣ [Review Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
\\r\\n\\r\\n### Print/Export Report\\r\\n1️⃣ Set Background Theme: Settings > Appearance > Theme: Azure > Apply
\\r\\n2️⃣ Print/Export Report: More Content Actions (...) > Print Content
\\r\\n3️⃣ Settings: Layout (Landscape), Pages (All), Print (One Sided), Scale (60), Pages Per Sheet (1), Quality (1,200 DPI), Margins (None) > Print
\\r\\n4️⃣ Executive Summary: Microsoft Defender for Cloud > Regulatory Compliance > Download Report > Report Standard (NIST SP 800 171 R2), Format (PDF)\\r\\n\\r\\nThe Microsoft Sentinel CMMC 2.0 Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. The solution outlines controls across Levels 1-2. All accreditation requirements and decisions are governed by the 💡[CMMC Accreditation Body](https://www.cmmcab.org/c3pao-lp). This solution provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations and query modification for operation. Recommendations should be considered a starting point for planning full or partial coverage of respective control requirements. \",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"56\",\"name\":\"Help\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://www.acq.osd.mil/cmmc/imgs/cmmc2-levels-st.png) \\r\\nFor more information, see the💡[CMMC Model](https://www.acq.osd.mil/cmmc/index.html)\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"43.6\",\"name\":\"text - 29\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"managedservicesresources\\r\\n| where type == \\\"microsoft.managedservices/registrationassignments\\\"\\r\\n| where properties.provisioningState == \\\"Succeeded\\\"\\r\\n| extend ManageeTenantName = properties.registrationDefinition.properties.manageeTenantName\\r\\n| extend ManageeTenantId = properties.registrationDefinition.properties.manageeTenantId\\r\\n| extend ManagedByTenantName = properties.registrationDefinition.properties.managedByTenantName\\r\\n| extend ManagedByTenantId = 
properties.registrationDefinition.properties.managedByTenantId\\r\\n| extend PermanentAccess = properties.registrationDefinition.properties.authorizations\\r\\n| extend JITAccess = properties.registrationDefinition.properties.eligibleAuthorizations\\r\\n| extend AddedDate = properties.registrationDefinition.systemData.createdAt\\r\\n| extend CreatedBy = systemData.createdBy\\r\\n| project ManageeTenantName, ManageeTenantId, ManagedByTenantName, ManagedByTenantId, AddedDate, CreatedBy\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Lighthouse Delegations\",\"noDataMessage\":\"No Azure Lighthouse Delegations/Customers Detected\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ManageeTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Download\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManagedByTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Upload\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AddedDate\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Clock\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PermanentAccess\",\"formatter\":1},{\"columnMatch\":\"JITAccess\",\"formatter\":1}],\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"AzureLighthouse\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 21 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cybersecurity Maturity Model Certification (CMMC) 
2.0](https://www.acq.osd.mil/cmmc/index.html)\\n---\\n\\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/assessment/reporting, (2) Analytics rules for monitoring and (3) Playbooks for response/remediation. CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.\\n\"},\"name\":\"Workbook Overview\"}]},\"name\":\"group - 29\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-cybersecurity-maturity-model/ba-p/3295095\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/-_a5HxJgriE\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"customWidth\":\"50\",\"name\":\"links - 29\"}]},\"customWidth\":\"78.8\",\"name\":\"group - 27\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel 
Logo\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Executive Summary\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AS\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Controls Crosswalk\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RCA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Awareness & Training\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AT\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Audit & Accountability\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU\\\\\\\" },\\\\r\\\\n { \\\\\\\"Control Family\\\\\\\": \\\\\\\"Configuration Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Identification & Authentication\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Incident Response\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IR\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"tab2\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"Control Family 
\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7b682fc9-cb6b-4475-a24c-41dcb43d0cef\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isASVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"086e8f81-2a72-4e52-acab-40631bb21ed5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRCAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RCA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b2d05502-68c5-4d0c-8caa-d5e439a2b9ac\"},{\"id\":\"c01e6494-1f74-4194-88b3-c98bbabdf84f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU\",\"resultValType\":\"static\",\"resultVa
l\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"696bf441-12c0-45db-918c-215a1170f18e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isATVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AT\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"02596750-83d0-48ad-b9e0-2897e262ab29\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCMVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"a932ee8a-1039-4482-9fc8-ed79fe6f2ebb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"2822f61e-a9f8-4419-87b6-f7b06a032cc2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIRVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"stat
ic\",\"rightVal\":\"IR\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Maintenance\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Media Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MP\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Personnel Security\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PS\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Physical Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PE\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Risk Assessment\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RM\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Security Assessment\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"System & Communications Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"System & Information Integrity\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"Control Family - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"308bde5a-386f-4674-a712-26e31436b12e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MP\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"24021387-ba53-41a3-80ff-a3c23429d82d\"},{\"id\":\"e18bc9ef-6479-4eda-807a-b47f58f5f2f1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"PS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"401a85db-1c90-45b4-86d2-3e5439784818\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPEVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"PE\",\"resultValType\":\"static\",\"resultVal\
":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRMVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RM\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"0af0cea9-8f28-4850-b48e-93a195efa02b\"},{\"id\":\"e9fdb883-980a-4147-b494-43f7137f7131\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"c16d4f92-ce1a-4ff0-9576-23b39836e95d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI\",\"resultValType\":\"static\",
\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9637281c-861a-4ba6-90cd-6650f187f00c\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Executive Summary](https://docs.microsoft.com/azure/defender-for-cloud/regulatory-compliance-dashboard)\\r\\n---\\r\\n\\r\\nThis section leverages Microsoft Defender for Cloud: Regulatory Compliance for policy assessments. Find, fix, and resolve CMMC 2.0 recommendations aligned to the NIST SP 800-171 Regulatory Compliance Initiative. A selector provides capability to filter by all, specific, or groups of controls by level. Upon selection, subordinate panels will summarize recommendations by control family, status over time, recommendations, and resources identified.\"},\"customWidth\":\"40\",\"name\":\"NS Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 11\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"99a47f97-1aa4-4840-91ee-119aad6d6217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Level\",\"label\":\"CMMC 2.0 Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityRegulatoryCompliance\\r\\n| where ComplianceStandard == \\\"NIST-SP-800-171-R2\\\"\\r\\n| extend Level=iff(ComplianceControl in (\\\"3.1.1\\\",\\\"3.1.2\\\",\\\"3.1.20\\\",\\\"3.1.22\\\",\\\"3.4.1\\\",\\\"3.5.2\\\",\\\"3.5.2\\\",\\\"3.8.3\\\",\\\"3.13.1\\\",\\\"3.13.5\\\",\\\"3.14.1\\\",\\\"3.14.2\\\",\\\"3.14.4\\\",\\\"3.14.5\\\"), \\\"Level 1: 
Foundational\\\",\\\"Level 2: Advanced\\\")\\r\\n| summarize count() by Level\\r\\n| project-away count_\\r\\n| sort by Level asc\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"parameters - 26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", 
regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend TimeGenerated = tostring(properties1.status.statusChangeDate)\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName\\r\\n| extend Level=iff(controlId in (\\\"3.1.1\\\",\\\"3.1.2\\\",\\\"3.1.20\\\",\\\"3.1.22\\\",\\\"3.4.1\\\",\\\"3.5.2\\\",\\\"3.5.2\\\",\\\"3.8.3\\\",\\\"3.13.1\\\",\\\"3.13.5\\\",\\\"3.14.1\\\",\\\"3.14.2\\\",\\\"3.14.4\\\",\\\"3.14.5\\\"), \\\"Level 1: Foundational\\\",\\\"Level 2: Advanced\\\")\\r\\n| where Level in ({Level})\\r\\n | summarize arg_max(TimeGenerated, *) by RecommendationName, Level, tostring(RecommendationLink), tostring(state), tostring(complianceState)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\") by Level\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | project Level, Total, PassedControls, Passed, Failed\\r\\n | sort by Total, Passed desc\\r\\n \",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Level\",\"noDataMessage\":\"Confirm the Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is Enabled. 
See https://docs.microsoft.com/azure/defender-for-cloud/update-regulatory-compliance-packages\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Total\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", 
resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\") by RecommendationName, ControlID = controlId\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == 
\\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink, name) on RecommendationName\\r\\n | extend Level=iff(ControlID in (\\\"3.1.1\\\",\\\"3.1.2\\\",\\\"3.1.20\\\",\\\"3.1.22\\\",\\\"3.4.1\\\",\\\"3.5.2\\\",\\\"3.5.2\\\",\\\"3.8.3\\\",\\\"3.13.1\\\",\\\"3.13.5\\\",\\\"3.14.1\\\",\\\"3.14.2\\\",\\\"3.14.4\\\",\\\"3.14.5\\\"), \\\"Level 1: Foundational\\\",\\\"Level 2: Advanced\\\")\\r\\n | where Level in ({Level})\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, name\\r\\n | sort by Total, Passed desc\\r\\n | limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations \",\"noDataMessage\":\"Confirm the Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is Enabled. 
See https://docs.microsoft.com/azure/defender-for-cloud/update-regulatory-compliance-packages\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Total\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"name\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == 
\\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend TimeGenerated = tostring(properties1.status.statusChangeDate)\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", 
extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend Level=iff(controlId in (\\\"3.1.1\\\",\\\"3.1.2\\\",\\\"3.1.20\\\",\\\"3.1.22\\\",\\\"3.4.1\\\",\\\"3.5.2\\\",\\\"3.5.2\\\",\\\"3.8.3\\\",\\\"3.13.1\\\",\\\"3.13.5\\\",\\\"3.14.1\\\",\\\"3.14.2\\\",\\\"3.14.4\\\",\\\"3.14.5\\\"), \\\"Level 1: Foundational\\\",\\\"Level 2: Advanced\\\")\\r\\n | where Level in ({Level})\\r\\n| summarize arg_max(TimeGenerated, *) by RecommendationName, Level, tostring(RecommendationLink), tostring(state), tostring(complianceState)\\r\\n| distinct RecommendationName, resourceId, tostring(state), tostring(complianceState)\\r\\n| summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by resourceId\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| where Failed > 0\\r\\n| project AssessedResourceId=resourceId, Total, PassedControls, Passed, Failed\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Asset\",\"noDataMessage\":\"No Recommendations Observed Within These Thresholds. 
Confirm the Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is Enabled\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AssessedResourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Total\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"resourceId\",\"formatter\":13,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Remediate >>\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRegulatoryCompliance\\r\\n| where ComplianceStandard == \\\"NIST-SP-800-171-R2\\\"\\r\\n| extend Level=iff(ComplianceControl in (\\\"3.1.1\\\",\\\"3.1.2\\\",\\\"3.1.20\\\",\\\"3.1.22\\\",\\\"3.4.1\\\",\\\"3.5.2\\\",\\\"3.5.2\\\",\\\"3.8.3\\\",\\\"3.13.1\\\",\\\"3.13.5\\\",\\\"3.14.1\\\",\\\"3.14.2\\\",\\\"3.14.4\\\",\\\"3.14.5\\\"), \\\"Level 1: Foundational\\\",\\\"Level 2: Advanced\\\")\\r\\n| where Level in ({Level})\\r\\n| where State == \\\"Failed\\\"\\r\\n| make-series count() default=0 on 
TimeGenerated from startofday({TimeRange:start}) to startofday({TimeRange:end}) step 1d by Level\\r\\n| render timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations over Time\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: SecurityRegulatoryCompliance and SecurityRecommendation Data Tables are Onboarded to Your Microsoft Sentinel Workspace. See https://docs.microsoft.com/azure/defender-for-cloud/continuous-export\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"ControlID\",\"formatter\":1},{\"columnMatch\":\"Recommendation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation >\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", 
extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend TimeGenerated = tostring(properties1.status.statusChangeDate)\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == 
\\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend Level=iff(controlId in (\\\"3.1.1\\\",\\\"3.1.2\\\",\\\"3.1.20\\\",\\\"3.1.22\\\",\\\"3.4.1\\\",\\\"3.5.2\\\",\\\"3.5.2\\\",\\\"3.8.3\\\",\\\"3.13.1\\\",\\\"3.13.5\\\",\\\"3.14.1\\\",\\\"3.14.2\\\",\\\"3.14.4\\\",\\\"3.14.5\\\"), \\\"Level 1: Foundational\\\",\\\"Level 2: Advanced\\\")\\r\\n | where Level in ({Level})\\r\\n| summarize arg_max(TimeGenerated, *) by RecommendationName, Level, tostring(RecommendationLink), tostring(state), controlId, tostring(severity)\\r\\n| where resourceId <> \\\"\\\"\\r\\n| project ResourceID=resourceId, RecommendationName, Severity=tostring(severity), CurrentState=tostring(state), RecommendationLink=tostring(RecommendationLink), name, FirstObserved=TimeGenerated\\r\\n| distinct ResourceID, RecommendationName, Severity, CurrentState, RecommendationLink, FirstObserved, name\\r\\n| where CurrentState == \\\"Unhealthy\\\"\\r\\n| extend Rank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, 0)))\\r\\n| sort by Rank desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Current Recommendation Details\",\"noDataMessage\":\"Confirm the Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is Enabled. 
See https://docs.microsoft.com/azure/defender-for-cloud/update-regulatory-compliance-packages\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceID\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlID\",\"formatter\":1},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"Recommendation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"name\"}]}}},{\"columnMatch\":\"name\",\"formatter\":5},{\"columnMatch\":\"FirstObserved\",\"formatter\":6},{\"columnMatch\":\"Rank\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 
8\"}]},\"conditionalVisibility\":{\"parameterName\":\"isASVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Assessment\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Regulatory Compliance Alignment](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-171-r2)\\r\\n---\\r\\nControls crosswalk provides a mapping of CMMC 2.0 controls across additional compliance frameworks. This provides free-text search capabilities mapping numerous frameworks including NIST SP 800-171 R2 and NIST SP 800-53 R4. There is also a mapping for primary and secondary services which aligns with the Microsoft Technical Reference Guide for CMMC 2.0.\"},\"customWidth\":\"40\",\"name\":\"Controls Mapping\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Crosswalk = datatable([\\\"Control Name\\\"]: string, [\\\"Control Number\\\"]: string, [\\\"Control Family\\\"]: string, [\\\"NIST SP 800-171 R2\\\"]: string, [\\\"NIST SP 800-53 R4\\\"]: string, [\\\"Primary Services\\\"]: string, [\\\"Secondary Services\\\"]: string) [\\r\\n\\\"Authorized Access Control\\\",\\t\\\"AC.L1-3.1.1\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.1\\\",\\t\\\"AC-2 | AC-3 | AC-17\\\",\\t\\\"Microsoft Defender for Cloud | Azure Active Directory | Microsoft Endpoint Manager\\\",\\t\\\"Conditional Access | Customer Lockbox | Azure AD Privileged Identity Management | Microsoft Defender for Office 365\\\",\\r\\n\\\"Transaction & Function Control\\\",\\t\\\"AC.L1-3.1.2\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.2\\\",\\t\\\"AC-2 | AC-3 | AC-17\\\",\\t\\\"Microsoft Defender for Cloud | Azure Active Directory | Azure AD Privileged Identity Management\\\",\\t\\\"Network Security Groups | Conditional Access | GitHub Enterprise Cloud | GitHub AE\\\",\\r\\n\\\"External Connections\\\",\\t\\\"AC.L1-3.1.20\\\",\\t\\\"Access 
Control\\\",\\t\\\"3.1.20\\\",\\t\\\"AC-20 | AC-20(1)\\\",\\t\\\"Microsoft Defender for Cloud | Azure Active Directory\\\",\\t\\\"Microsoft Azure Portal | Azure Firewall | Network Security Groups | Conditional Access | Microsoft Endpoint Manager\\\",\\r\\n\\\"Control Public Information\\\",\\t\\\"AC.L1-3.1.22\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.22\\\",\\t\\\"AC-22\\\",\\t\\\"Microsoft Endpoint Manager\\\",\\t\\\"Microsoft Sentinel\\\",\\r\\n\\\"Control CUI Flow\\\",\\t\\\"AC.L2-3.1.3\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.3\\\",\\t\\\"AC-4\\\",\\t\\\"Azure Web Application Firewall | Azure Information Protection | Microsoft 365 Compliance Manager | Microsoft Defender for Cloud\\\",\\t\\\"Network Security Groups | Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps | Microsoft Defender for Identity\\\",\\r\\n\\\"Separation of Duties\\\",\\t\\\"AC.L2-3.1.4\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.4\\\",\\t\\\"AC-5\\\",\\t\\\"Azure Active Directory | Microsoft Defender for Cloud\\\",\\t\\\"Azure AD Privileged Identity Management\\\",\\r\\n\\\"Least Privilege\\\",\\t\\\"AC.L2-3.1.5\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.5\\\",\\t\\\"AC-6 | AC-6(1) | AC-6(5)\\\",\\t\\\"Azure AD Privileged Identity Management | Microsoft Defender for Cloud\\\",\\t\\\"Azure Active Directory | GitHub Enterprise Cloud | GitHub AE\\\",\\r\\n\\\"Non-Privileged Account Use\\\",\\t\\\"AC.L2-3.1.6\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.6\\\",\\t\\\"AC-6(2)\\\",\\t\\\"Azure Active Directory | Microsoft Defender for Cloud\\\",\\t\\\"Azure AD Privileged Identity Management\\\",\\r\\n\\\"Privileged Functions\\\",\\t\\\"AC.L2-3.1.7\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.7\\\",\\t\\\"AC-6(9) | AC-6(10)\\\",\\t\\\"Azure Active Directory | Azure AD Privileged Identity Management | Microsoft Defender for Cloud\\\",\\t\\\"Microsoft Endpoint Manager | Microsoft Defender for Office 365 | Microsoft 365 Compliance Manager\\\",\\r\\n\\\"Unsuccessful Logon 
Attempts\\\",\\t\\\"AC.L2-3.1.8\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.8\\\",\\t\\\"AC-7\\\",\\t\\\"Azure Active Directory | Microsoft Defender for Identity | Microsoft Sentinel\\\",\\t\\\"Password Protection for Azure AD\\\",\\r\\n\\\"Privacy & Security Notices\\\",\\t\\\"AC.L2-3.1.9\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.9\\\",\\t\\\"AC-8\\\",\\t\\\"Microsoft Azure Portal | Virtual Machines\\\",\\t\\\"Azure Active Directory\\\",\\r\\n\\\"Session Lock\\\",\\t\\\"AC.L2-3.1.10\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.10\\\",\\t\\\"AC-11 | AC-11(1)\\\",\\t\\\"Microsoft Azure Portal | Virtual Machines | Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"Session Termination\\\",\\t\\\"AC.L2-3.1.11\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.11\\\",\\t\\\"AC-12\\\",\\t\\\"Microsoft Azure Portal | Azure AD Privileged Identity Management\\\",\\t\\\"Application Gateway | Azure Bastion\\\",\\r\\n\\\"Control Remote Access\\\",\\t\\\"AC.L2-3.1.12\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.12\\\",\\t\\\"AC-17(1)\\\",\\t\\\"Azure Active Directory | Microsoft Defender for Cloud | Microsoft Sentinel | Azure Bastion\\\",\\t\\\"Microsoft Azure Portal | Azure ExpressRoute | Network Security Groups | Conditional Access | Intune/Microsoft Endpoint Manager | Microsoft Defender for Office 365\\\",\\r\\n\\\"Remote Access Confidentiality\\\",\\t\\\"AC.L2-3.1.13\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.13\\\",\\t\\\"AC-17(2)\\\",\\t\\\"Microsoft Azure Portal | Azure Active Directory\\\",\\t\\\"Load Balancer | Azure Multi-Factor Authentication\\\",\\r\\n\\\"Remote Access Routing\\\",\\t\\\"AC.L2-3.1.14\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.14\\\",\\t\\\"AC-17(3)\\\",\\t\\\"Azure Bastion | VPN Gateway | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure ExpressRoute | Azure Front Door | Named Locations | Network Security Groups | Azure Web Application Firewall | Conditional Access\\\",\\r\\n\\\"Privileged Remote Access\\\",\\t\\\"AC.L2-3.1.15\\\",\\t\\\"Access 
Control\\\",\\t\\\"3.1.15\\\",\\t\\\"AC-17(4)\\\",\\t\\\"Azure Active Directory | Azure AD Privileged Identity Management\\\",\\t\\\"Named Locations | Azure Virtual Machines | Conditional Access | Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Wireless Access Authorization\\\",\\t\\\"AC.L2-3.1.16\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.16\\\",\\t\\\"AC-18\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"Wireless Access Protection\\\",\\t\\\"AC.L2-3.1.17\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.17\\\",\\t\\\"AC-18(1)\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"Mobile Device Connection\\\",\\t\\\"AC.L2-3.1.18\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.18\\\",\\t\\\"AC-19\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"Encrypt CUI on Mobile\\\",\\t\\\"AC.L2-3.1.19\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.19\\\",\\t\\\"AC-19(5)\\\",\\t\\\"Conditional Access | Intune/Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"Portable Storage Use\\\",\\t\\\"AC.L2-3.1.21\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.21\\\",\\t\\\"AC-20(2)\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"Named Locations\\\",\\r\\n\\\"Role-Based Risk Awareness\\\",\\t\\\"AT.L2-3.2.1\\\",\\t\\\"Awareness & Training\\\",\\t\\\"3.2.1\\\",\\t\\\"AT-2 | AT-3\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Learn\\\",\\r\\n\\\"Role-Based Training\\\",\\t\\\"AT.L2-3.2.2\\\",\\t\\\"Awareness & Training\\\",\\t\\\"3.2.2\\\",\\t\\\"AT-2 | AT-4\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Learn\\\",\\r\\n\\\"Insider Threat Awareness\\\",\\t\\\"AT.L2-3.2.3\\\",\\t\\\"Awareness & Training\\\",\\t\\\"3.2.3\\\",\\t\\\"AT-2(2)\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Learn\\\",\\r\\n\\\"User Accountability\\\",\\t\\\"AU.L2-3.3.2\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.2\\\",\\t\\\"AU-2 | AU-3 | AU-3(1) | AU-6 | AU-11 | AU-12\\\",\\t\\\"Microsoft Sentinel\\\",\\t\\\"Intune/Microsoft Endpoint Manager | O365 Security and Compliance\\\",\\r\\n\\\"Event 
Review\\\",\\t\\\"AU.L2-3.3.3\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.3\\\",\\t\\\"AU-2(3)\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Sentinel | Azure Active Directory | Intune/Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps | O365 Security and Compliance\\\",\\r\\n\\\"Audit Failure Alerting\\\",\\t\\\"AU.L2-3.3.4\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.4\\\",\\t\\\"AU-5\\\",\\t\\\"Microsoft Sentinel\\\",\\t\\\"Azure Active Directory | Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Audit Correlation\\\",\\t\\\"AU.L2-3.3.5\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.5\\\",\\t\\\"AU-6(3)\\\",\\t\\\"Microsoft Sentinel | Microsoft Defender for Cloud Apps | Microsoft 365 Defender\\\",\\t\\\"Log Analytics Workspace | Microsoft Defender for Cloud Apps | Microsoft Defender for Identity | O365 Security and Compliance | Microsoft Defender for Cloud\\\",\\r\\n\\\"Reduction & Reporting\\\",\\t\\\"AU.L2-3.3.6\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.6\\\",\\t\\\"AU-7\\\",\\t\\\"Microsoft Defender for Cloud | Microsoft Sentinel\\\",\\t\\\"Log Analytics Workspace | Azure Active Directory | O365 Security and Compliance\\\",\\r\\n\\\"Authoritative Time Source\\\",\\t\\\"AU.L2-3.3.7\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.7\\\",\\t\\\"AU-8 | AU-8(1)\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"NA\\\",\\r\\n\\\"Audit Protection\\\",\\t\\\"AU.L2-3.3.8\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.8\\\",\\t\\\"AU-6(7) | AU-9\\\",\\t\\\"Log Analytics Workspace | Azure Active Directory | O365 Security and Compliance\\\",\\t\\\"Conditional Access\\\",\\r\\n\\\"Audit Management\\\",\\t\\\"AU.L2-3.3.9\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.9\\\",\\t\\\"AU-6(7) | AU-9\\\",\\t\\\"Log Analytics Workspace | Azure Active Directory\\\",\\t\\\"Conditional Access | O365 Security and Compliance\\\",\\r\\n\\\"System Baselining\\\",\\t\\\"CM.L2-3.4.1\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.1\\\",\\t\\\"CM-2 | CM-6 | CM-8 | 
CM-8(1)\\\",\\t\\\"Microsoft Defender for Cloud | Intune/Microsoft Endpoint Manager | Microsoft Defender for Endpoint | GitHub Enterprise Cloud | GitHub AE\\\",\\t\\\"Azure Virtual Machines\\\",\\r\\n\\\"Security Configuration Enforcement\\\",\\t\\\"CM.L2-3.4.2\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.2\\\",\\t\\\"CM-2 | CM-6 | CM-8 | CM-8(1)\\\",\\t\\\"Azure Active Directory | Intune/Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"System Change Management\\\",\\t\\\"CM.L2-3.4.3\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.3\\\",\\t\\\"CM-3\\\",\\t\\\"Microsoft Defender for Cloud | GitHub Enterprise Cloud | GitHub AE\\\",\\t\\\"Log Analytics Workspace | Azure Active Directory | Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Security Impact Analysis\\\",\\t\\\"CM.L2-3.4.4\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.4\\\",\\t\\\"CM-4\\\",\\t\\\"GitHub Enterprise Cloud | GitHub AE\\\",\\t\\\"Intune/Microsoft Endpoint Manager | Microsoft Defender Endpoint\\\",\\r\\n\\\"Access Restrictions for Change\\\",\\t\\\"CM.L2-3.4.5\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.5\\\",\\t\\\"CM-5\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"Azure Firewall | Network Security Groups | Azure Web Application Firewall | Virtual Network | Conditional Access | Intune/Microsoft Endpoint Manager | GitHub Enterprise Cloud | GitHub AE\\\",\\r\\n\\\"Least Functionality\\\",\\t\\\"CM.L2-3.4.6\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.6\\\",\\t\\\"CM-7\\\",\\t\\\"Azure Active Directory | Intune/ Microsoft Endpoint Manager\\\",\\t\\\"Microsoft 365 Defender\\\",\\r\\n\\\"Nonessential Functionality\\\",\\t\\\"CM.L2-3.4.7\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.7\\\",\\t\\\"CM-7(1) | CM-7(2)\\\",\\t\\\"Network Security Groups\\\",\\t\\\"Microsoft Defender for Cloud | Azure Firewall | Azure Web Application Firewall | Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Application Execution Policy\\\",\\t\\\"CM.L2-3.4.8\\\",\\t\\\"Configuration 
Management\\\",\\t\\\"3.4.8\\\",\\t\\\"CM-7(4) | CM-7(5)\\\",\\t\\\"Azure Virtual Machines | Intune/Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps\\\",\\t\\\"Azure Firewall | Network Security Groups | Azure Web Application Firewall | Conditional Access | Microsoft Defender for Endpoint | GitHub Enterprise Cloud | GitHub AE\\\",\\r\\n\\\"User-Installed Software\\\",\\t\\\"CM.L2-3.4.9\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.9\\\",\\t\\\"CM-11\\\",\\t\\\"Microsoft Sentinel | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure Active Directory | Microsoft Defender for Cloud Apps | Microsoft Defender for Endpoint | Microsoft Defender for Identity | GitHub Enterprise Cloud\\\",\\r\\n\\\"Authentication\\\",\\t\\\"IA.L1-3.5.2\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.2\\\",\\t\\\"IA-2 | IA-3 | IA-5\\\",\\t\\\"Azure Active Directory | Azure Multi-Factor Authentication | Conditional Access | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Customer Lockbox\\\",\\r\\n\\\"Replay-Resistant Authentication\\\",\\t\\\"IA.L2-3.5.4\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.4\\\",\\t\\\"IA-2(8) | IA-2(9)\\\",\\t\\\"Microsoft Azure Portal | Azure Active Directory | Azure Multi-Factor Authentication | Intune/Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"Identifier Reuse\\\",\\t\\\"IA.L2-3.5.5\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.5\\\",\\t\\\"IA-4\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"Intune/Microsoft Endpoint Manager | O365 Security and Compliance\\\",\\r\\n\\\"Identifier Handling\\\",\\t\\\"IA.L2-3.5.6\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.6\\\",\\t\\\"IA-4\\\",\\t\\\"Azure Active Directory | Microsoft Defender for Identity\\\",\\t\\\"NA\\\",\\r\\n\\\"Password Complexity\\\",\\t\\\"IA.L2-3.5.7\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.7\\\",\\t\\\"IA-5(1)\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"Intune/Microsoft Endpoint Manager | Password Protection for 
Azure AD\\\",\\r\\n\\\"Password Reuse\\\",\\t\\\"IA.L2-3.5.8\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.8\\\",\\t\\\"IA-5(1)\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"Intune/Microsoft Endpoint Manager | Password Protection for Azure AD\\\",\\r\\n\\\"Temporary Passwords\\\",\\t\\\"IA.L2-3.5.9\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.9\\\",\\t\\\"IA-5(1)\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"NA\\\",\\r\\n\\\"Cryptographically-Protected Passwords\\\",\\t\\\"IA.L2-3.5.10\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.10\\\",\\t\\\"IA-5(1)\\\",\\t\\\"Microsoft Azure Portal | Azure Key Vault | Azure Virtual Machines | Azure Active Directory | Intune/Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"Obscure Feedback\\\",\\t\\\"IA.L2-3.5.11\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.11\\\",\\t\\\"IA-6\\\",\\t\\\"Microsoft Azure Portal | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure Bastion | Azure Virtual Machines\\\",\\r\\n\\\"Incident Handling\\\",\\t\\\"IR.L2-3.6.1\\\",\\t\\\"Incident Response\\\",\\t\\\"3.6.1\\\",\\t\\\"IR-2 | IR-4 | IR-5 | IR-6 | IR-7\\\",\\t\\\"Microsoft Sentinel\\\",\\t\\\"Microsoft Defender for Endpoint | Microsoft Defender for Office 365\\\",\\r\\n\\\"Incident Reporting\\\",\\t\\\"IR.L2-3.6.2\\\",\\t\\\"Incident Response\\\",\\t\\\"3.6.2\\\",\\t\\\"IR-2 | IR-4 | IR-5 | IR-6 | IR-7\\\",\\t\\\"Microsoft Sentinel\\\",\\t\\\"NA\\\",\\r\\n\\\"Incident Response Testing\\\",\\t\\\"IR.L2-3.6.3\\\",\\t\\\"Incident Response\\\",\\t\\\"3.6.3\\\",\\t\\\"IR-3\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Sentinel\\\",\\r\\n\\\"Perform Maintenance\\\",\\t\\\"MA.L2-3.7.1\\\",\\t\\\"Maintenance\\\",\\t\\\"3.7.1\\\",\\t\\\"MA-2 | MA-3 | MA-3(1) | MA-3(2)\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Azure Portal | Azure Virtual Machines | Intune/Microsoft Endpoint Manager | Microsoft Defender for Endpoint\\\",\\r\\n\\\"System Maintenance 
Control\\\",\\t\\\"MA.L2-3.7.2\\\",\\t\\\"Maintenance\\\",\\t\\\"3.7.2\\\",\\t\\\"MA-2 | MA-3 | MA-3(1) | MA-3(2)\\\",\\t\\\"Network Security Groups | Azure Active Directory\\\",\\t\\\"Azure Bastion | Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Equipment Sanitization\\\",\\t\\\"MA.L2-3.7.3\\\",\\t\\\"Maintenance\\\",\\t\\\"3.7.3\\\",\\t\\\"MA-2\\\",\\t\\\"NA\\\",\\t\\\"NA\\\",\\r\\n\\\"Media Inspection\\\",\\t\\\"MA.L2-3.7.4\\\",\\t\\\"Maintenance\\\",\\t\\\"3.7.4\\\",\\t\\\"MA-3(2)\\\",\\t\\\"NA\\\",\\t\\\"NA\\\",\\r\\n\\\"Nonlocal Maintenance\\\",\\t\\\"MA.L2-3.7.5\\\",\\t\\\"Maintenance\\\",\\t\\\"3.7.5\\\",\\t\\\"MA-4\\\",\\t\\\"Microsoft Azure Portal | Azure Active Directory | Azure Multi-Factor Authentication\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Maintenance Personnel\\\",\\t\\\"MA.L2-3.7.6\\\",\\t\\\"Maintenance\\\",\\t\\\"3.7.6\\\",\\t\\\"MA-5\\\",\\t\\\"NA\\\",\\t\\\"Customer Lockbox\\\",\\r\\n\\\"Media Disposal\\\",\\t\\\"MP.L1-3.8.3\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.3\\\",\\t\\\"MP-2 | MP-4 | MP-6\\\",\\t\\\"Azure Key Vault\\\",\\t\\\"Azure Information Protection\\\",\\r\\n\\\"Media Protection\\\",\\t\\\"MP.L2-3.8.1\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.1\\\",\\t\\\"MP-2 | MP-4 | MP-6\\\",\\t\\\"Azure Key Vault | Azure Information Protection | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure Virtual Machines\\\",\\r\\n\\\"Media Access\\\",\\t\\\"MP.L2-3.8.2\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.2\\\",\\t\\\"MP-2 | MP-4 | MP-6\\\",\\t\\\"Azure Active Directory | Azure Information Protection | Conditional Access | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Network Security Groups\\\",\\r\\n\\\"Media Markings\\\",\\t\\\"MP.L2-3.8.4\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.4\\\",\\t\\\"MP-2 | MP-4 | MP-6\\\",\\t\\\"Azure Key Vault\\\",\\t\\\"Azure Information Protection\\\",\\r\\n\\\"Media Accountability\\\",\\t\\\"MP.L2-3.8.5\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.5\\\",\\t\\\"MP-5\\\",\\t\\\"Azure Key 
Vault\\\",\\t\\\"Azure Information Protection | Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Portable Storage Encryption\\\",\\t\\\"MP.L2-3.8.6\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.6\\\",\\t\\\"MP-5(4)\\\",\\t\\\"Azure Key Vault | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure Information Protection\\\",\\r\\n\\\"Removable Media\\\",\\t\\\"MP.L2-3.8.7\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.7\\\",\\t\\\"MP-7\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure Information Protection\\\",\\r\\n\\\"Shared Media\\\",\\t\\\"MP.L2-3.8.8\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.8\\\",\\t\\\"MP-7(1)\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"Conditional Access\\\",\\r\\n\\\"Protect Backups\\\",\\t\\\"MP.L2-3.8.9\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.9\\\",\\t\\\"CP-9\\\",\\t\\\"Microsoft Azure Portal\\\",\\t\\\"Azure Key Vault\\\",\\r\\n\\\"Screen Individuals\\\",\\t\\\"PS.L2-3.9.1\\\",\\t\\\"Personnel Security\\\",\\t\\\"3.9.1\\\",\\t\\\"PS-3 | PS-4 | PS-5\\\",\\t\\\"NA\\\",\\t\\\"NA\\\",\\r\\n\\\"Personnel Actions\\\",\\t\\\"PS.L2-3.9.2\\\",\\t\\\"Personnel Security\\\",\\t\\\"3.9.2\\\",\\t\\\"PS-3 | PS-4 | PS-5\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"Azure Information Protection | Intune/Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps | Microsoft 365 Insider Risk Management\\\",\\r\\n\\\"Limit Physical Access\\\",\\t\\\"PE.L1-3.10.1\\\",\\t\\\"Physical Protection\\\",\\t\\\"3.10.1\\\",\\t\\\"PE\\\",\\t\\\"Azure Datacenter\\\",\\t\\\"NA\\\",\\r\\n\\\"Escort Visitors\\\",\\t\\\"PE.L1-3.10.3\\\",\\t\\\"Physical Protection\\\",\\t\\\"3.10.3\\\",\\t\\\"PE\\\",\\t\\\"Azure Datacenter\\\",\\t\\\"NA\\\",\\r\\n\\\"Physical Access Logs\\\",\\t\\\"PE.L1-3.10.4\\\",\\t\\\"Physical Protection\\\",\\t\\\"3.10.4\\\",\\t\\\"PE\\\",\\t\\\"Azure Datacenter\\\",\\t\\\"NA\\\",\\r\\n\\\"Manage Physical Access\\\",\\t\\\"PE.L1-3.10.5\\\",\\t\\\"Physical Protection\\\",\\t\\\"3.10.5\\\",\\t\\\"PE\\\",\\t\\\"Azure 
Datacenter\\\",\\t\\\"NA\\\",\\r\\n\\\"Monitor Facility\\\",\\t\\\"PE.L2-3.10.2\\\",\\t\\\"Physical Protection\\\",\\t\\\"3.10.2\\\",\\t\\\"PE\\\",\\t\\\"Azure Datacenter\\\",\\t\\\"NA\\\",\\r\\n\\\"Alternative Work Sites\\\",\\t\\\"PE.L2-3.10.6\\\",\\t\\\"Physical Protection\\\",\\t\\\"3.10.6\\\",\\t\\\"PE-17\\\",\\t\\\"Azure Datacenter | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Named Locations | Azure Information Protection | Conditional Access\\\",\\r\\n\\\"Risk Assessments\\\",\\t\\\"RA.L2-3.11.1\\\",\\t\\\"Risk Assessment\\\",\\t\\\"3.11.1\\\",\\t\\\"RA-3\\\",\\t\\\"Microsoft Defender for Cloud\\\",\\t\\\"Microsoft Sentinel | Intune/Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps | Microsoft Defender for Endpoint\\\",\\r\\n\\\"Vulnerability Scan\\\",\\t\\\"RA.L2-3.11.2\\\",\\t\\\"Risk Assessment\\\",\\t\\\"3.11.2\\\",\\t\\\"RA-5 | RA-5(5)\\\",\\t\\\"Microsoft Defender for Cloud | GitHub Enterprise Cloud | GitHub AE | GitHub Advanced Security (Add-On)\\\",\\t\\\"Azure DNS | Intune/Microsoft Endpoint Manager | Microsoft Defender for Endpoint | Microsoft Defender for Office 365\\\",\\r\\n\\\"Vulnerability Remediation\\\",\\t\\\"RA.L2-3.11.3\\\",\\t\\\"Risk Assessment\\\",\\t\\\"3.11.3\\\",\\t\\\"RA-5\\\",\\t\\\"GitHub Advanced Security (Add-On)\\\",\\t\\\"Microsoft Defender for Cloud | Intune/Microsoft Endpoint Manager | Microsoft Defender for Endpoint | GitHub Enterprise Cloud | GitHub AE\\\",\\r\\n\\\"Security Control Assessment\\\",\\t\\\"CA.L2-3.12.1\\\",\\t\\\"Security Assessment\\\",\\t\\\"3.12.1\\\",\\t\\\"CA-2 | CA-5 | CA-7 | PL-2\\\",\\t\\\"Microsoft Defender for Cloud\\\",\\t\\\"Microsoft Sentinel | Intune/Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps | Microsoft Defender for Endpoint\\\",\\r\\n\\\"Plan of Action\\\",\\t\\\"CA.L2-3.12.2\\\",\\t\\\"Security Assessment\\\",\\t\\\"3.12.2\\\",\\t\\\"CA-2 | CA-5 | CA-7 | PL-2\\\",\\t\\\"Microsoft Defender for Endpoint\\\",\\t\\\"NA\\\",\\r\\n\\\"Security Control 
Monitoring\\\",\\t\\\"CA.L2-3.12.3\\\",\\t\\\"Security Assessment\\\",\\t\\\"3.12.3\\\",\\t\\\"CA-2 | CA-5 | CA-7 | PL-2\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Sentinel | Intune/Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps | Microsoft Defender for Endpoint | O365 Security and Compliance\\\",\\r\\n\\\"System Security Plan\\\",\\t\\\"CA.L2-3.12.4\\\",\\t\\\"Security Assessment\\\",\\t\\\"3.12.4\\\",\\t\\\"CA-2 | CA-5 | CA-7 | PL-2\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Defender for Cloud\\\",\\r\\n\\\"Boundary Protection\\\",\\t\\\"SC.L1-3.13.1\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.1\\\",\\t\\\"SC-15\\\",\\t\\\"NA\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Public-Access System Separation\\\",\\t\\\"SC.L1-3.13.5\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.5\\\",\\t\\\"SC-7\\\",\\t\\\"NA\\\",\\t\\\"Azure Bastion | Azure Firewall | Load Balancer | Network Security Groups | Azure Web Application Firewall | Virtual Network\\\",\\r\\n\\\"Security Engineering\\\",\\t\\\"SC.L2-3.13.2\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.2\\\",\\t\\\"SC-7 | SA-8\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Defender for Cloud\\\",\\r\\n\\\"Role Separation\\\",\\t\\\"SC.L2-3.13.3\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.3\\\",\\t\\\"SC-2\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"Conditional Access | Azure AD Privileged Identity Management\\\",\\r\\n\\\"Shared Resource Control\\\",\\t\\\"SC.L2-3.13.4\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.4\\\",\\t\\\"SC-4\\\",\\t\\\"Azure Information Protection\\\",\\t\\\"Network Security Groups | Azure Web Application Firewall | Azure Virtual Machines | Virtual Network | Intune/Microsoft Endpoint Manager | Microsoft Defender for Office 365\\\",\\r\\n\\\"Network Communication by Exception\\\",\\t\\\"SC.L2-3.13.6\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.6\\\",\\t\\\"SC-7(5)\\\",\\t\\\"Azure 
Firewall\\\",\\t\\\"Microsoft Defender for Cloud | Load Balancer | Network Security Groups | Azure Web Application Firewall | Virtual Network | Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Split Tunneling\\\",\\t\\\"SC.L2-3.13.7\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.7\\\",\\t\\\"SC-7(7)\\\",\\t\\\"NA\\\",\\t\\\"NA\\\",\\r\\n\\\"Data in Transit\\\",\\t\\\"SC.L2-3.13.8\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.8\\\",\\t\\\"SC-8 | SC-8(1)\\\",\\t\\\"Microsoft Azure Portal\\\",\\t\\\"Azure ExpressRoute | Azure Key Vault | Load Balancer | Network Security Groups | Azure Virtual Machines | Virtual Network | VPN Gateway | Azure Information Protection\\\",\\r\\n\\\"Connections Termination\\\",\\t\\\"SC.L2-3.13.9\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.9\\\",\\t\\\"SC-10\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Azure Portal | Azure Virtual Machines | VPN Gateway | Azure Active Directory\\\",\\r\\n\\\"Key Management\\\",\\t\\\"SC.L2-3.13.10\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.10\\\",\\t\\\"SC-12\\\",\\t\\\"Azure Key Vault | Azure Information Protection | GitHub Enterprise Cloud | GitHub AE\\\",\\t\\\"Azure Active Directory\\\",\\r\\n\\\"CUI Encryption\\\",\\t\\\"SC.L2-3.13.11\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.11\\\",\\t\\\"SC-13\\\",\\t\\\"Azure Key Vault\\\",\\t\\\"Microsoft Azure Portal | Azure Firewall | Azure Virtual Machines | Azure Information Protection | Intune/Microsoft Endpoint Manager | GitHub AE\\\",\\r\\n\\\"Collaborative Device Control\\\",\\t\\\"SC.L2-3.13.12\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.12\\\",\\t\\\"SC-15\\\",\\t\\\"NA\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Mobile Code\\\",\\t\\\"SC.L2-3.13.13\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.13\\\",\\t\\\"SC-18\\\",\\t\\\"Microsoft Sentinel | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure Virtual Machines\\\",\\r\\n\\\"Voice 
over Internet Protocol\\\",\\t\\\"SC.L2-3.13.14\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.14\\\",\\t\\\"SC-19\\\",\\t\\\"Microsoft Teams\\\",\\t\\\"Microsoft Defender for Cloud\\\",\\r\\n\\\"Communications Authenticity\\\",\\t\\\"SC.L2-3.13.15\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.15\\\",\\t\\\"SC-23\\\",\\t\\\"Microsoft Azure Portal\\\",\\t\\\"Azure ExpressRoute | Azure Key Vault | Load Balancer | Network Security Groups | Azure Virtual Machines | Virtual Network | VPN Gateway | Azure Information Protection | Intune/Microsoft Endpoint Manager | Microsoft Cloud App Security\\\",\\r\\n\\\"Data at Rest\\\",\\t\\\"SC.L2-3.13.16\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.16\\\",\\t\\\"SC-28\\\",\\t\\\"Azure Key Vault\\\",\\t\\\"Azure ExpressRoute | Azure Key Vault | Load Balancer | Network Security Groups | Azure Virtual Machines | Virtual Network | VPN Gateway | Azure Information Protection | Intune/Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps\\\",\\r\\n\\\"Flaw Remediation\\\",\\t\\\"SI.L1-3.14.1\\\",\\t\\\"System & Information Integrity\\\",\\t\\\"3.14.1\\\",\\t\\\"SI-2 | SI-3 | SI-5\\\",\\t\\\"Microsoft Defender for Cloud | Microsoft Sentinel\\\",\\t\\\"Intune/Microsoft Endpoint Manager | Microsoft Defender for Endpoint\\\",\\r\\n\\\"Malicious Code Protection\\\",\\t\\\"SI.L1-3.14.2\\\",\\t\\\"System & Information Integrity\\\",\\t\\\"3.14.2\\\",\\t\\\"SI-2 | SI-3 | SI-5\\\",\\t\\\"Azure Web Application Firewall | Intune/Microsoft Endpoint Manager | Microsoft Defender for Endpoint\\\",\\t\\\"Azure DNS | Azure Virtual Machines | Microsoft Defender for Office 365\\\",\\r\\n\\\"Update Malicious Code Protection\\\",\\t\\\"SI.L1-3.14.4\\\",\\t\\\"System & Information Integrity\\\",\\t\\\"3.14.4\\\",\\t\\\"SI-3\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure Virtual Machines | Microsoft Defender for Endpoint | Microsoft Defender for Office 365\\\",\\r\\n\\\"System & File 
Scanning\\\",\\t\\\"SI.L1-3.14.5\\\",\\t\\\"System & Information Integrity\\\",\\t\\\"3.14.5\\\",\\t\\\"SI-3\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure DNS | Azure Virtual Machines | Microsoft Defender for Cloud Apps | Microsoft Defender for Endpoint | Microsoft Defender for Office 365\\\",\\r\\n\\\"Security Alerts & Advisories\\\",\\t\\\"SI.L2-3.14.3\\\",\\t\\\"System & Information Integrity\\\",\\t\\\"3.14.3\\\",\\t\\\"SI-2 | SI-3 | SI-5\\\",\\t\\\"Microsoft Defender for Cloud | Microsoft Sentinel\\\",\\t\\\"Azure Active Directory | Microsoft Defender for Cloud Apps | Microsoft Defender for Endpoint\\\",\\r\\n\\\"Monitor Communications for Attacks\\\",\\t\\\"SI.L2-3.14.6\\\",\\t\\\"System & Information Integrity\\\",\\t\\\"3.14.6\\\",\\t\\\"AU-2 | AU-2(3) | AU-6 | SI-4 | SI-4(4)\\\",\\t\\\"Microsoft Sentinel | Microsoft 365 Defender | Microsoft Defender for Cloud | Microsoft Defender for Cloud Apps \\\",\\t\\\"Azure DNS | Azure Firewall | Azure Key Vault | Network Security Groups | Azure Web Application Firewall | Virtual Network | Conditional Access | Microsoft Defender for Endpoint | Microsoft Defender for Identity | Microsoft Defender for Office 365\\\",\\r\\n\\\"Identify Unauthorized Use\\\",\\t\\\"SI.L2-3.14.7\\\",\\t\\\"System & Information Integrity\\\",\\t\\\"3.14.7\\\",\\t\\\"SI-4\\\",\\t\\\"Microsoft Sentinel | Microsoft Defender for Cloud Apps\\\",\\t\\\"Azure Bastion | Load Balancer | Network Security Groups | Azure Virtual Machines | VPN Gateway | Azure Active Directory | Microsoft Defender for Endpoint | Azure AD Privileged Identity Management | Microsoft Defender for Office 365\\\"\\r\\n];\\r\\nCrosswalk\\r\\n| project [\\\"Control Name\\\"],[\\\"Control Number\\\"],[\\\"Control Family\\\"],[\\\"NIST SP 800-171 R2\\\"],[\\\"NIST SP 800-53 R4\\\"],[\\\"Primary Services\\\"],[\\\"Secondary 
Services\\\"]\",\"size\":0,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Control Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Primary Services\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Secondary Services\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRCAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Controls Mapping\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.acq.osd.mil/cmmc/index.html) \\r\\n---\\r\\nAccess Control is the process of authorizing users, groups, and computers to access objects on a network, asset, and/or cloud. 
Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authorized Access Control (AC.L1-3.1.1) \\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL1311.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Transaction & Function Control (AC.L1-3.1.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL1312.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"External Connections (AC.L1-3.1.20)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL13120.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Control Public Information (AC.L1-3.1.22)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL13122.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 1: Foundational\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL1311Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL1311.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL1312Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL1312.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"2d395ae1-35fa-47b7-96fd-3c9b038a7226\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL13120Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL13120.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9ebfa70c-22df-4445-8b1c-7112129c7be8\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL13122Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL13122.\",\"resultValType\":\"static\",\"resultVal\":\
"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"0df1cfb7-2b39-45bd-adde-5ea8d922ccdc\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authorized Access Control (AC.L1-3.1.1)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-171-r2#limit-system-access-to-authorized-users-processes-acting-on-behalf-of-authorized-users-and-devices-including-other-systems)\\r\\n\\r\\nLimit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️[Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Customer Lockbox](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview) 🔀[Customer Lockbox](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs \\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 2\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Access Control\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":1000,\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"Implemented\"},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL1311Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L1-3.1.1\",\"styleSettings\":{\"margin\":\"3\",\"padding\":\"3\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Transaction & Function Control (AC.L1-3.1.2)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#limit-information-system-access-to-the-types-of-transactions-and-functions-that-authorized-users-are-permitted-to-execute)\\r\\n\\r\\nLimit information system access to the types of transactions and functions that authorized users are permitted to execute. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| extend UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\",UserPrincipalName)\\r\\n| summarize Runs = count(), Success = countif(Result == 'success'), Fails = countif(Result != 'success') by UserPrincipalName, OperationName, UserProfile // Summarize the total, successful and failed operations by name\\r\\n| extend SuccessRate = (Success * 100 / Runs) // Calculate the percentage of successful operations against the total\\r\\n| join (SigninLogs | project UserPrincipalName, UserId) on UserPrincipalName\\r\\n| summarize count() by UserPrincipalName, UserProfile, OperationName, UserId\\r\\n| project UserPrincipalName, ActionCount=count_, OperationName, UserProfile, UserId\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| sort by ActionCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActionCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL1312Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L1-3.1.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [External Connections (AC.L1-3.1.20)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#verify-and-controllimit-connections-to-and-use-of-external-information-systems)\\r\\n\\r\\nVerify and control/limit connections to and use of external information systems. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where Location <> \\\"\\\"\\r\\n| where ResultType == 0\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\",UserId)\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| summarize count() by City, Location\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Sign-In Summary by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"City\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go To AAD User Profile >\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation 
Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where Location <> \\\"\\\"\\r\\n| where ResultType == 0\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n\",\"size\":2,\"title\":\"User Sign-Ins by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":12,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\",\"heatmapMax\":100},\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}},\"name\":\"query - 
4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL13120Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L1-3.1.20\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Control Public Information (AC.L1-3.1.22)\\r\\n\\r\\nControl information posted or processed on publicly accessible information systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"sensitive\\\" or Title contains \\\"data\\\" or Title contains \\\"leak\\\" or Tactics contains \\\"exfil\\\" or Title contains \\\"PII\\\" or Title contains \\\"intellectual\\\" or Title contains \\\"confidential\\\" or Title contains \\\"spill\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Loss\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"nam
e\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL13122Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L1-3.1.22\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 1: Foundational\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Control CUI Flow (AC.L2-3.1.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL2313.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Separation of Duties (AC.L2-3.1.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL2314.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Least Privilege (AC.L2-3.1.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL2315.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Non-Privileged Account Use (AC.L2-3.1.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL2316.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Privileged Functions (AC.L2-3.1.7)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL2317.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Unsuccessful Logon Attempts (AC.L2-3.1.8)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL2318.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Privacy & Security Notices (AC.L2-3.1.9)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL2319.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Session Lock (AC.L2-3.1.10)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23110.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Session Termination (AC.L2-3.1.11)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23111.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: 
Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL2313Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL2313.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL2314Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL2314.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"34825a5b-616a-43e6-86f7-dfaaec89f6c5\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL2315Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL2315.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"f8eec0a4-8207-40a4-b2e5-5d3a3c3f43ff\"},{\"version\":\"KqlParamete
rItem/1.0\",\"name\":\"isACL2316Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL2316.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"901b782d-9d5f-4496-acff-14eba10dfdcc\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL2317Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL2317.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e7504687-2c9a-4821-8073-10ee5e23023a\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL2318Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL2318.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"21b09f0f-6ebb-437f-b8dc-0bb14bebd757\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL2319Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL2319.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext
\":{\"durationMs\":86400000},\"id\":\"607fb3ad-cdea-44d8-b578-07a2749629ab\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23110Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23110.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4e0b74e2-8db0-47b9-ba59-33663592db04\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23111Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23111.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"370d2451-c722-4bed-9124-50016092da87\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Control Remote Access (AC.L2-3.1.12)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23112.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Remote Access Confidentiality (AC.L2-3.1.13)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23113.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Remote Access Routing (AC.L2-3.1.14)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23114.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Privileged Remote Access (AC.L2-3.1.15)\\\\\\\", \\\\\\\"tab\\\\\\\": 
\\\\\\\"ACL23115.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Wireless Access Authorization (AC.L2-3.1.16)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23116.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Wireless Access Protection (AC.L2-3.1.17)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23117.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Mobile Device Connection (AC.L2-3.1.18)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23118.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Encrypt CUI on Mobile (AC.L2-3.1.19)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23119.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Portable Storage Use (AC.L2-3.1.21)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23121.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"30560f02-4a96-4628-8600-bccdd3728ad5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23112Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23112.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23113Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23113.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e5c99657-f0a4-4e90-abc2-7c5c27b30f58\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23114Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23114.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9d45c4e1-9609-48af-8e1b-f7303ce8b698\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23115Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23115.\",\"resultValType\":\"static\",\"result
Val\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b461aaf0-2be5-4930-9feb-d287c4cb7327\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23116Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23116.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a689497a-5981-48dd-b928-179500bbb146\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23117Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23117.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b34f76b2-5540-4ecb-b51c-175ed759105f\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23118Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23118.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"651933a2-04a4-4f48-a5f8-3c26dc8be4f8\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23119Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"oper
ator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23119.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"6acb347d-36a1-4aab-a3f2-08122beb8ad2\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23121Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23121.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d282094f-2bbd-421f-a8d8-90e104966e11\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Control CUI Flow (AC.L2-3.1.3)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#control-the-flow-of-cui-in-accordance-with-approved-authorizations)\\r\\n\\r\\nControl the flow of CUI in accordance with approved authorizations. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Microsoft Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Microsoft 365 Compliance Manager](https://compliance.microsoft.com/informationprotection)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://portal.atp.azure.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| project UserId_s, Computer, ContentId_g, LabelName_s, ApplicationName_s, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Information Protection Details\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\
":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colo
rAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL2313Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Separation of Duties (AC.L2-3.1.4)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#separate-the-duties-of-individuals-to-reduce-the-risk-of-malevolent-activity-without-collusion)\\r\\n\\r\\nSeparate the duties of individuals to reduce the risk of malevolent activity without collusion.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"member\\\" or RecommendationName contains \\\"owner\\\" or RecommendationName contains \\\"group\\\"\\r\\n| where RecommendationName !contains \\\"security group\\\"\\r\\n| where RecommendationName !contains \\\"Email\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (IdentityInfo| extend UserPrincipalName = AccountUPN | project UserPrincipalName, GroupMembership, AssignedRoles) on UserPrincipalName\\r\\n| project UserPrincipalName, SignInCount=count_, UserProfile, GroupMembership, AssignedRoles, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review User Group Membership & Assigned Roles\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL2314Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Least Privilege 
(AC.L2-3.1.5)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#employ-the-principle-of-least-privilege-including-for-specific-security-functions-and-privileged-accounts)\\r\\n\\r\\nEmploy the principle of least privilege, including for specific security functions and privileged accounts.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) \\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| distinct OperationName, Identity, AADOperationType, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Privileged Identity Management (PIM) Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"GrantedTo\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go To: AAD Profile >\"}},{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isACL2315Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Non-Privileged Account Use (AC.L2-3.1.6)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#use-non-privileged-accounts-or-roles-when-accessing-nonsecurity-functions)\\r\\n\\r\\nUse non-privileged accounts or roles when accessing non-security functions.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"user\\\" or RecommendationName contains \\\"account\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL2316Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Privileged Functions (AC.L2-3.1.7)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#prevent-non-privileged-users-from-executing-privileged-functions-and-capture-the-execution-of-such-functions-in-audit-logs)\\r\\n\\r\\nPrevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"audit\\\" or RecommendationName contains \\\"priv\\\" or RecommendationName contains \\\"log\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL2317Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Unsuccessful Logon Attempts (AC.L2-3.1.8)\\r\\n\\r\\nLimit unsuccessful logon attempts. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://portal.atp.azure.com/)
✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Password Protection for Azure AD](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy) 🔀[Azure AD Password Protection](https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType <> 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, FailedSignInAttempt=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by FailedSignInAttempt desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Unsuccessful Logon Attempts \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FailedSignInAttempt\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"c
ustomWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"sign\\\" or Title contains \\\"brute\\\" or Title contains \\\"account\\\" or Title contains \\\"access\\\" or Title contains \\\"cred\\\" or Title contains \\\"logon\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Logon Attempts\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"nam
e\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL2318Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Privacy & Security Notices (AC.L2-3.1.9)\\r\\n\\r\\nProvide privacy and security notices consistent with applicable CUI rules.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Recommended Configuration\\r\\n💡 [Add Terms of Use](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use#add-terms-of-use)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"banner\\\" or Description contains \\\"agree\\\" or Description contains \\\"notification\\\" or Description contains \\\"terms\\\" or Description contains \\\"privacy\\\" or Description contains \\\"notice\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"banner\\\" or Description contains \\\"agree\\\" or Description contains \\\"notification\\\" or Description contains \\\"terms\\\" or Description contains \\\"privacy\\\" or Description contains \\\"notice\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"banner\\\" or Description contains \\\"agree\\\" or Description contains \\\"notification\\\" or Description contains \\\"terms\\\" or Description contains \\\"privacy\\\" or Description contains \\\"notice\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join 
kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator
\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL2319Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Session Lock (AC.L2-3.1.10) \\r\\n\\r\\nUse session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Recommended Configuration\\r\\n💡 [Configure screen lock settings using Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience)
\\r\\n💡 [Grant access to resources if devices are marked as compliant](https://docs.microsoft.com/azure/active-directory/conditional-access/require-managed-devices#require-device-to-be-marked-as-compliant)
\\r\\n💡 [Conceal Passwords with Password Box](https://docs.microsoft.com/windows/uwp/design/controls-and-patterns/password-box)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"lock\\\" or Description contains \\\"pattern\\\" or Description contains \\\"screen\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"lock\\\" or Description contains \\\"pattern\\\" or Description contains \\\"screen\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"lock\\\" or Description contains \\\"pattern\\\" or Description contains \\\"screen\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. 
Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23110Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.10\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Session Termination (AC.L2-3.1.11) \\r\\n\\r\\nTerminate (automatically) a user session after a defined condition.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Application Gateway](https://azure.microsoft.com/services/application-gateway/) 🔀 [Application Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [AADUserRiskEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/AADUserRiskEvents) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| summarize arg_max(TimeGenerated,*) by AccountUPN\\r\\n| join kind=inner(\\r\\nSigninLogs) on $left.AccountUPN==$right.UserPrincipalName\\r\\n| project SigninTime=TimeGenerated1, UserPrincipalName, AppDisplayName, ResultType, AssignedRoles, Location, UserAgent, AuthenticationRequirement, Country, City, CorrelationId\\r\\n| join kind=inner (\\r\\nAADUserRiskEvents) on CorrelationId\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId), AssignedRoles=strcat(AssignedRoles)\\r\\n| distinct UserPrincipalName, UserProfile, RiskState, RiskLevel, AppDisplayName, ResultType, DetectionTimingType, Location, AssignedRoles, UserAgent, AuthenticationRequirement, Country, City, SigninTime, UserId\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review/Terminate User Session Risk Events\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"RiskLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AppDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense 
Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23111Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.11\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Control Remote Access (AC.L2-3.1.12)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#monitor-and-control-remote-access-sessions)\\r\\n\\r\\nMonitor and control remote access sessions.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where Location <> \\\"\\\"\\r\\n| where ResultType == 0\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Sign-Ins by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":10,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"},\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation 
Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23112Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Remote Access Confidentiality (AC.L2-3.1.13)\\r\\n\\r\\nEmploy cryptographic mechanisms to protect the confidentiality of remote access sessions.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\\r\\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | 
extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"crypt\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23113Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.13\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Privileged Remote Access (AC.L2-3.1.14)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#route-remote-access-via-managed-access-control-points)\\r\\n\\r\\nRoute remote access via managed access control points.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n✳️ [Named Locations](https://docs.microsoft.com/azure/active-directory/conditional-access/location-condition) 🔀[Azure AD Named Locations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/NamedNetworksWithCountryBlade)
\\r\\n✳️ [Azure Front Door](https://azure.microsoft.com/services/frontdoor/) 🔀[Front Doors](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/frontdoors)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"where type contains \\\"network\\\" \\r\\n| project id,type,resourceGroup\\r\\n| order by type asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Rule\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", 
\\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23114Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Privileged Remote Access (AC.L2-3.1.15)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#authorize-remote-execution-of-privileged-commands-and-remote-access-to-security-relevant-information)\\r\\n\\r\\nAuthorize remote execution of privileged commands and remote access to security-relevant information. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Named Locations](https://docs.microsoft.com/azure/active-directory/conditional-access/location-condition) 🔀[Azure AD Named Locations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/NamedNetworksWithCountryBlade)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo)🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SigninCount = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName\\r\\n| project UserPrincipalName, SignInCount=count_;\\r\\nlet LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nIdentityInfo\\r\\n| extend Roles = strcat(AssignedRoles)\\r\\n| extend Groups = strcat(GroupMembership)\\r\\n| where Roles contains \\\"security\\\" or Groups contains \\\"security\\\" or Roles contains \\\"admin\\\" or Groups contains \\\"admin\\\"\\r\\n| extend UserPrincipalName = MailAddress\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n// where Location <> \\\"US\\\" // Exempt Non Remote Locations\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\",UserPrincipalName)\\r\\n| distinct UserPrincipalName, UserProfile, Roles, Groups, UserType, Location, TimeGenerated, UserId\\r\\n| sort by TimeGenerated desc\\r\\n| summarize count() by UserPrincipalName, UserProfile, Roles, Groups, UserType, Location, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, Roles, Groups, UserType, Location, LastSignIn, UserId\\r\\n| join (SigninCount) on UserPrincipalName\\r\\n| project UserPrincipalName, SignInCount, UserProfile, Roles, Groups, UserType, Location, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Admin User SignIns by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and 
Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23115Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.15\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Wireless Access Authorization (AC.L2-3.1.16) \\r\\n\\r\\nAuthorize wireless access prior to allowing such connections.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Recommended Configuration\\r\\n💡 [Network Access Control (NAC)](https://docs.microsoft.com/mem/intune/protect/network-access-control-integrate)
\\r\\n💡 [Grant access to resources if devices are marked as compliant](https://docs.microsoft.com/azure/active-directory/conditional-access/)
\\r\\n💡 [Conditional Access with Intune](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\" or Description contains \\\"wifi\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\" or Description contains \\\"wifi\\\" \\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\" or Description contains \\\"wifi\\\" \\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23116Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.16\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Wireless Access Protection (AC.L2-3.1.17) \\r\\n\\r\\nProtect wireless access using authentication and encryption. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Recommended Configuration\\r\\n💡 [Use a Custom Device Profile to Create a WiFi Profile with a Pre-Shared Key in Intune](https://docs.microsoft.com/mem/intune/configuration/wi-fi-profile-shared-key)
\\r\\n💡 [Using NAC with Conditional Access & Intune](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\" or Description contains \\\"wifi\\\" or Description contains \\\"auth\\\" or Description contains \\\"encrypt\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\" or Description contains \\\"wifi\\\" or Description contains \\\"auth\\\" or Description contains \\\"encrypt\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\" or Description contains \\\"wifi\\\" or Description contains \\\"auth\\\" or Description contains \\\"encrypt\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23117Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Mobile Device Connection (AC.L2-3.1.18) \\r\\n\\r\\nControl connection of mobile devices.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\\r\\n| extend OperatingSystem = tostring(DeviceDetail.operatingSystem)\\r\\n| extend Browser = tostring(DeviceDetail.browser)\\r\\n| where OperatingSystem contains \\\"Android\\\" or OperatingSystem contains \\\"iOS\\\"\\r\\n| summarize count() by OperatingSystem, Browser, AppDisplayName\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Mobile Device Access\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},
\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23118Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.18\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Encrypt CUI on Mobile (AC.L2-3.1.19) \\r\\n\\r\\nEncrypt CUI on mobile devices and mobile computing platforms. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [How to Create and Assign App Protection Policies](https://docs.microsoft.com/mem/intune/apps/app-protection-policies)
\\r\\n💡 [App Protection Policies Overview](https://docs.microsoft.com/mem/intune/apps/app-protection-policy)
\\r\\n💡 [Microsoft Intune Protected Apps](https://docs.microsoft.com/mem/intune/apps/apps-supported-intune-apps)
\\r\\n💡 [Data Protection Framework Using App Protection Policies](https://docs.microsoft.com/mem/intune/apps/app-protection-framework)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|extend CAStatus = case(ConditionalAccessStatus == \\\"failure\\\", \\\"Failed\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"Not applied\\\", \\r\\n isempty(ConditionalAccessStatus), \\\"Not applied\\\", \\r\\n \\\"Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n| extend Conditional_AccessPolicies = strcat(ConditionalAccessPolicies.displayName)\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0]);\\r\\ndata\\r\\n| where CAGrantControlName <> \\\"\\\"\\r\\n| where ResultType == 0\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\",UserPrincipalName)\\r\\n| summarize count() by AppDisplayName, Conditional_AccessPolicies, ConditionalAccessStatus\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure App Protection Policy and Monitor Conditional Access Policy Compliance\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConditionalAccessStatus\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"success\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"failure\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"1\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go To: AAD User Profile >\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": 
\\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23119Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.19\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Portable Storage Use (AC.L2-3.1.21) \\r\\n\\r\\nLimit use of portable storage devices on external systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Named Locations](https://docs.microsoft.com/azure/active-directory/conditional-access/location-condition) 🔀[Azure AD Named Locations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/NamedNetworksWithCountryBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [DeviceEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceevents) 🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n## Recommended Configuration\\r\\n💡 [How to Control USB Devices and Other Removable Media Using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n| project TimeGenerated, ActionType, AdditionalFields, DeviceId, FileName\\r\\n| where ActionType == \\\"UsbDriveMounted\\\"\\r\\n| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)\\r\\n| join kind=inner (DeviceFileEvents\\r\\n | project TimeGenerated, ActionType, FolderPath, DeviceId, FileName, FileSize\\r\\n | extend FileCopyTime = TimeGenerated\\r\\n | where ActionType == \\\"FileCreated\\\"\\r\\n | parse FolderPath with DriveLetter '\\\\\\\\' *\\r\\n | extend DriveLetter = tostring(DriveLetter)\\r\\n )\\r\\n on DeviceId, DriveLetter\\r\\n| distinct FileCopyTime, FileName1, FileSize\\r\\n| summarize DataCopiedinGB=sum(FileSize / 1024 / 1024 / 1024) by startofday(FileCopyTime)\\r\\n| render columnchart\\r\\n with (\\r\\n kind=unstacked,\\r\\n xtitle=\\\"Data Copied in GB\\\",\\r\\n ytitle=\\\"Day\\\",\\r\\n title=\\\"Data Copied to USB per day\\\")\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Portable Storage Devices\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DeviceName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AccountName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"is Empty\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23121Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.21\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Awareness & Training](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\nAwareness & Training is focused on controlling human access to systems, networks, and assets. 
Personnel Security includes considerations for screening individuals with access to Controlled Unclassified Information (CUI) and protection of such data after personnel actions such as terminations or transfers.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Role-Based Risk Awareness (AT.L2-3.2.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ATL2321.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Role-Based Training (AT.L2-3.2.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ATL2321.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Insider Threat Awareness (AT.L2-3.2.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ATL2321.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isATL2321Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ATL2321.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"5\",\"name\":\"Hidden 
Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Role-Based Risk Awareness (AT.L2-3.2.1)
\\r\\n\\r\\nEnsure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.\\r\\n\\r\\n## Role-Based Training (AT.L2-3.2.2)
\\r\\n\\r\\nEnsure that personnel are trained to carry out their assigned information security-related duties and responsibilities. \\r\\n\\r\\n## Insider Threat Awareness (AT.L2-3.2.3)
\\r\\n\\r\\nProvide security awareness training on recognizing and reporting potential indicators of insider threat.\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Microsoft Certified: Security Operations Analyst Associate](https://docs.microsoft.com/learn/certifications/security-operations-analyst)
\\r\\n💡 [Learning with the Microsoft Sentinel Training Lab](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/learning-with-the-microsoft-sentinel-training-lab/ba-p/2953403)
\\r\\n💡 [Learn Microsoft Sentinel on Microsoft Learn](https://techcommunity.microsoft.com/t5/itops-talk-blog/learn-azure-sentinel-on-microsoft-learn/ba-p/2006346)
\\r\\n💡 [Microsoft Sentinel Ninja Training Knowledge Check](https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-ninja-training-knowledge-check/ba-p/2677696)
\\r\\n💡 [Manage Insider Risk](https://docs.microsoft.com/learn/modules/m365-compliance-insider-manage-insider-risk/)
\\r\\n💡 [Get Started Using Attack Simulation Training](https://docs.microsoft.com/microsoft-365/security/office-365-security/attack-simulation-training-get-started)
\\r\\n💡 [SimuLand: Understand adversary tradecraft and improve detection strategies](https://www.microsoft.com/security/blog/2021/05/20/simuland-understand-adversary-tradecraft-and-improve-detection-strategies/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)
\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### [Leverage Microsoft Learn for Role-Based Training for Security Professionals](https://docs.microsoft.com/learn/)\\r\\n![Image Name](https://docs.microsoft.com/media/learn/home/hero_background_light.svg?branch=main) \\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isATL2321Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AT.L2-3.2.1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isATVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Awareness & Training Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit & Accountability](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\nAudit & Accountability involves the evaluation of configurable security and logging options to help identify gaps in security policies and mechanisms. \"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Auditing (AU.L2-3.3.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2331.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"User Accountability (AU.L2-3.3.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2332.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Event Review (AU.L2-3.3.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2333.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Failure Alerting (AU.L2-3.3.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2334.\\\\\\\" },\\\\t\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Correlation (AU.L2-3.3.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2335.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: 
Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2331Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2331.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2332Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2332.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d19637ad-09c9-4a1b-8987-ee2348384fed\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2333Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2333.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ede6dc18-910b-45e4-97a6-ac014c9d397d\"},{\"version\":\"KqlParamete
rItem/1.0\",\"name\":\"isAUL2334Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2334.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"bdbc3a5c-37f6-4a1f-9d67-62dd6f8782a5\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2335Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2335.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"96e61cfa-f86e-44e7-b7c8-b5450ee00d53\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Reduction & Reporting (AU.L2-3.3.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2336.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authoritative Time Source (AU.L2-3.3.7) \\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2337.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Protection (AU.L2-3.3.8)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2338.\\\\\\\" },\\\\t\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Management (AU.L2-3.3.9)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2339.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: 
Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"24e2c8b9-34c1-4559-aaee-0414d9b98420\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2336Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2336.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"b7b6fd63-9a21-4122-8f7d-6fbcc265a2d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2337Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2337.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"eecb3728-3783-4f86-9074-da005a39a679\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2338Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2338.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"ce3ab9b5-
a1bd-4b29-ae20-63e8c3da2ec2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2339Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2339.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System Auditing (AU.L2-3.3.1)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#create-and-retain-system-audit-logs-and-records-to-the-extent-needed-to-enable-the-monitoring-analysis-investigation-and-reporting-of-unlawful-or-unauthorized-system-activity)\\r\\n\\r\\nCreate and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName *\\r\\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\\\"second\\\",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by _TableName, _IsBillable\\r\\n| project ['Table Name'] = _TableName, ['Table Size'] = Size, ['Table Entries'] = Entries,\\r\\n ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable\\r\\n| order by ['Table Size'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Table Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Microsoft Sentinel Workspace • Adjust the Time Parameter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Microsoft Defender for Cloud Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Party Tooling Requirements\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Table Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Table Size\",\"formatter\":8,\"formatOptions\":{\"palette\":\"purple\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Table 
Entries\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Size per Entry\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"IsBillable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Important\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": 
\\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2331Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [User Accountability (AU.L2-3.3.2)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#ensure-that-the-actions-of-individual-system-users-can-be-uniquely-traced-to-those-users-so-they-can-be-held-accountable-for-their-actions)\\r\\n\\r\\nEnsure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where Caller <> \\\"\\\"\\r\\n| extend UserPrincipalName = Caller\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\",UserId)\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Count by User\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n 
{\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2332Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Event Review (AU.L2-3.3.3) \\r\\n\\r\\nReview and update logged events.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [Connect Data Sources](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Usage\\r\\n| summarize count() by DataType\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Events Count by Log Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", 
\\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2333Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit Failure Alerting (AU.L2-3.3.4)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#alert-in-the-event-of-an-audit-logging-process-failure)\\r\\n\\r\\nAlert in the event of an audit logging process failure. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource = _TableName *\\r\\n| summarize last_log = datetime_diff(\\\"second\\\",now(), max(TimeGenerated)) by _TableName\\r\\n| where last_log > 0\\r\\n| where _TableName !contains \\\"_SRCH\\\"\\r\\n| project ['Table Name'] = _TableName, ['Last Record Received'] = last_log\\r\\n| order by ['Last Record Received'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Log Source Health \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. • Confirm Log Source is Onboarded to Microsoft Sentinel Workspace • Adjust Query Time Thresholds for a Larger Data-Set\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Table Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Backlog\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Last Record Received\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orangeRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\"}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control 
Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2334Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Audit Correlation (AU.L2-3.3.5) \\r\\n\\r\\nCorrelate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://portal.atp.azure.com/)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [BehaviorAnalytics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/behavioranalytics) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AnomalousSigninActivity = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\\r\\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\\r\\n or ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\\r\\n | join (\\r\\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \\\"none\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, 
SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', '7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//witdstomstl\\r\\nlet AnomalousRoleAssignment = AuditLogs\\r\\n | where TimeGenerated > ago(28d)\\r\\n | where OperationName == \\\"Add member to role\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner (\\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Add member to role\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend AnomalyName = \\\"Anomalous Role Assignemt\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries 
may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let LogOns=materialize(\\r\\n BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\");\\r\\nlet AnomalousResourceAccess = LogOns\\r\\n | where ActionType == \\\"ResourceAccess\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous Resource Access\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. 
The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousRDPActivity = LogOns\\r\\n | where ActionType == \\\"RemoteInteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous RDP Activity\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. 
The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousLogintoDevices = LogOns\\r\\n | where ActionType == \\\"InteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\\r\\n | extend AnomalyName = \\\"Anomalous Login To Devices\\\",\\r\\n Tactic = \\\"Privilege Escalation\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousPasswordReset = BehaviorAnalytics\\r\\n | where ActionType == \\\"Reset user password\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == \\\"True\\\"\\r\\n | join (\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Reset user password\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Password Reset\\\",\\r\\n Tactic = \\\"Impact\\\",\\r\\n Technique = \\\"Account Access Removal\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\\r\\n | join (\\r\\n SigninLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Initial Access\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousFailedLogon = BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n | join (\\r\\n SigninLogs \\r\\n | where Status.errorCode == 50126\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Failed Logon\\\",\\r\\n Tactic = \\\"Credential Access\\\",\\r\\n Technique = \\\"Brute Force\\\",\\r\\n SubTechnique = \\\"Password Guessing\\\",\\r\\n Description = \\\"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousAADAccountManipulation = AuditLogs\\r\\n | where OperationName == \\\"Update user\\\"\\r\\n | mv-expand AdditionalDetails\\r\\n | where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner ( \\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Update user\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName) \\r\\n | extend AnomalyName = \\\"Anomalous Account Manipulation\\\",\\r\\n Tactic = 
\\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\\r\\n | where ActionType == \\\"Add user\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\\r\\n | join(\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Add user\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\\r\\n UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", 
tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Account Creation\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Create Account\\\",\\r\\n SubTechnique = \\\"Cloud Account\\\",\\r\\n Description = \\\"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\\\"\\t\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\\r\\nlet TopUsersByAnomalies = AnomalyTable\\r\\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\\r\\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\\r\\n | sort by AnomalyCount desc;\\r\\nlet TopUsersByIncidents = SecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | where Status == \\\"New\\\" or Status == \\\"Active\\\"\\r\\n | mv-expand AlertIds\\r\\n | extend 
AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | union TopUsersByAnomalies\\r\\n | extend \\r\\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\\r\\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\\r\\n UPNExists = iff(isempty(UPN), false, true),\\r\\n NameExists = iff(isempty(Name), false, true),\\r\\n SidExists = iff(isempty(Sid), false, true),\\r\\n AADExists = iff(isempty(AadUserId), false, true)\\r\\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), 
AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\\r\\n | project [\\\"UserName\\\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\\\"AadUserId\\\"]=AadAnchor, [\\\"OnPremSid\\\"]=SidAnchor, [\\\"UserPrincipalName\\\"]=UPNAnchor;\\r\\nTopUsersByIncidents\\r\\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| sort by AlertCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Entity Behavior Analytics Alerts\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). 
See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_heatmap_AlertCount_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_AlertCount_2\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",
\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2335Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Reduction & Reporting (AU.L2-3.3.6)\\r\\n\\r\\nProvide audit record reduction and report generation to support on-demand analysis and reporting.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Correlate/Aggregate Logging via Security Incidents\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"nam
e\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2336Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Authoritative Time Source (AU.L2-3.3.7) \\r\\n\\r\\nProvide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [Time sync for Windows VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/windows/time-sync)\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where Description contains \\\"NTP\\\" or Description contains \\\"clock\\\" or Description contains \\\"time\\\" or Description contains \\\"sync\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by Description, _ResourceId\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| project Description, Total, PassedControls, Passed, Failed\\r\\n| sort by Total desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines for Time Synchronization\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Caller\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"DataType\"},\"showBorder\":fals
e}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2337Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit Protection (AU.L2-3.3.8)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#protect-audit-information-and-audit-logging-tools-from-unauthorized-access-modification-and-deletion)\\r\\n\\r\\nProtect audit information and audit logging tools from unauthorized access, modification, and deletion.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where OperationNameValue contains \\\"Insights\\\" or OperationName contains \\\"Log\\\" or OperationName contains \\\"Audit\\\" or OperationName contains \\\"Monitor\\\"\\r\\n| where OperationName contains \\\"Create\\\" or OperationName contains \\\"Audit\\\" or OperationName contains \\\"Update\\\" or OperationName contains \\\"Add\\\" or OperationName contains \\\"Change\\\" or OperationName contains \\\"Remove\\\" or OperationName contains \\\"Delete\\\" or OperationName contains \\\"Write\\\"\\r\\n| where OperationName <> \\\"\\\"\\r\\n| summarize count() by UserPrincipalName=Caller, OperationName, OperationNameValue, ResourceId\\r\\n| project OperationName, ActionCount=count_, UserPrincipalName, OperationNameValue, ResourceId\\r\\n| sort by ActionCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor User Audit Logging Tool Access, Modification, and Deletion\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActionCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation 
Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2338Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Audit Management (AU.L2-3.3.9) \\r\\n\\r\\nLimit management of audit logging functionality to a subset of privileged users. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (IdentityInfo| extend UserPrincipalName = AccountUPN | project UserPrincipalName, AssignedRoles) on UserPrincipalName\\r\\n| where AssignedRoles contains \\\"Security Administrator\\\" or AssignedRoles contains \\\"Security Contributor\\\" or AssignedRoles contains \\\"Admin\\\" or AssignedRoles contains \\\"Owner\\\"\\r\\n| project UserPrincipalName, SignInCount=count_, UserProfile, AssignedRoles, LastSignIn, UserId\\r\\n| extend AssignedRoles=strcat(AssignedRoles)\\r\\n| distinct UserPrincipalName, SignInCount, UserProfile, AssignedRoles, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Users with Management of Audit Logging Functionality Privileges\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n 
{\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2339Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.9\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Audit and Accountability Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Configuration Management](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\nConfiguration Management establishes security baselines and measuresdeviations provides the basis for tracking the security posture of cloud assets.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Baselining (CM.L2-3.4.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2341.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Configuration Enforcement (CM.L2-3.4.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2342.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Change Management (CM.L2-3.4.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2343.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Impact Analysis (CM.L2-3.4.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2344.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Restrictions for Change (CM.L2-3.4.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2345.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: 
Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2341Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2341.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2342Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2342.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"42705b8e-69c8-4f05-a32a-c2c71a12baa8\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2343Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2343.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ea4ee9e3-7b47-4c7b-8a91-68b3c4303ca0\"},{\"version\":\"KqlParamete
rItem/1.0\",\"name\":\"isCML2344Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2344.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"7a56b689-3e07-47c0-bf76-257ea083159f\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2345Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2345.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"35e995e3-5225-4bbb-b02d-b7987b637015\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Least Functionality (CM.L2-3.4.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2346.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Nonessential Functionality (CM.L2-3.4.7)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2347.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Application Execution Policy (CM.L2-3.4.8)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2348.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"User-Installed Software (CM.L2-3.4.9)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2349.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: 
Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8a50cd3f-b3e9-4587-80e6-c52b2cfec5aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2346Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2346.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"34719c4e-8f19-455e-b644-8c1fd62f7f1a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2347Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2347.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"33298753-7f88-41fd-b019-1bd801001f66\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2348Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2348.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"f4c18a08-
dc34-40f2-bfd2-372935857c4b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2349Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2349.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System Baselining (CM.L2-3.4.1)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#establish-and-maintain-baseline-configurations-and-inventories-of-organizational-systems-including-hardware-software-firmware-and-documentation-throughout-the-respective-system-development-life-cycles)\\r\\n\\r\\nEstablish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Azure Blueprints](https://docs.microsoft.com/azure/governance/blueprints/) 🔀[Blueprints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/BlueprintsMenuBlade/GetStarted)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n💡 [Quickstart: Define and assign a blueprint in the portal](https://docs.microsoft.com/azure/governance/blueprints/create-blueprint-portal)
\\r\\n💡 [Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| project AssetID=id,AssetType=type, Azure_Inventory, M365_Inventory\\r\\n| sort by AssetType desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Asset Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, 
Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":
\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2341Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Configuration Enforcement (CM.L2-3.4.2) ](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#establish-and-enforce-security-configuration-settings-for-information-technology-products-employed-in-organizational-systems)\\r\\n\\r\\nEstablish and enforce security configuration settings for information technology products employed in organizational systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"config\\\"\\r\\n| where RecommendationName !contains \\\"security group\\\"\\r\\n| where RecommendationName !contains \\\"Email\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2342Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System Change Management (CM.L2-3.4.3)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#track-review-approve-or-disapprove-and-log-changes-to-organizational-systems)\\r\\n\\r\\nTrack, review, approve or disapprove, and log changes to organizational systems. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [Enable Change Tracking and Inventory From an Automation Account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], 
iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | 
where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"log\\\" or RecommendationName contains \\\"audit\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2343Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Security Impact Analysis (CM.L2-3.4.4) \\r\\n\\r\\nAnalyze the security impact of changes prior to implementation. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) 🔷 [SecureScore](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securescore) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName, tostring(severity)\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | where severity 
== \\\"High\\\"\\r\\n | distinct ControlID, RecommendationName, Total, severity, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | extend Severity=tostring(severity)\\r\\n | distinct RecommendationName, Severity, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total desc\\r\\n | limit 25\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Recommendations Impacting Security Posture\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2344Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Access Restrictions for Change (CM.L2-3.4.5) \\r\\n\\r\\nDefine, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [ConfigurationChange](https://docs.microsoft.com/azure/azure-monitor/reference/tables/configurationchange) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ConfigurationChange\\r\\n| summarize count() by _ResourceId, ConfigChangeType\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor System Configuration Changes\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 65\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate 
Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2345Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Least Functionality (CM.L2-3.4.6)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#employ-the-principle-of-least-functionality-by-configuring-organizational-systems-to-provide-only-essential-capabilities)\\r\\n\\r\\nEmploy the principle of least functionality by configuring organizational systems to provide only essential capabilities. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"priv\\\" or RecommendationName contains \\\"access\\\"\\r\\n| where RecommendationName !contains \\\"security group\\\"\\r\\n| where RecommendationName !contains \\\"Email\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2346Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Nonessential Functionality (CM.L2-3.4.7)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#restrict-disable-or-prevent-the-use-of-nonessential-programs-functions-ports-protocols-and-services)\\r\\n\\r\\nRestrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"disable\\\" or RecommendationName contains \\\"port\\\"\\r\\n| where RecommendationName !contains \\\"security group\\\"\\r\\n| where RecommendationName !contains \\\"Email\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2347Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Application Execution Policy (CM.L2-3.4.8)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#apply-deny-by-exception-blacklisting-policy-to-prevent-the-use-of-unauthorized-software-or-deny-all-permit-by-exception-whitelisting-policy-to-allow-the-execution-of-authorized-software)\\r\\n\\r\\nApply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"ware\\\" or Title contains \\\"deny\\\" or Title contains \\\"execution\\\" or Title contains \\\"software\\\" or Title contains \\\"restricted\\\" or Title contains \\\"tool\\\" or Title contains \\\"backdoor\\\" or Title contains \\\"file\\\" or Title contains \\\"exploit\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Restricted Software & Applications\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": 
\\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2348Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [User-Installed Software (CM.L2-3.4.9)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#control-and-monitor-user-installed-software)\\r\\n\\r\\nControl and monitor user-installed software.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://portal.atp.azure.com/)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | where ControlID == \\\"3.4.9\\\"\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2349Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.9\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCMVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Configuration Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Identification & Authentication](https://www.acq.osd.mil/cmmc/index.html) \\r\\n---\\r\\nIdentification & Authentication Management is the process of managing user, system, asset identities and controlling access to authorized resources.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Identification (IA.L1-3.5.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL1351.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authentication (IA.L1-3.5.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL1352.\\\\\\\" }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 1: Foundational\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL1351Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL1351.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL1352Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL1352.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4e13ea02-4a93-4b87-86a1-67c2d1088501\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Identification (IA.L1-3.5.1) \\r\\n\\r\\nIdentify information system users, processes acting on behalf of users, or devices.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Azure AD Identity Governance](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) 🔀[Identity Governance](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/GettingStarted)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AADManagedIdentitySignInLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/aadmanagedidentitysigninlogs) 🔷 [AADServicePrincipalSignInLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AADManagedIdentitySignInLogs\\r\\n| summarize count() by ServicePrincipalName, ResourceGroup\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Managed Identity Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ServicePrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"Managed Identity Actions\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not 
Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AADServicePrincipalSignInLogs \\r\\n| summarize count() by ServicePrincipalName, ResourceGroup\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Service Principal Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ServicePrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"Service Principal Actions\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL1351Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L1-3.5.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authentication (IA.L1-3.5.2)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#authenticate-or-verify-the-identities-of-those-users-processes-or-devices-as-a-prerequisite-to-allowing-access-to-organizational-information-systems)\\r\\n\\r\\nAuthenticate (or verify) the identities of those users, processes, or devices, as a 
prerequisite to allowing access to organizational information systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Customer Lockbox](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview) 🔀[Customer Lockbox](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 2\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| where IsInteractive == true\\r\\n| summarize Count = count() by SigninStatus\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | 
make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count()\\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend SigninStatus = 'All Sign-ins', Status = '*' \\r\\n)\\r\\n| where SigninStatus <> \\\"All Sign-ins\\\"\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Authentication Details\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not 
Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0 and AppDisplayName != \\\"\\\"\\r\\n| summarize count() by AppDisplayName\\r\\n| join (\\r\\nSigninLogs\\r\\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, 4h) by AppDisplayName \\r\\n) on AppDisplayName\\r\\n| top 25 by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Sign-Ins By Application\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"AppDisplayName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"AppDisplayName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\"
,\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL1352Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L1-3.5.2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 1: Foundational\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Multifactor Authentication (IA.L2-3.5.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL2353.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Replay-Resistant Authentication (IA.L2-3.5.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL2354.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Identifier Reuse (IA.L2-3.5.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL2355.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Identifier Handling (IA.L2-3.5.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL2356.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Password Complexity (IA.L2-3.5.7)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL2357.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL2353Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL2353.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL2354Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL2354.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a03661c7-1410-4410-89be-fffff2c4e0aa\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL2355Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL2355.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d0924f3b-66a9-451e-9314-9fac037c6f87\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL2356Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL2356.\",\"resultValType\":\"static\",\"resultVal\":\"tru
e\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9d02dc73-6456-42d4-ad74-8f62da23d5c8\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL2357Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL2357.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c6b28a87-f463-4185-bb2b-536834bb2efb\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Password Reuse (IA.L2-3.5.8)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL2358.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Temporary Passwords (IA.L2-3.5.9)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL2359.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Cryptographically-Protected Passwords (IA.L2-3.5.10)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL23510.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Obscure Feedback (IA.L2-3.5.11)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL23511.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f032b00a-cd79-4156-b773-9f5bf4873bfa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL2358Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL2358.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"2d24fe30-f95d-4b56-a629-267d40ee4034\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL2359Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL2359.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"95baeb0b-a97d-4408-a55a-3721e16cd12b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL23510Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL23510.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"d7d7de6a-bbec-491d-bcf0-d21a0dfbcd3d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL23511Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL23
511.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Multifactor Authentication (IA.L2-3.5.3)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#use-multifactor-authentication-for-local-and-network-access-to-privileged-accounts-and-for-network-access-to-non-privileged-accounts)\\r\\n\\r\\nUse multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MFAFailures = SigninLogs\\r\\n| where AuthenticationRequirement == \\\"multiFactorAuthentication\\\"\\r\\n| where ResultType <> 0\\r\\n| extend FailureReason = tostring(Status.failureReason)\\r\\n| where FailureReason contains \\\"User did not pass the MFA\\\"\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| summarize count() by UserPrincipalName, UserId, UserProfile\\r\\n| extend FailedMFACount=count_;\\r\\nlet LastObserved = SigninLogs\\r\\n| where ResultType <> 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastFailedSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| where AuthenticationRequirement == \\\"multiFactorAuthentication\\\"\\r\\n| where ResultType <> 0\\r\\n| extend FailureReason = tostring(Status.failureReason)\\r\\n| where FailureReason contains \\\"User did not pass the MFA\\\"\\r\\n| make-series Trend = dcount(FailureReason) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by UserPrincipalName\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (MFAFailures) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, FailedMFACount, Trend, LastFailedSignIn, UserId\\r\\n| sort by FailedMFACount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor User MFA Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. 
Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"FailedMFACount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation 
Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"MFA\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL2353Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Replay-Resistant Authentication (IA.L2-3.5.4)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#employ-replay-resistant-authentication-mechanisms-for-network-access-to-privileged-and-nonprivileged-accounts)\\r\\n\\r\\nEmploy replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs \\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"accessible\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL2354Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Identifier Reuse (IA.L2-3.5.5) \\r\\n\\r\\nPrevent reuse of identifiers for a defined period. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [Restore or Remove a Recently Deleted User Using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-restore)\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"reuse\\\" or Description contains \\\"without password\\\" or Description contains \\\"unneccessary account\\\" or Description contains \\\"blank password\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"reuse\\\" or Description contains \\\"without password\\\" or Description contains \\\"unneccessary account\\\" or Description contains \\\"blank password\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"reuse\\\" or Description contains \\\"without password\\\" or Description contains \\\"unneccessary account\\\" or Description contains \\\"blank password\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 
250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette
\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL2355Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Identifier Handling (IA.L2-3.5.6) \\r\\n\\r\\nDisable identifiers after a defined period of inactivity. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://portal.atp.azure.com/)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [Report on Azure AD Stale Users](https://gallery.technet.microsoft.com/scriptcenter/Report-on-Azure-AD-Stale-8e64c1c5)\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastSignIn = SigninLogs\\r\\n| where ResultType == \\\"0\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nlet CurrentUsers = SigninLogs\\r\\n| where ResultType == \\\"0\\\"\\r\\n| where TimeGenerated > ago(90d)\\r\\n| summarize HistoricUsers = makeset(UserPrincipalName);\\r\\nSigninLogs\\r\\n| where ResultType == \\\"0\\\"\\r\\n| where TimeGenerated between (ago(90d)..ago(30d))\\r\\n| where UserPrincipalName !in (CurrentUsers)\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\",UserId)\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastSignIn) on UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| extend SignInsBeforeInactive = count_\\r\\n| project UserPrincipalName, UserProfile, SignInsBeforeInactive, LastSignIn, UserId\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Inactive AAD Accounts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"SignInsBeforeInactive\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of 
Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL2356Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Password Complexity (IA.L2-3.5.7)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#enforce-a-minimum-password-complexity-and-change-of-characters-when-new-passwords-are-created)\\r\\n\\r\\nEnforce a minimum password complexity and change of characters when new passwords are created.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Azure AD Password Protection](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) 🔀[Azure AD Password Protection](https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"password\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL2357Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Password Reuse (IA.L2-3.5.8)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#prohibit-password-reuse-for-a-specified-number-of-generations)\\r\\n\\r\\nProhibit password reuse for a specified number of generations.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Azure AD Password Protection](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad) 🔀[Azure AD Password Protection](https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) 🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where Description contains \\\"reuse\\\" or Description contains \\\"password\\\" \\r\\n| summarize arg_max(TimeGenerated, *) by Description, _ResourceId\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| project Description, Total, PassedControls, Passed, Failed\\r\\n| sort by Total desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines for Password Reuse\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL2358Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Temporary Passwords (IA.L2-3.5.9) \\r\\n\\r\\nAllow temporary password use for system logons with an immediate change to a permanent password. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [Reset a User's Password Using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-reset-password-azure-portal)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PasswordReset = AuditLogs\\r\\n| where OperationName contains \\\"reset\\\"\\r\\n| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\r\\n| summarize count() by UserPrincipalName\\r\\n| project UserPrincipalName, PasswordResetCount=count_;\\r\\nlet LastObserved = AuditLogs\\r\\n| where OperationName contains \\\"reset\\\"\\r\\n| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastPasswordReset=TimeGenerated;\\r\\nlet UserProfiles = SigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| summarize count() by UserPrincipalName, UserId, UserProfile;\\r\\nAuditLogs\\r\\n| where OperationName contains \\\"reset\\\"\\r\\n| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\r\\n| make-series Trend = dcount(OperationName) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by UserPrincipalName\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (PasswordReset) on UserPrincipalName\\r\\n| join (UserProfiles) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, PasswordResetCount, Trend, LastPasswordReset, UserId\\r\\n| sort by PasswordResetCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Temporary Passwords via Password Resets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"PasswordResetCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL2359Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cryptographically-Protected Passwords 
(IA.L2-3.5.10)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#store-and-transmit-only-cryptographically-protected-passwords)\\r\\n\\r\\nStore and transmit only cryptographically-protected passwords. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/features/azure-portal/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"hash\\\" or Description contains \\\"sha\\\"\\r\\n| where Description !contains \\\"network\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"hash\\\" or Description contains \\\"sha\\\"\\r\\n| where Description !contains \\\"network\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"hash\\\" or Description contains \\\"sha\\\"\\r\\n| where Description !contains \\\"network\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL23510Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.10\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Obscure Feedback (IA.L2-3.5.11) \\r\\n\\r\\nObscure feedback of authentication information. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"reveal\\\" or Description contains \\\"hiding\\\" or Description contains \\\"display\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"reveal\\\" or Description contains \\\"hiding\\\" or Description contains \\\"display\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"reveal\\\" or Description contains \\\"hiding\\\" or Description contains \\\"display\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| where Description !contains \\\"Firewall\\\"\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement 
Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL23511Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.11\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Identification & Authentication Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Response](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\nIncident Response is the process of responding to cybersecurity incidents and events. Incident Response includes preparation, identification, containment, eradication, recovery, and lessons learned phases.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Handling (IR.L2-3.6.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IRL2361.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Reporting (IR.L2-3.6.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IRL2362.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Response Testing (IR.L2-3.6.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IRL2363.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIRL2361Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IRL2361.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIRL2362Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IRL2362.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"37671c36-7877-4f01-ac24-572c1bdee4a8\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIRL2363Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IRL2363.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c3921efe-053c-42c8-8dac-825e5f012447\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Handling (IR.L2-3.6.1)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#establish-an-operational-incident-handling-capability-for-organizational-systems-that-includes-preparation-detection-analysis-containment-recovery-and-user-response-activities)\\r\\n\\r\\nEstablish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) \\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\" Incidents Summary\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"High\\\"\\n| summarize kwSum=count(TenantId)\\n\\n\\n\\n\",\"size\":3,\"title\":\"CRITICAL\",\"noDataMessage\":\"No unauthorized devices making config changes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\
"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"kwSum\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"24\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| summarize kwSum=count(TenantId)\\n\\n\\n\\n\",\"size\":0,\"title\":\"OPEN\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"kwSum\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantD
igits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where Status == \\\"Closed\\\"\\n| summarize kwSum=count(TenantId)\\n\\n\\n\\n\",\"size\":0,\"title\":\"CLOSED\",\"noDataMessage\":\"No unauthorized devices making config changes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"kwSum\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"24\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where TimeGenerated > ago(1d)\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| distinct 
IncidentNumber\\n| summarize count()\\n\\n\\n\\n\\n\",\"size\":0,\"title\":\"NEW TODAY\",\"noDataMessage\":\"No unauthorized devices making config changes\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"24\",\"name\":\"query - 10\"}]},\"customWidth\":\"50\",\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber\\r\\n| where Status == \\\"Closed\\\"\\r\\n| extend TimeToRespond = (CreatedTime - FirstActivityTime)/1d \\r\\n| extend TimeToResolve = (ClosedTime - CreatedTime)/1d\\r\\n| extend AssignedAnalyst = tostring(Owner.assignedTo)\\r\\n| extend [\\\"MITRE ATT&CK Tactics\\\"] = tostring(parse_json(tostring(AdditionalData.tactics))[0])\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, ClosedTime desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, [\\\"MITRE ATT&CK Tactics\\\"], AssignedAnalyst, Classification, ClassificationComment, ClassificationReason, Description, TimeToRespond, TimeToResolve, IncidentStartTime=CreatedTime, IncidentClosedTime=ClosedTime, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Closure Reports\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"TimeToRespond\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"TimeToResolve\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIRL2361Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IR.L2-3.6.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Incident Reporting (IR.L2-3.6.2) \\r\\n\\r\\nTrack, document, and report incidents to designated officials and/or authorities both internal and external to the organization.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 
🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Severity\\r\\n| render areachart \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n 
{\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIRL2362Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IR.L2-3.6.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Incident Response Testing (IR.L2-3.6.3) \\r\\n\\r\\nTest the organizational incident response capability.\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Learning with the Microsoft Sentinel Training Lab](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/learning-with-the-microsoft-sentinel-training-lab/ba-p/2953403)
\\r\\n💡 [Microsoft Sentinel - SOC Process Framework Workbook](https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-soc-process-framework-workbook/ba-p/2339315)
\\r\\n💡 [Sentinel ATT&CK](https://github.com/BlueTeamLabs/sentinel-attack)
\\r\\n💡 [SimuLand: Understand adversary tradecraft and improve detection strategies](https://www.microsoft.com/security/blog/2021/05/20/simuland-understand-adversary-tradecraft-and-improve-detection-strategies/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"test\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Test\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"nam
e\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIRL2363Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IR.L2-3.6.3\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIRVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Incident Response Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Maintenance](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\nMaintenance includes processes such as system updates, patching, and configuration changes which are required for the overall functionality of the information system. \"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Perform Maintenance (MA.L2-3.7.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MAL2371.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Maintenance Control (MA.L2-3.7.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MAL2372.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Equipment Sanitization (MA.L2-3.7.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MAL2373.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Inspection (MA.L2-3.7.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MAL2374.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Nonlocal Maintenance (MA.L2-3.7.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MAL2375.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Maintenance Personnel (MA.L2-3.7.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MAL2376.\\\\\\\" 
}\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMAL2371Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MAL2371.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMAL2372Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MAL2372.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"5855b78f-147b-4bb6-9a86-4776ceabcd30\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMAL2373Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MAL2373.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"043a4584
-dcf6-49b7-98a7-7bc4a279fa17\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMAL2374Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MAL2374.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4398eb19-df64-4d8e-b839-c8f215a38a72\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMAL2375Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MAL2375.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"8cef5081-ba3a-4fd7-a6c8-2db221eb7287\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMAL2376Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MAL2376.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"abcb0f11-bfa3-47e4-aaf5-f4b0487f632b\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Perform Maintenance (MA.L2-3.7.1) \\r\\n\\r\\nPerform maintenance on organizational 
systems.\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Handling Planned Maintenance Notifications Using the Azure Portal](https://docs.microsoft.com/azure/virtual-machines/maintenance-notifications-portal)
\\r\\n💡 [Managing Platform Updates with Maintenance Control](https://docs.microsoft.com/azure/virtual-machines/maintenance-control)
\\r\\n💡 [Scheduling Maintenance Updates with Maintenance Control and Azure Functions](https://github.com/Azure/azure-docs-powershell-samples/tree/master/maintenance-auto-scheduler)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"update\\\" or RecommendationName contains \\\"upgrade\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMAL2371Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MA.L2-3.7.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# System Maintenance Control (MA.L2-3.7.2)\\r\\n\\r\\nProvide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Privileged Access Workstations](https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"identity\\\" or type contains \\\"networksecuritygroups\\\" or type contains \\\"bastion\\\" or type contains \\\"lock\\\" or type contains \\\"endpoint\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Control Maintenance Activities via Security Controls (Identity, Network, Endpoint)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMAL2372Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MA.L2-3.7.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Equipment Sanitization (MA.L2-3.7.3) \\r\\n\\r\\nEnsure equipment removed for off-site maintenance is sanitized of any CUI. \\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Data destruction in Microsoft 365](https://docs.microsoft.com/compliance/assurance/assurance-data-destruction)
\\r\\n💡 [Azure customer data protection](https://docs.microsoft.com/azure/security/fundamentals/protection-customer-data)
\\r\\n💡 [Configure encryption with customer-managed keys stored in Azure Key Vault](https://docs.microsoft.com/azure/storage/common/customer-managed-keys-configure-key-vault)
\\r\\n💡 [NIST SP 800-88: Guidelines for Media Sanitization](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Leverage Key Vaults for Cryptographic Erasure\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of 
Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMAL2373Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MA.L2-3.7.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Media Inspection (MA.L2-3.7.4) \\r\\n\\r\\nCheck media containing diagnostic and test programs for malicious code before the media are used in organizational systems. \\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Use Microsoft Endpoint Configuration Manager to Run a Scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus#use-microsoft-endpoint-configuration-manager-to-run-a-scan)
\\r\\n💡 [Custom Scan a USB Drive](https://gallery.technet.microsoft.com/Custom-scan-a-USB-drive-17b9be2a)
\\r\\n💡 [Configure Microsoft Defender Antivirus scanning options](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"usb\\\" or Title contains \\\"drive\\\" or Title contains \\\"media\\\" or Title contains \\\"removable\\\" or Title contains \\\"tool\\\" or Title contains \\\"ware\\\" or Title contains \\\"software\\\" or Title contains \\\"virus\\\" or Title contains \\\"trojan\\\" or Title contains \\\"c2\\\" or Title contains \\\"beacon\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Media Inspection\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"nam
e\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMAL2374Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MA.L2-3.7.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Nonlocal Maintenance (MA.L2-3.7.5)\\r\\n\\r\\nRequire multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MFAFailures = SigninLogs\\r\\n| where AuthenticationRequirement == \\\"multiFactorAuthentication\\\"\\r\\n| where ResultType <> 0\\r\\n| extend FailureReason = tostring(Status.failureReason)\\r\\n| where FailureReason contains \\\"User did not pass the MFA\\\"\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| summarize count() by UserPrincipalName, UserId, UserProfile\\r\\n| extend FailedMFACount=count_;\\r\\nlet LastObserved = SigninLogs\\r\\n| where ResultType <> 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend Country = tostring(LocationDetails.countryOrRegion)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| project UserPrincipalName, LastFailedSignIn=TimeGenerated, City, State, Country;\\r\\nSigninLogs\\r\\n| where AuthenticationRequirement == \\\"multiFactorAuthentication\\\"\\r\\n| where ResultType <> 0\\r\\n| extend FailureReason = tostring(Status.failureReason)\\r\\n| where FailureReason contains \\\"User did not pass the MFA\\\"\\r\\n| join kind=inner (LastObserved) on UserPrincipalName\\r\\n| join kind=inner (MFAFailures) on UserPrincipalName\\r\\n| join kind=inner (IdentityInfo| extend AssignedRoles = strcat(AssignedRoles)| extend UserPrincipalName=AccountUPN| where AssignedRoles contains \\\"admin\\\" or AssignedRoles contains \\\"owner\\\"| project UserPrincipalName, AssignedRoles) on UserPrincipalName\\r\\n| distinct UserPrincipalName, UserProfile, FailedMFACount, LastFailedSignIn, AssignedRoles, City, State, Country, UserId\\r\\n| join (SigninLogs | where 
AuthenticationRequirement == \\\"multiFactorAuthentication\\\"| where ResultType <> 0| extend FailureReason = tostring(Status.failureReason)| where FailureReason contains \\\"User did not pass the MFA\\\"| make-series Trend = dcount(FailureReason) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by UserPrincipalName) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, FailedMFACount, Trend, LastFailedSignIn, AssignedRoles, City, State, Country, UserId\\r\\n| sort by FailedMFACount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Admin MFA Failures by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile 
>>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"FailedMFACount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"City\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Country\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation 
Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMAL2375Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MA.L2-3.7.5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Maintenance Personnel (MA.L2-3.7.6)\\r\\n\\r\\nSupervise the maintenance activities of maintenance personnel without required access authorization.\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Customer Lockbox](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview) 🔀[Customer Lockbox](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| distinct OperationName, Identity, AADOperationType, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| project OperationName, AADOperationType, Identity, TimeGenerated\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Implement/Monitor Privileged Identity Management for Maintenance\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Identity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMAL2376Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MA.L2-3.7.6\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: 
Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Maintenance\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Media Protection](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\nMedia protection includes physical, logical, and administrative controls over sensitive data.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Disposal (MP.L1-3.8.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL1383.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 1: Foundational\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL1383Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL1383.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Media Disposal (MP.L1-3.8.3) \\r\\n\\r\\nSanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [DeviceEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceevents) 🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n🔷 [InformationProtectionEvents](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Data destruction in Microsoft 365](https://docs.microsoft.com/compliance/assurance/assurance-data-destruction)
\\r\\n💡 [NIST SP 800-88: Guidelines for Media Sanitization](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf)
\\r\\n💡 [Purge Process](https://docs.microsoft.com/azure/data-explorer/kusto/concepts/data-purge#purge-process)
\\r\\n💡 [Configure encryption with customer-managed keys stored in Azure Key Vault](https://docs.microsoft.com/azure/storage/common/customer-managed-keys-configure-key-vault)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionEvents\\r\\n| project DLPEventTime=Time, User, File=ItemName\\r\\n| join kind=inner (\\r\\n DeviceEvents\\r\\n | where ActionType == \\\"UsbDriveMounted\\\"\\r\\n | extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)\\r\\n | join kind=inner (DeviceFileEvents\\r\\n | project TimeGenerated, ActionType, FileName, FolderPath, DeviceId, DeviceName\\r\\n | extend FileCopyTime = TimeGenerated\\r\\n | where ActionType == \\\"FileCreated\\\"\\r\\n | extend FileCopyName = FileName\\r\\n | parse FolderPath with DriveLetter '\\\\\\\\' *\\r\\n | extend DriveLetter = tostring(DriveLetter)\\r\\n )\\r\\n on DeviceId, DriveLetter) \\r\\n on $left.File == $right.FileCopyName\\r\\n| project DLPEventTime, FileCopyTime, File, DeviceName, AccountName\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor/Sanitize Media Containing Sensitive Data (Sensitive Data Added to External Media)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation 
Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Leverage Key Vaults for Cryptographic Erasure\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL1383Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L1-3.8.3\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 1: Foundational\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Protection (MP.L2-3.8.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2381.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Access (MP.L2-3.8.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2382.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Markings (MP.L2-3.8.4) \\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2384.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Accountability (MP.L2-3.8.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2385.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: 
Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL2381Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2381.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL2382Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2382.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4c991fcc-ad60-4a85-8a81-8a1eca81b84f\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL2384Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2384.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"382d8b6b-1535-4cd8-9bdb-15f36c4da757\"},{\"version\":\"KqlParamete
rItem/1.0\",\"name\":\"isMPL2385Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2385.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"75d66cd9-912d-461f-af51-d4d4cd613e66\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Portable Storage Encryption (MP.L2-3.8.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2386.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Removable Storage Encryption (MP.L2-3.8.7)\\\\\\\" , \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2387.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Shared Media (MP.L2-3.8.8)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2388.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Protect Backups (MP.L2-3.8.9)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2389.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"82671455-a6cd-456f-920d-60907f37b25a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL2386Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2386.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"2dfdf645-b545-4f9f-a669-ef11d46eb8d5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL2387Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2387.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"0078f793-27e8-4ff8-af11-81da3138422e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL2388Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2388.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"4a59d8b9-e013-4034-a92b-49f9ea316b67\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL2389Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2389.
\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Media Protection (MP.L2-3.8.1) \\r\\n\\r\\nProtect (i.e., physically control and securely store) system media containing CUI, both paper and digital. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [InformationProtectionEvents](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Physical Security](https://docs.microsoft.com/azure/security/fundamentals/physical-security)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionEvents\\r\\n| where LabelName <> \\\"\\\"\\r\\n| extend AIP = strcat(\\\"https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/ActivityLogsBlade\\\")\\r\\n| summarize count() by LabelName, AIP, User, ItemName, ItemPath\\r\\n| sort by count_ desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Inventory / Secure Sensitive Data\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AIP\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection >>\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2381Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Media Access (MP.L2-3.8.2)\\r\\n\\r\\nLimit access to CUI on system media to authorized users.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Storage Accounts](https://azure.microsoft.com/product-categories/storage/) 🔀[Storage accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"access\\\" or Title contains \\\"data\\\" or Title contains \\\"loss\\\" or Title contains \\\"exfil\\\" or Title contains \\\"USB\\\" or Title contains \\\"drive\\\" or Title contains \\\"storage\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Access\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"nam
e\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2382Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Media Markings (MP.L2-3.8.4)\\r\\n\\r\\nMark media with necessary CUI markings and distribution limitations.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [InformationProtectionEvents](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionEvents\\r\\n| where LabelName <> \\\"\\\"\\r\\n| extend AIP = strcat(\\\"https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/ActivityLogsBlade\\\")\\r\\n| summarize count() by LabelName, AIP\\r\\n| sort by count_ desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitive Data Labels in Use\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AIP\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection 
>>\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"chartSettings\":{\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2384Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Media Accountability (MP.L2-3.8.5) \\r\\n\\r\\nControl access to media containing CUI and maintain accountability for media during transport outside of controlled areas. 
\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"521d368e-c46e-41b5-bea0-fd07dc96b511\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Review Azure Information Protection Logs\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}}]},\"customWidth\":\"50\",\"name\":\"links - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation 
Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2385Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Portable Storage Encryption (MP.L2-3.8.6)\\r\\n\\r\\nImplement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"crypt\\\" or RecommendationName contains \\\"transit\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2386Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Removable Media (MP.L2-3.8.7) \\r\\n\\r\\nControl the use of removable media on system components.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [DeviceEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceevents) 🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" DeviceEvents\\r\\n | where ActionType == \\\"UsbDriveMounted\\\"\\r\\n | extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)\\r\\n | join kind=inner (DeviceFileEvents\\r\\n | project TimeGenerated, ActionType, FileName, FolderPath, DeviceId, DeviceName\\r\\n | extend FileCopyTime = TimeGenerated\\r\\n | where ActionType == \\\"FileCreated\\\"\\r\\n | extend FileCopyName = FileName\\r\\n | parse FolderPath with DriveLetter '\\\\\\\\' *\\r\\n | extend DriveLetter = tostring(DriveLetter)\\r\\n )\\r\\n on DeviceId, DriveLetter\\r\\n| project FileName, DeviceName, AccountName, TimeGenerated\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor/Control Removeable Media Usage\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2387Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Shared Media (MP.L2-3.8.8) \\r\\n\\r\\nProhibit the use of 
portable storage devices when such devices have no identifiable owner.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n\\r\\n## Implementation Guidance\\r\\n💡 [Microsoft Defender for Endpoint Device Control Device Installation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/mde-device-control-device-installation#allow-or-block-removable-devices)
\\r\\n💡 [Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":1,\"content\":{\"json\":\"### [Prohibit Rogue USB Devices >>](https://endpoint.microsoft.com/#blade/Microsoft_Intune_Workflows/SecurityManagementMenu/asr)\\r\\n![Image Name](https://docs.microsoft.com/windows/security/threat-protection/device-control/images/baselines.png  \\\"Rogue USB\\\") 
\\r\\n\"},\"customWidth\":\"45\",\"name\":\"text - 1\",\"styleSettings\":{\"maxWidth\":\"45\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2388Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Protect Backups (MP.L2-3.8.9) \\r\\n\\r\\nProtect the confidentiality of backup CUI at storage locations. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"back\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2389Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.9\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Media Protection\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Personnel Security](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\nPersonnel Security is focused on controlling human access to systems, networks, and assets. Personnel Security includes considerations for screening individuals with access to Controlled Unclassified Information (CUI) and protection of such data after personnel actions such as terminations or transfers. \"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Screen Individuals (PS.L2-3.9.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PSL2391.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Personnel Actions (PS.L2-3.9.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PSL2391.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPSL2391Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"PSL2391.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Screen Individuals (PS.L2-3.9.1) \\r\\n\\r\\nScreen individuals prior to authorizing access to organizational systems containing CUI.\\r\\n\\r\\n# Personnel Actions (PS.L2-3.9.2) \\r\\n\\r\\nEnsure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.\\r\\n\\r\\n## Implementation Statement\\r\\nPersonnel security screening (vetting) activities involve the evaluation/assessment of individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. 
The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.\\r\\nYou can ensure all employees who need access to CUI undergo organization-defined screening before being granted access based on the types of screening requirements for a given position and role. Clearly define positions and roles within your organization. Implement roles using 💡 [Azure RBAC](https://docs.microsoft.com/azure/role-based-access-control) and 💡 [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview). For example, administrators with access to CUI and specific roles with permissions to view CUI should follow an organizationally defined screening process. \\r\\n\\r\\n## Customer Responsibility\\r\\n Screening individuals prior to authorizing access to customer-deployed resources.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft 365 Compliance: Insider Risk Management](https://www.microsoft.com/microsoft-365/business/compliance-solutions) 🔀[Insider Risk Management](https://compliance.microsoft.com/insiderriskmgmt?viewid=overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft 365 Compliance: Insider Risk Management](https://www.microsoft.com/microsoft-365/business/compliance-solutions)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [Insider Risk Management: Setup a Connector to import HR Data & Track Last Working Dates](https://docs.microsoft.com/microsoft-365/compliance/import-hr-data)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV1\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"5\",\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Role Based Access Control](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) / [Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)\\r\\n![Image Name](https://azurecomcdn.azureedge.net/cvt-f83fd647d6f366492554e3c84c6972956ea0fa343f1f12abc9590dd97f777e9e/images/page/overview/trusted-cloud/index/ill-1.png) \\r\\n\\r\\n\\r\\n\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProductName == \\\"Microsoft 365 Insider Risk Management\\\"\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n| extend UserPrincipalName = UPN\\r\\n| distinct AlertName, ProductName, Status, AlertLink, UserPrincipalName, Tactics, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Enable the HR 
Connector & Monitor Microsoft 365: Insider Risk Management Alert Details\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"name\":\"query - 2\"}]},\"customWidth\":\"40\",\"name\":\"OV\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPSL2391Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"PS.L2-3.9.1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Personnel 
Security\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Physical Protection](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\nPhysical Protections are focused on protecting direct access to systems, networks, and assets. Physical protection includes considerations for limiting physical access, escorting visitors, maintaining visit audit logs, monitoring infrastructure, and protecting Controlled Unclassified Information (CUI).\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Limit Physical Access (PE.L1-3.10.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PEL13101.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Escort Visitors (PE.L1-3.10.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PEL13101.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Physical Access Logs (PE.L1-3.10.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PEL13101.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Manage Physical Access (PE.L1-3.10.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PEL13101.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 1: Foundational\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPEL13101Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"PEL13101.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Limit Physical Access (PE.L1-3.10.1)
\\r\\nLimit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. \\r\\n# Escort Visitors (PE.L1-3.10.3)
\\r\\nEscort visitors and monitor visitor activity. \\r\\n# Physical Access Logs (PE.L1-3.10.4)
\\r\\nMaintain audit logs of physical access.\\r\\n# Manage Physical Access (PE.L1-3.10.5)
\\r\\nControl and manage physical access devices. \\r\\n## Recommended References\\r\\n💡 [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
\\r\\n💡 [Datacenter physical access security](https://docs.microsoft.com/compliance/assurance/assurance-datacenter-physical-access-security)
\\r\\n💡 [Azure Facilities, Premises, and Physical Security](https://docs.microsoft.com/azure/security/fundamentals/physical-security)
\\r\\n💡 [Management and Operation of the Azure Production Network](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-operations)
\\r\\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"45\",\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"5\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"## [Azure Datacenters: Physical Security](https://docs.microsoft.com/azure/security/fundamentals/physical-security) \\r\\n![Image Name](https://stp-api-cdn-prod.azureedge.net/api/Images/e5724a10-491a-11e8-9fe5-75d16dd56b03?hash=7AC632B242A298BFB2E2CFF3968117CFDA3A33AB0A50B1FCBD565C0F6D1DBCB6  \\\"Physical Security Controls\\\")\\r\\n\"},\"customWidth\":\"45\",\"name\":\"text - 2\",\"styleSettings\":{\"maxWidth\":\"45\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation 
Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPEL13101Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"PE.L1-3.10.1-PE.L1-3.10.5\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 1: Foundational\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Monitor Facility (PE.L2-3.10.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PEL23102.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Alternate Work Sites (PE.L2-3.10.6) \\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PEL23102.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPEL23102Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"PEL23102.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Monitor Facility (PE.L2-3.10.2) \\r\\nProtect and monitor the physical facility and support infrastructure for organizational systems.\\r\\n\\r\\n# Alternate Work Sites (PE.L2-3.10.6) \\r\\n\\r\\nEnforce safeguarding measures for CUI at alternate work sites.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Azure Global Infrastructure](https://azure.microsoft.com/global-infrastructure/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Named Locations](https://docs.microsoft.com/azure/active-directory/conditional-access/location-condition) 🔀[Azure AD Named Locations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/NamedNetworksWithCountryBlade)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n## Recommended References\\r\\n💡 [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
\\r\\n💡 [Datacenter physical access security](https://docs.microsoft.com/compliance/assurance/assurance-datacenter-physical-access-security)
\\r\\n💡 [Azure Facilities, Premises, and Physical Security](https://docs.microsoft.com/azure/security/fundamentals/physical-security)
\\r\\n💡 [Management and Operation of the Azure Production Network](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-operations)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| extend UserPrincipalName = UserId_s\\r\\n| where LabelName_s <> \\\"\\\"\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Geolocation of Sensitive Data Access\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activity_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"City\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Country_Region\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]
}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"orange\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPEL23102Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"PE.L2-3.10.2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPEVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Physical Protection\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Risk Assessment](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\nRisk Assessment ensures a consistent approach to the identification, mitigation, and response to security risks.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Risk Assessments (RA.L2-3.11.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RAL23111.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Vulnerability Scan (RA.L2-3.11.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RAL23112.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Vulnerability Remediation (RA.L2-3.11.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RAL23113.\\\\\\\" 
}\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRAL23111Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RAL23111.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRAL23112Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RAL23112.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"80e03675-0c89-4b00-9429-5bbdddcc99be\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRAL23113Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RAL23113.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a8
b29546-b1b5-4787-bc4c-16c98e5b8424\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Risk Assessments (RA.L2-3.11.1)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#periodically-assess-the-risk-to-organizational-operations-including-mission-functions-image-or-reputation-organizational-assets-and-individuals-resulting-from-the-operation-of-organizational-systems-and-the-associated-processing-storage-or-transmission-of-cui)\\r\\n\\r\\nPeriodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n💡[Secure Score: Microsoft Defender for Cloud](https://docs.microsoft.com/azure/defender-for-cloud/secure-score-security-controls)
\\r\\n💡[Microsoft Secure Score: Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/microsoft-secure-score)
\\r\\n💡[Identity Secure Score: Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/identity-secure-score)
\\r\\n💡[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| make-series count() default=0 on DiscoveredTimeUTC from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationSeverity\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Defender for Cloud: Recommendations over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Medium\",\"color\":\"yellow\"},{\"seriesName\":\"High\",\"color\":\"redBright\"},{\"seriesName\":\"Low\",\"color\":\"blueDark\"}]}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": 
\\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRAL23111Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RA.L2-3.11.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Vulnerability Scan (RA.L2-3.11.2)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#scan-for-vulnerabilities-in-organizational-systems-and-applications-periodically-and-when-new-vulnerabilities-affecting-those-systems-and-applications-are-identified)\\r\\n\\r\\nScan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n✳️ [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) 🔀[DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityNestedRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitynestedrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n| where type == \\\"microsoft.security/assessments/subassessments\\\"\\r\\n| extend assessmentKey = extract(\\\".*assessments/(.+?)/.*\\\",1, id)\\r\\n| where assessmentKey == \\\"1195afff-c881-495e-9bc5-1486211ae03f\\\"\\r\\n | project Resource = tolower(extract(\\\"([\\\\\\\\s\\\\\\\\S]*?)(/providers/Microsoft.Security.*)\\\",1,id)), ResourceGroup = trim_end(\\\"/\\\",extract(\\\".*resourceGroups/(.+?)/\\\",0,id)), ResourceType = tolower(split(id,\\\"/\\\").[6]), subscriptionId, severity = tostring(parse_json(properties).status.severity), status = tostring(parse_json(properties).status.code), VulnId = tostring(parse_json(properties).id), description = tostring(parse_json(properties).displayName), patchable = parse_json(properties.additionalData).patchable, cve = parse_json(properties.additionalData).cve\\r\\n | where status == 'Unhealthy'\\r\\n | summarize dcount(VulnId) by ResourceGroup, Resource, severity, VulnId, description, tostring(patchable), tostring(cve)\\r\\n | summarize Total = count(dcount_VulnId), sevH=countif(severity=='High'), sevM=countif(severity=='Medium'), sevL=countif(severity=='Low'), patchAvailable = countif(patchable=='true'), CVEcount =countif(cve!='[]') by ResourceGroup, Resource\\r\\n | order by sevH desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerability Scanning\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"exportFieldName\":\"Resource\",\"exportParameterName\":\"selectedServer\",\"exportDefaultValue\":\"All\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"$gen_group\",\"formatter\":13,\"formatOptions\":{\"linkColumn\":\"Resource\",\"linkTarget\":\"Resource\",\"showIcon\":true,\"customColumnWidthSetting\":\"30ch\"}},{\"columnMatch\":\"ResourceGroup\",\"formatter\":5},{\"columnMatch\":\"Resource\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"Total\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10ch\"}},{\"columnMatch\":\"sevH\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"12ch\"}},{\"columnMatch\":\"sevM\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\",\"customColumnWidthSetting\":\"13ch\"}},{\"columnMatch\":\"sevL\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blueDark\",\"customColumnWidthSetting\":\"10ch\"}},{\"columnMatch\":\"patchAvailable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"CVEcount\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"10ch\"}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ResourceGroup\"],\"expandTopLevel\":true,\"finalBy\":\"Resource\"},\"labelSettings\":[{\"columnId\":\"ResourceGroup\",\"label\":\"Resource 
group\"},{\"columnId\":\"sevH\",\"label\":\"High\"},{\"columnId\":\"sevM\",\"label\":\"Medium\"},{\"columnId\":\"sevL\",\"label\":\"Low\"},{\"columnId\":\"patchAvailable\",\"label\":\"Available patches\"},{\"columnId\":\"CVEcount\",\"label\":\"CVEs\"}]}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n| where type == \\\"microsoft.security/assessments/subassessments\\\"\\r\\n| extend assessmentKey = extract(\\\".*assessments/(.+?)/.*\\\",1, id)\\r\\n| where assessmentKey == \\\"1195afff-c881-495e-9bc5-1486211ae03f\\\"\\r\\n| project Resource = tolower(extract(\\\"([\\\\\\\\s\\\\\\\\S]*?)(/providers/Microsoft.Security.*)\\\",1,id)), ResourceGroup = trim_end(\\\"/\\\",extract(\\\".*resourceGroups/(.+?)/\\\",0,id)), ResourceType = tolower(split(id,\\\"/\\\").[6]), subscriptionId, Severity = tostring(parse_json(properties).status.severity), Status = tostring(parse_json(properties).status.code), VulnId = tostring(parse_json(properties).id), Description = tostring(parse_json(properties).displayName), Patchable = parse_json(properties.additionalData).patchable, CVE = properties.additionalData.cve, Category = tostring(properties.category), TimeGenerated = tostring(properties.timeGenerated), Remediation = tostring(properties.remediation), Impact = tostring(properties.impact), Threat = tostring(properties.additionalData.threat)\\r\\n| where Status == 'Unhealthy'\\r\\n| where '{selectedServer}' == 'All' or Resource == '{selectedServer}'\\r\\n| project Severity, VulnId, Description, tostring(Patchable), Category, Resource, ResourceGroup, CVE, TimeGenerated, Remediation, Impact, Threat\\r\\n| mv-expand CveExpand = split (CVE, \\\"},\\\") to typeof(string)\\r\\n| parse CveExpand with * '\\\"title\\\":\\\"' singleCve '\\\"' *\\r\\n| summarize CVEs = tostring(make_list(singleCve)) by Severity, VulnId, Description, tostring(Patchable), Category, Resource, ResourceGroup, TimeGenerated, Threat, 
Impact, Remediation\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerability Details >> Select Asset in Vulnerability Scanning Panel Above\",\"noDataMessage\":\"Select Asset in Vulnerability Scanning Panel Above\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{selectedServer}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":5},{\"columnMatch\":\"VulnId\",\"formatter\":5},{\"columnMatch\":\"Resource\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"Remediation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Severity\"],\"expandTopLevel\":true,\"finalBy\":\"VulnId\"},\"labelSettings\":[{\"columnId\":\"ResourceGroup\",\"label\":\"Resource group\"},{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"}]}},\"name\":\"query - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRAL23112Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RA.L2-3.11.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Vulnerability Remediation (RA.L2-3.11.3)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#remediate-vulnerabilities-in-accordance-with-risk-assessments)\\r\\n\\r\\nRemediate vulnerabilities in accordance with risk assessments.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"vuln\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRAL23113Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RA.L2-3.11.3\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRMVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Risk Assessment Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Assessment](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\nSecurity Assessment includes periodic evaluation of security controls for effectiveness.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Control Assessment (CA.L2-3.12.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CAL23121.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Plan of Action (CA.L2-3.12.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CAL23122.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Control Monitoring (CA.L2-3.12.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CAL23123.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Security Plan (CA.L2-3.12.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CAL23124.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCAL23121Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CAL23121.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCAL23122Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CAL23122.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"8c21e2d6-577c-431b-898e-31005bc5b3dd\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCAL23123Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CAL23123.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"09408af6-93db-4cfc-9896-27464b738854\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCAL23124Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CAL23124.\",\"resultValType\":\"static\",\"resultVal
\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c4bd4612-6a08-479b-82db-9afd61582581\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Control Assessment (CA.L2-3.12.1)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#periodically-assess-the-security-controls-in-organizational-systems-to-determine-if-the-controls-are-effective-in-their-application)\\r\\n\\r\\nPeriodically assess the security controls in organizational systems to determine if the controls are effective in their application. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) 🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SecurityProducts = datatable(ProviderName:string, Product:string, Portal:string)\\r\\n[\\r\\n \\\"ASI Scheduled Alerts\\\", \\\"Microsoft Sentinel\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"ASI NRT Alerts\\\", \\\"Microsoft Sentinel\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"MCAS\\\", \\\"Microsoft Defender for Cloud Apps\\\", \\\"https://seccxpninja.portal.cloudappsecurity.com/#/policy\\\",\\r\\n \\\"MDATP\\\", \\\"Microsoft Defender for Endpoint\\\", \\\"https://security.microsoft.com/alertpolicies\\\",\\r\\n \\\"Azure Security Center\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/7\\\",\\r\\n \\\"Detection-WarmPathV2\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/7\\\",\\r\\n \\\"MicrosoftThreatProtection\\\", \\\"Microsoft 365 Defender\\\", \\\"https://security.microsoft.com/alertpolicies\\\",\\r\\n \\\"IPC\\\", \\\"Azure Active Directory Identity Protection\\\", \\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/UsersAtRiskAlerts\\\",\\r\\n \\\"Detection-Fusion\\\", \\\"Microsoft Sentinel\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"Sentinel Fusion\\\", \\\"Microsoft Sentinel\\\", 
\\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"Azure Advanced Threat Protection\\\", \\\"Microsoft Defender for Identity\\\", \\\"https://portal.atp.azure.com/\\\",\\r\\n \\\"Threat Intelligence Alerts\\\", \\\"Microsoft Sentinel\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"IoTSecurity\\\", \\\"Microsoft Defender for IoT\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Alerts\\\",\\r\\n \\\"MSTIC\\\", \\\"Microsoft Sentinel\\\", \\\"https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade\\\",\\r\\n \\\"AntimalwarePublisher\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/7\\\",\\r\\n \\\"OATP\\\", \\\"Microsoft Defender for Office 365\\\", \\\"https://security.microsoft.com/alertpolicies\\\",\\r\\n \\\"AdaptiveNetworkHardenings\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/f9f0eed0-f143-47bf-b856-671ea2eeed62\\\",\\r\\n \\\"StorageThreatDetection\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/7\\\",\\r\\n \\\"CloudNetworkSecurity\\\", \\\"Azure Network Security\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview\\\",\\r\\n \\\"SQLThreatDetection\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SqlVaServersRecommendationDetailsBlade/assessmentKey/82e20e14-edc5-4373-bfc4-f13121257c37\\\"\\r\\n];\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| where Status==\\\"Closed\\\"\\r\\n| mv-expand AlertIds\\r\\n| extend SystemAlertId=strcat(AlertIds)\\r\\n| join 
kind=inner (SecurityAlert | extend SystemAlertId=strcat(SystemAlertId)) on SystemAlertId\\r\\n| summarize\\r\\n TruePositive = countif(Classification == \\\"TruePositive\\\"),\\r\\n BenignPositive = countif(Classification == \\\"BenignPositive\\\"),\\r\\n FalsePositive = countif(Classification == \\\"FalsePositive\\\"),\\r\\n Undetermined = countif(Classification == \\\"Undetermined\\\"),\\r\\n Total = countif(Classification == \\\"TruePositive\\\" or Classification == \\\"BenignPositive\\\" or Classification == \\\"FalsePositive\\\") by AlertName, ProviderName1\\r\\n| extend EfficiencyRating = (TruePositive / todouble(Total)) * 100\\r\\n| join kind=leftouter(SecurityProducts) on $left.ProviderName1 == $right.ProviderName\\r\\n| project AlertName, EfficiencyRating, Portal, Product, Total, TruePositive, BenignPositive, FalsePositive, Undetermined\\r\\n| sort by EfficiencyRating, Total desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alert Efficiency\",\"noDataMessage\":\"No Alerts Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EfficiencyRating\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redGreen\"},\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":0}}},{\"columnMatch\":\"Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Tune Alert >>\"}},{\"columnMatch\":\"Product\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense 
Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"TruePositive\",\"color\":\"green\"},{\"columnName\":\"BenignPositive\",\"color\":\"orange\"},{\"columnName\":\"FalsePositive\",\"color\":\"redBright\"}]}}}],\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Product\"],\"expandTopLevel\":true,\"finalBy\":\"AlertName\"},\"sortBy\":[{\"itemKey\":\"TruePositive\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TruePositive\",\"sortOrder\":2}]},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCAL23121Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CA.L2-3.12.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Plan of Action (CA.L2-3.12.2)\\r\\n\\r\\nDevelop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\\r\\n| summarize\\r\\n Failed = countif(RecommendationState == \\\"Unhealthy\\\"),\\r\\n Passed = countif(RecommendationState == \\\"Healthy\\\"),\\r\\n Total = countif(RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"Unhealthy\\\")\\r\\n by AssessedResourceId\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| project AssessedResourceId, Total, PassedControls, Passed, Failed\\r\\n| sort by Total, Failed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Develop Plan of Action via Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AssessedResourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCAL23122Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CA.L2-3.12.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Control Monitoring (CA.L2-3.12.3)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#monitor-security-controls-on-an-ongoing-basis-to-ensure-the-continued-effectiveness-of-the-controls)\\r\\n\\r\\nMonitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. \\r\\n## Secondary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SecurityProducts = datatable(ProviderName:string, Product:string)\\r\\n[\\r\\n \\\"ASI Scheduled Alerts\\\", \\\"Microsoft Sentinel\\\", \\r\\n \\\"ASI NRT Alerts\\\", \\\"Microsoft Sentinel\\\", \\r\\n \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\", \\r\\n \\\"MCAS\\\", \\\"Microsoft Defender for Cloud Apps\\\",\\r\\n \\\"MDATP\\\", \\\"Microsoft Defender for Endpoint\\\", \\r\\n \\\"Azure Security Center\\\", \\\"Microsoft Defender for Cloud\\\",\\r\\n \\\"Detection-WarmPathV2\\\", \\\"Microsoft Defender for Cloud\\\", \\r\\n \\\"MicrosoftThreatProtection\\\", \\\"Microsoft 365 Defender\\\",\\r\\n \\\"IPC\\\", \\\"Azure Active Directory Identity Protection\\\", \\r\\n \\\"Detection-Fusion\\\", \\\"Microsoft Sentinel\\\", \\r\\n \\\"Sentinel Fusion\\\", \\\"Microsoft Sentinel\\\", \\r\\n \\\"Azure Advanced Threat Protection\\\", \\\"Microsoft Defender for Identity\\\",\\r\\n \\\"Threat Intelligence Alerts\\\", \\\"Microsoft Sentinel\\\",\\r\\n \\\"IoTSecurity\\\", \\\"Microsoft Defender for IoT\\\", \\r\\n \\\"MSTIC\\\", \\\"Microsoft Sentinel\\\", \\r\\n \\\"AntimalwarePublisher\\\", \\\"Microsoft Defender for Cloud\\\",\\r\\n \\\"OATP\\\", \\\"Microsoft Defender for Office 365\\\", \\r\\n \\\"AdaptiveNetworkHardenings\\\", \\\"Microsoft Defender for Cloud\\\",\\r\\n \\\"StorageThreatDetection\\\", \\\"Microsoft Defender for Cloud\\\", \\r\\n \\\"CloudNetworkSecurity\\\", \\\"Azure Network Security\\\", \\r\\n \\\"SQLThreatDetection\\\", \\\"Microsoft Defender for Cloud\\\"\\r\\n];\\r\\nSecurityAlert\\r\\n| join kind=rightouter(SecurityProducts) on ProviderName\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Product\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Security Controls for Efficiency >> Spikes Indicate Areas 
for Investigation+Tuning\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50%\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isCAL23123Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CA.L2-3.12.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# System Security Plan (CA.L2-3.12.4) \\r\\n\\r\\nDevelop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. \\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Understanding Network Map](https://docs.microsoft.com/azure/security-center/security-center-network-recommendations#understanding-the-network-map)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where OperationName == \\\"NetworkSecurityGroupEvents\\\"\\r\\n| summarize count() by ruleName_s\\r\\n| project NetworkSecurityGroupRule=ruleName_s, FlowCount=count_\\r\\n| sort by FlowCount desc \",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Security Group Flow Counts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"NetworkSecurityGroupRule\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Lateral_Movement\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FlowCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isCAL23124Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CA.L2-3.12.4\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Security Assessment Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System & 
Communications Protection](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\nSystem & Communications Protection includes network security for administrative and management functions. The System & Communications Protection Control family includes 32 controls which varying application across the Cloud Service Provider (CSP) model including customer responsibility, service provider responsibility, and shared responsibility.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Boundary Protection (SC.L1-3.13.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL13131.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Public-Access System Separation (SC.L1-3.13.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL13135.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 1: Foundational\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL13131Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL13131.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL13135Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL13135.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"253f6dce-cdf2-4808-9298-bea80e2ca395\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Boundary Protection (SC.L1-3.13.1)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#monitor-control-and-protect-communications-ie-information-transmitted-or-received-by-organizational-systems-at-the-external-boundaries-and-key-internal-boundaries-of-organizational-systems)\\r\\n\\r\\nMonitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal 
boundaries of the information systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Customer Lockbox](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview) 🔀[Customer Lockbox](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://portal.atp.azure.com/)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"network\\\" or RecommendationName contains \\\"transit\\\" or RecommendationName contains \\\"http\\\" or RecommendationName contains \\\"web\\\" or RecommendationName contains \\\"port\\\" or RecommendationName contains \\\"internet\\\" or RecommendationName contains \\\"comm\\\" or RecommendationName contains \\\"private\\\" or RecommendationName contains \\\"firewall\\\" \\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": 
\\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL13131Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L1-3.13.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Public-Access System Separation (SC.L1-3.13.5)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#implement-subnetworks-for-publicly-accessible-system-components-that-are-physically-or-logically-separated-from-internal-networks)\\r\\n\\r\\nImplement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"microsoft.network/\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Asset Listing\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL13135Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L1-3.13.5\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 1: Foundational\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Engineering (SC.L2-3.13.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL23132.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Role Separation (SC.L2-3.13.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL23133.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Shared Resource Control (SC.L2-3.13.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL23134.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Network Communication by Exception (SC.L2-3.13.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL23136.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Split Tunneling (SC.L2-3.13.7)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL23137.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": 
\\\\\\\"Data in Transit (SC.L2-3.13.8)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL23138.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Connections Termination (SC.L2-3.13.9)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL23139.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL23132Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL23132.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL23133Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL23133.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b6f0f37d-776f-42b2-9cf5-123545d93466\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL23134Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL2313
4.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"240acabd-8dd6-4d2e-a6f3-6158a4d6d315\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL23136Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL23136.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"847a2397-a439-4d5b-8e41-dcef62425b34\"},{\"id\":\"77f0cff6-267c-43d9-8dba-1f53dfe11937\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL23137Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL23137.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL23138Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL23138.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c7473fda-9fec-4cbd-b5ac-5ec94314abba\"},{\"id\":\"c0a05d48-e50d-4797-bdca-4c936c0ddf50\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL23139Visible\",\"type\":1,\"isHidd
enWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL23139.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Key Management (SC.L2-3.13.10)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL231310.\\\\\\\" },\\\\r\\\\n { \\\\\\\"Control\\\\\\\": \\\\\\\"CUI Encryption (SC.L2-3.13.11)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL231311.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Collaborative Device Control (SC.L2-3.13.12)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL231312.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Mobile Code (SC.L2-3.13.13)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL231313.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Voice Over Internet Protocol (SC.L2-3.13.14)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL231314.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Communications Authenticity (SC.L2-3.13.15)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL231315.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data at Rest (SC.L2-3.13.16)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL231316.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: 
Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"698a9809-ab71-4cdb-b1c3-94d517877b35\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL231310Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL231310.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL231311Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL231311.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a34361c8-9925-4870-97a7-88aa482a68f1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL231312Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL231312.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"88e70227-868b-4ed8-8a4f-4291ece1e2e8\"},{\"id\"
:\"c2ca0248-fbdc-423f-b426-e4ee0c0ec06b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL231313Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL231313.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"4f0a3a4d-c456-4b51-a546-285a15585053\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL231314Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL231314.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"5e809b7f-9a0c-4f39-bc79-0a71a2ccac8b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL231315Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL231315.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"8fc1e556-9d06-4c5b-9510-a99b3df07219\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL231316Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL231316.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValTyp
e\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Engineering (SC.L2-3.13.2)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#employ-architectural-designs-software-development-techniques-and-systems-engineering-principles-that-promote-effective-information-security-within-organizational-systems)\\r\\n\\r\\nEmploy architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL23132Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Role Separation (SC.L2-3.13.3)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#separate-user-functionality-from-system-management-functionality)\\r\\n\\r\\nSeparate user functionality from system management functionality. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AADManagedIdentitySignInLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/aadmanagedidentitysigninlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AADManagedIdentitySignInLogs\\r\\n| summarize count() by ServicePrincipalName, ResourceDisplayName\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Active Directory: Managed Identities\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ServicePrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL23133Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Shared Resource Control (SC.L2-3.13.4)\\r\\n\\r\\nPrevent unauthorized and unintended information transfer via shared \\r\\nsystem resources.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Information 
Protection](https://azure.microsoft.com/services/information-protection/) 🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade) \\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Network Security Groups](https://azure.microsoft.com/services/virtual-network/) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/) 🔀[Web Application Firewall policies (WAF)](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Azure Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/security/business/microsoft-endpoint-manager) 🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"data\\\" or Title contains \\\"loss\\\" or Title contains \\\"shared\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Shared Data Loss Prevention\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL23134Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Network Communication by Exception (SC.L2-3.13.6)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#deny-network-communications-traffic-by-default-and-allow-network-communications-traffic-by-exception-ie-deny-all-permit-by-exception)\\r\\n\\r\\nDeny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall 
Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" \\\" TempDetails\\r\\n| parse TempDetails with \\\"was \\\" Action1 \\\". Reason: \\\" Rule1\\r\\n| parse TempDetails with \\\"to \\\" FQDN \\\":\\\" TargetPortInt:int \\\". Action: \\\" Action2 \\\".\\\" *\\r\\n| parse TempDetails with * \\\". Rule Collection: \\\" RuleCollection2a \\\". Rule:\\\" Rule2a\\r\\n| parse TempDetails with * \\\"Deny.\\\" RuleCollection2b \\\". 
Proceeding with\\\" Rule2b\\r\\n| extend SourcePort = tostring(SourcePortInt)\\r\\n| extend TargetPort = tostring(TargetPortInt)\\r\\n| extend Action1 = case(Action1 == \\\"Deny\\\",\\\"Deny\\\",\\\"Unknown Action\\\")\\r\\n| extend Action = case(Action2 == \\\"\\\",Action1,Action2),Rule = case(Rule2a == \\\"\\\", case(Rule1 == \\\"\\\",case(Rule2b == \\\"\\\",\\\"N/A\\\", Rule2b),Rule1),Rule2a), \\r\\nRuleCollection = case(RuleCollection2b == \\\"\\\",case(RuleCollection2a == \\\"\\\",\\\"No rule matched\\\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \\\"\\\", \\\"N/A\\\", FQDN),TargetPort = case(TargetPort == \\\"\\\", \\\"N/A\\\", TargetPort)\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Action\\r\\n| render timechart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: Action Count by Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL23136Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Split Tunneling (SC.L2-3.13.7)\\r\\n\\r\\nPrevent remote devices from simultaneously establishing non-remote \\r\\nconnections with organizational systems and communicating via some other \\r\\nconnection to resources in external networks (i.e., split tunneling).\\r\\n\\r\\n## Primary Services\\r\\n✳️ [VPN Gateway]( https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Azure ExpressRoute](https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [VPN Gateway]( https://azure.microsoft.com/services/vpn-gateway/)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"privateendpoints\\\" or type contains \\\"privatedns\\\" or type contains \\\"express\\\" or type contains \\\"azurefirewall\\\" or type contains \\\"circuit\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Split Tunneling Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL23137Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data in Transit (SC.L2-3.13.8)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#implement-cryptographic-mechanisms-to-prevent-unauthorized-disclosure-of-cui-during-transmission-unless-otherwise-protected-by-alternative-physical-safeguards)\\r\\n\\r\\nImplement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n\\r\\n\\r\\n# Secondary Services\\r\\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Information Protection](https://www.microsoft.com/security/business/compliance/information-protection) 🔀[Microsoft Information Protection](https://compliance.microsoft.com/informationprotection)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"key\\\" or RecommendationName contains \\\"crypt\\\" or RecommendationName contains \\\"region\\\" or RecommendationName contains \\\"transit\\\" or RecommendationName contains \\\"http\\\" or RecommendationName contains \\\"tls\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL23138Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Connections Termination (SC.L2-3.13.9)\\r\\n\\r\\nTerminate network connections associated with communications sessions at \\r\\nthe end of the sessions or after a defined period of inactivity.\\r\\n\\r\\n# Secondary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [AADUserRiskEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/AADUserRiskEvents) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| summarize arg_max(TimeGenerated,*) by AccountUPN\\r\\n| join kind=inner(\\r\\nSigninLogs) on $left.AccountUPN==$right.UserPrincipalName\\r\\n| project SigninTime=TimeGenerated1, UserPrincipalName, AppDisplayName, ResultType, AssignedRoles, Location, UserAgent, AuthenticationRequirement, Country, City, CorrelationId\\r\\n| join kind=inner (\\r\\nAADUserRiskEvents) on CorrelationId\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId), AssignedRoles=strcat(AssignedRoles)\\r\\n| distinct UserPrincipalName, UserProfile, RiskState, RiskLevel, AppDisplayName, ResultType, DetectionTimingType, Location, AssignedRoles, UserAgent, AuthenticationRequirement, Country, City, SigninTime, UserId\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review/Terminate User Risk Event Sessions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"RiskLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AppDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense 
Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL23139Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Key Management (SC.L2-3.13.10)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#establish-and-manage-cryptographic-keys-for-cryptography-employed-in-organizational-systems)\\r\\n\\r\\nEstablish and manage cryptographic keys for cryptography employed in organizational systems. \\r\\n\\r\\n# Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n\\r\\n# Secondary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"key\\\" or RecommendationName contains \\\"cert\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL231310Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.10\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [CUI Encryption (SC.L2-3.13.11)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#employ-fips-validated-cryptography-when-used-to-protect-the-confidentiality-of-cui)\\r\\n\\r\\nEmploy FIPS-validated cryptography when used to protect the confidentiality of CUI. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\" or type contains \\\"crypt\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Key Vault & Crytographic Assets Listing\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"ControlID\",\"formatter\":1},{\"columnMatch\":\"Recommendation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation 
>\"}},{\"columnMatch\":\"statusChangeDate\",\"formatter\":6},{\"columnMatch\":\"firstEvaluationDate\",\"formatter\":6}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"RecommendationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation 
Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL231311Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.11\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Collaborative Device Control (SC.L2-3.13.12)
\\r\\n\\r\\nProhibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Group Policy](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings)
\\r\\n💡 [Intune/Microsoft Endpoint Manager policy](https://docs.microsoft.com/mem/intune/protect/windows-hello)
\\r\\n💡 [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise)
\\r\\n💡 [View Connected Devices](https://docs.microsoft.com/azure/active-directory/user-help/my-account-portal-devices-page#view-your-connected-devices)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Event](https://docs.microsoft.com/azure/azure-monitor/reference/tables/event) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n| where RenderedDescription contains \\\"Hello\\\"\\r\\n| summarize count() by _ResourceId, EventLevelName, RenderedDescription, EventID\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Windows Hello for Collaborative Computing Devices & Monitor Event Logs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n 
{\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL231312Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Mobile Code (SC.L2-3.13.13)\\r\\n\\r\\nControl and monitor the use of mobile code. \\r\\n\\r\\n# Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n# Secondary Services\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let M365Files = OfficeActivity\\r\\n| where SourceFileName contains \\\".vbx\\\" or SourceFileName contains \\\".js \\\" or SourceFileName contains \\\".dcr\\\" or SourceFileName contains \\\".fla\\\" or SourceFileName contains \\\".flv\\\" or SourceFileName contains \\\".swr\\\"\\r\\n| extend FileName=SourceFileName, FileLocations=OfficeObjectId\\r\\n| summarize count() by FileName, FileLocations;\\r\\nlet FilePathList = DeviceFileEvents\\r\\n//Update file types and mobile code indicators as required\\r\\n| where FileName contains \\\".vbx\\\" or FileName contains \\\".js \\\" or FileName contains \\\".dcr\\\" or FileName contains \\\".fla\\\" or FileName contains \\\".flv\\\" or FileName contains \\\".swr\\\"\\r\\n| extend FileLocations = strcat(\\\"DEVICENAME: \\\",DeviceName,\\\" \\\",\\\"ACCOUNT: \\\",InitiatingProcessAccountName,\\\" \\\",\\\"PATH: \\\",\\\" \\\",FolderPath)\\r\\n| summarize FileLocations = makelist(FileLocations) by FileName\\r\\n| extend FileLocations = tostring(FileLocations);\\r\\nDeviceFileEvents\\r\\n//Update file types and mobile code indicators as required\\r\\n| where FileName contains \\\".vbx\\\" or FileName contains \\\".js \\\" or FileName contains \\\".dcr\\\" or FileName contains \\\".fla\\\" or FileName contains \\\".flv\\\" or FileName contains \\\".swr\\\"\\r\\n| summarize count() by FileName\\r\\n| join (FilePathList) on FileName\\r\\n| project FileName, count_, FileLocations\\r\\n| union M365Files\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Control & Monitor the Use of Mobile Code\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"File\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"FileLocations\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Folder\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of 
Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL231313Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.13\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Voice Over Internet Protocol (SC.L2-3.13.14)\\r\\n\\r\\nControl and monitor the use of Voice over Internet Protocol (VoIP) technologies.\\r\\n\\r\\n# Secondary Services\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where RecordType == \\\"MicrosoftTeams\\\"\\r\\n| summarize count() by RecordType, Operation, UserId\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Control & Monitor Microsoft Teams Activity\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecordType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Connect\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"RecommendationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 
2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL231314Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Communications Authenticity (SC.L2-3.13.15)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#protect-the-authenticity-of-communications-sessions)\\r\\n\\r\\nProtect the authenticity of communications sessions.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n\\r\\n# Secondary Services\\r\\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"web\\\" or RecommendationName contains \\\"http\\\" or RecommendationName contains \\\"protocol\\\" or RecommendationName contains \\\"session\\\" or RecommendationName contains \\\"comm\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL231315Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.15\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data at Rest (SC.L2-3.13.16)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#protect-the-confidentiality-of-cui-at-rest)\\r\\n\\r\\nProtect the confidentiality of CUI at rest.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n# Secondary Services\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"stor\\\" or RecommendationName contains \\\"data\\\" or RecommendationName contains \\\"sql\\\" or RecommendationName contains \\\"crypt\\\" or RecommendationName contains \\\"rest\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL231316Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.16\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"System & Communications Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System & Information Integrity](https://www.acq.osd.mil/cmmc/index.html)\\r\\n---\\r\\nSystem & Information Integrity includes controls to identify system flaws, combat malware, and identify anomalies.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Flaw Remediation (SI.L1-3.14.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SIL13141.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Malicious Code Protection (SI.L1-3.14.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SIL13142.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Update Malicious Code Protection (SI.L1-3.14.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SIL13144.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System & File Scanning (SI.L1-3.14.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SIL13145.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 1: 
Foundational\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIL13141Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SIL13141.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIL13142Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SIL13142.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"adf5b3f9-8e8d-4de1-b844-59433c7b4a56\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIL13144Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SIL13144.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d5518def-74aa-451d-b9b3-0e4f53faaf29\"},{\"version\":\"K
qlParameterItem/1.0\",\"name\":\"isSIL13145Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SIL13145.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"8956271d-e314-4936-8d67-a14a4bc8ee00\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Flaw Remediation (SI.L1-3.14.1)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#identify-report-and-correct-information-and-information-system-flaws-in-a-timely-manner)\\r\\n\\r\\nIdentify, report, and correct information and information system flaws in a timely manner\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"vuln\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIL13141Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI.L1-3.14.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious Code Protection (SI.L1-3.14.2)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#provide-protection-from-malicious-code-at-appropriate-locations-within-organizational-information-systems)\\r\\n\\r\\nProvide protection from malicious code at appropriate locations within organizational information systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) 🔀[DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"malware\\\" or RecommendationName contains \\\"EDR\\\" or RecommendationName contains \\\"endpoint protect\\\" or RecommendationName contains \\\"virus\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIL13142Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI.L1-3.14.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Update Malicious Code Protection (SI.L1-3.14.4)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#update-malicious-code-protection-mechanisms-when-new-releases-are-available)\\r\\n\\r\\nUpdate malicious code protection mechanisms when new releases are available.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"signature\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIL13144Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI.L1-3.14.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System & File Scanning (SI.L1-3.14.5)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#perform-periodic-scans-of-the-information-system-and-real-time-scans-of-files-from-external-sources-as-files-are-downloaded-opened-or-executed)\\r\\n\\r\\nPerform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) 🔀[DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"defender\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIL13145Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI.L1-3.14.5\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 1: Foundational\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Alerts & Advisories (SI.L2-3.14.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SIL23143.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Monitor Communications for Attacks (SI.L2-3.14.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SIL23146.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Identify Unauthorized Use (SI.L2-3.14.7)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SIL23147.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIL23143Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SIL23143.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIL23146Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SIL23146.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b2d9f468-fd6e-4312-b3f6-1d3dfeb4340d\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIL23147Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SIL23147.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"1033883e-71d4-4e30-b176-955fe08a9783\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Security Alerts & Advisories (SI.L2-3.14.3)\\r\\n\\r\\nMonitor system security alerts and advisories and take action in response.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"logic\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Automated Security Response (SOAR) Actions Configured\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of 
Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIL23143Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI.L2-3.14.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Monitor Communications for Attacks (SI.L2-3.14.6)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#monitor-organizational-systems-including-inbound-and-outbound-communications-traffic-to-detect-attacks-and-indicators-of-potential-attacks)\\r\\n\\r\\nMonitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) 🔀[DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://portal.atp.azure.com/)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IncidentTrending = SecurityIncident \\r\\n| summarize arg_max(TimeGenerated,*) by IncidentNumber \\r\\n| extend IncidentType=Title\\r\\n| make-series Trend = dcount(IncidentNumber) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by IncidentType;\\r\\nSecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| summarize count() by IncidentType=Title, Severity\\r\\n| join kind=inner(IncidentTrending) on IncidentType\\r\\n| sort by count_ desc\\r\\n| project IncidentType, Severity, count_, Trend\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Trending\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These 
Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate 
Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIL23146Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI.L2-3.14.6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Identify Unauthorized Use (SI.L2-3.14.7)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#identify-unauthorized-use-of-organizational-systems)\\r\\n\\r\\nIdentify unauthorized use of organizational systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [BehaviorAnalytics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/behavioranalytics) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AnomalousSigninActivity = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\\r\\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\\r\\n or ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\\r\\n | join (\\r\\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \\\"none\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, 
SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', '7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//witdstomstl\\r\\nlet AnomalousRoleAssignment = AuditLogs\\r\\n | where TimeGenerated > ago(28d)\\r\\n | where OperationName == \\\"Add member to role\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner (\\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Add member to role\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend AnomalyName = \\\"Anomalous Role Assignemt\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries 
may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let LogOns=materialize(\\r\\n BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\");\\r\\nlet AnomalousResourceAccess = LogOns\\r\\n | where ActionType == \\\"ResourceAccess\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous Resource Access\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. 
The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousRDPActivity = LogOns\\r\\n | where ActionType == \\\"RemoteInteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous RDP Activity\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. 
The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousLogintoDevices = LogOns\\r\\n | where ActionType == \\\"InteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\\r\\n | extend AnomalyName = \\\"Anomalous Login To Devices\\\",\\r\\n Tactic = \\\"Privilege Escalation\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousPasswordReset = BehaviorAnalytics\\r\\n | where ActionType == \\\"Reset user password\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == \\\"True\\\"\\r\\n | join (\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Reset user password\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Password Reset\\\",\\r\\n Tactic = \\\"Impact\\\",\\r\\n Technique = \\\"Account Access Removal\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\\r\\n | join (\\r\\n SigninLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Initial Access\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousFailedLogon = BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n | join (\\r\\n SigninLogs \\r\\n | where Status.errorCode == 50126\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Failed Logon\\\",\\r\\n Tactic = \\\"Credential Access\\\",\\r\\n Technique = \\\"Brute Force\\\",\\r\\n SubTechnique = \\\"Password Guessing\\\",\\r\\n Description = \\\"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousAADAccountManipulation = AuditLogs\\r\\n | where OperationName == \\\"Update user\\\"\\r\\n | mv-expand AdditionalDetails\\r\\n | where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner ( \\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Update user\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName) \\r\\n | extend AnomalyName = \\\"Anomalous Account Manipulation\\\",\\r\\n Tactic = 
\\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\\r\\n | where ActionType == \\\"Add user\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\\r\\n | join(\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Add user\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\\r\\n UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", 
tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Account Creation\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Create Account\\\",\\r\\n SubTechnique = \\\"Cloud Account\\\",\\r\\n Description = \\\"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\\\"\\t\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\\r\\nlet TopUsersByAnomalies = AnomalyTable\\r\\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\\r\\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\\r\\n | sort by AnomalyCount desc;\\r\\nlet TopUsersByIncidents = SecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | where Status == \\\"New\\\" or Status == \\\"Active\\\"\\r\\n | mv-expand AlertIds\\r\\n | extend 
AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | where UPN <> \\\"\\\"\\r\\n | where UPN <> \\\" @ \\\"\\r\\n | union TopUsersByAnomalies\\r\\n | extend \\r\\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\\r\\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\\r\\n UPNExists = iff(isempty(UPN), false, true),\\r\\n NameExists = iff(isempty(Name), false, true),\\r\\n SidExists = iff(isempty(Sid), false, true),\\r\\n AADExists = iff(isempty(AadUserId), false, true)\\r\\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), 
NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\\r\\n | project [\\\"UserName\\\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\\\"AadUserId\\\"]=AadAnchor, [\\\"OnPremSid\\\"]=SidAnchor, [\\\"UserPrincipalName\\\"]=UPNAnchor;\\r\\nTopUsersByIncidents\\r\\n| where UserPrincipalName !contains \\\"[\\\"\\r\\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\\r\\n| sort by IncidentCount desc\\r\\n| limit 50\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review User Entity Behavior Analytics for Unauthorized Activity\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"rowLimit\":50,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_heatmap_IncidentCount_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_IncidentCount_1\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of 
Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIL23147Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI.L2-3.14.7\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"System & Information Integrity Group\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-CybersecurityMaturityModelCertification(CMMC)2.0\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Getting Started\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\",\"value\":\"No\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureLighthouse\",\"label\":\"🔦 Azure Lighthouse\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\",\"value\":\"No\",\"id\":\"2872d4c0-b938-4e7d-8722-e72df7f7c01e\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project 
subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, 
false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true},\"value\":{\"durationMs\":604800000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5vpbw39GIlPr6oh7FnjxTFUOVhBOFowTFlaT1pOSTAxVDdRT1pIUDlINy4u)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"## Getting Started\\r\\nThis solution is designed to augment staffing through automation, query/alerting generation, and visualizations. This solution leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with Cybersecurity Maturity Model Certification 2.0 control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and maturity level. This offering telemetry from 25+ Microsoft Security products, while only Microsoft Sentinel/Microsoft Defender for Cloud are required to get started, each offering provides additional enrichment for aligning with control requirements. Each CMMC 2.0 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
\\r\\n\\r\\n### [Recommended Microsoft Sentinel Roles](https://docs.microsoft.com/azure/sentinel/roles) / [Recommended Microsoft Defender for Cloud Roles](https://docs.microsoft.com/azure/defender-for-cloud/permissions#roles-and-allowed-actions)\\r\\n| Roles | Rights | \\r\\n|:--|:--|\\r\\n|Security Reader | View Workbooks, Analytics, Hunting, Security Recommendations |\\r\\n|Security Contributor| Deploy/Modify Workbooks, Analytics, Hunting Queries, Apply Security Recommendations |\\r\\n|Owner| Assign Regulatory Compliance Initiatives|\\r\\n\\r\\n### Onboarding Prerequisites \\r\\n1️⃣ [Access Microsoft 365 Compliance Manager: Assessments](https://compliance.microsoft.com/compliancemanager?viewid=Assessments)
\\r\\n2️⃣ [Planning: Review Microsoft Product Placemat for CMMC 2.0](https://aka.ms/cmmc/productplacemat)
\\r\\n3️⃣ [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\\r\\n4️⃣ [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n5️⃣ [Add the Microsoft Defender for Cloud: NIST SP 800 171 R2 Assessment to Your Dashboard](https://docs.microsoft.com/azure/security-center/update-regulatory-compliance-packages#add-a-regulatory-standard-to-your-dashboard)
\\r\\n6️⃣ [Continuously Export Security Center Data to Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/continuous-export)
\\r\\n7️⃣ [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\\r\\n8️⃣ [Review Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
\\r\\n\\r\\n### Print/Export Report\\r\\n1️⃣ Set Background Theme: Settings > Appearance > Theme: Azure > Apply
\\r\\n2️⃣ Print/Export Report: More Content Actions (...) > Print Content
\\r\\n3️⃣ Settings: Layout (Landscape), Pages (All), Print (One Sided), Scale (60), Pages Per Sheet (1), Quality (1,200 DPI), Margins (None) > Print
\\r\\n4️⃣ Executive Summary: Microsoft Defender for Cloud > Regulatory Compliance > Download Report > Report Standard (NIST SP 800 171 R2), Format (PDF)\\r\\n\\r\\nThe Microsoft Sentinel CMMC 2.0 Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. The solution outlines controls across Levels 1-2. All accreditation requirements and decisions are governed by the 💡[CMMC Accreditation Body](https://cyberab.org/CMMC-Ecosystem/C3PAO-Detail). This solution provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations and query modification for operation. Recommendations should be considered a starting point for planning full or partial coverage of respective control requirements. \",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"56\",\"name\":\"Help\"},{\"type\":1,\"content\":{\"json\":\"![CMMC Levels](https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverview_V2.0_FINAL2_20211202_508.pdf) \\r\\nFor more information, see the💡[CMMC Model](https://dodcio.defense.gov/CMMC/)\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"43.6\",\"name\":\"text - 29\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"managedservicesresources\\r\\n| where type == \\\"microsoft.managedservices/registrationassignments\\\"\\r\\n| where properties.provisioningState == \\\"Succeeded\\\"\\r\\n| extend ManageeTenantName = properties.registrationDefinition.properties.manageeTenantName\\r\\n| extend ManageeTenantId = properties.registrationDefinition.properties.manageeTenantId\\r\\n| extend ManagedByTenantName = properties.registrationDefinition.properties.managedByTenantName\\r\\n| 
extend ManagedByTenantId = properties.registrationDefinition.properties.managedByTenantId\\r\\n| extend PermanentAccess = properties.registrationDefinition.properties.authorizations\\r\\n| extend JITAccess = properties.registrationDefinition.properties.eligibleAuthorizations\\r\\n| extend AddedDate = properties.registrationDefinition.systemData.createdAt\\r\\n| extend CreatedBy = systemData.createdBy\\r\\n| project ManageeTenantName, ManageeTenantId, ManagedByTenantName, ManagedByTenantId, AddedDate, CreatedBy\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Lighthouse Delegations\",\"noDataMessage\":\"No Azure Lighthouse Delegations/Customers Detected\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ManageeTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Download\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManagedByTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Upload\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AddedDate\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Clock\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PermanentAccess\",\"formatter\":1},{\"columnMatch\":\"JITAccess\",\"formatter\":1}],\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"AzureLighthouse\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"query - 21 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cybersecurity Maturity Model 
Certification (CMMC) 2.0](https://dodcio.defense.gov/CMMC/)\\n---\\n\\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/assessment/reporting, (2) Analytics rules for monitoring and (3) Playbooks for response/remediation. CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.\\n\"},\"name\":\"Workbook Overview\"}]},\"name\":\"group - 29\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-cybersecurity-maturity-model/ba-p/3295095\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/-_a5HxJgriE\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"customWidth\":\"50\",\"name\":\"links - 29\"}]},\"customWidth\":\"78.8\",\"name\":\"group - 27\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel 
Logo\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Executive Summary\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AS\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Controls Crosswalk\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RCA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Awareness & Training\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AT\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Audit & Accountability\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU\\\\\\\" },\\\\r\\\\n { \\\\\\\"Control Family\\\\\\\": \\\\\\\"Configuration Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Identification & Authentication\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Incident Response\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IR\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"tab2\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"Control Family 
\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7b682fc9-cb6b-4475-a24c-41dcb43d0cef\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isASVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"086e8f81-2a72-4e52-acab-40631bb21ed5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRCAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RCA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b2d05502-68c5-4d0c-8caa-d5e439a2b9ac\"},{\"id\":\"c01e6494-1f74-4194-88b3-c98bbabdf84f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU\",\"resultValType\":\"static\",\"resultVa
l\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"696bf441-12c0-45db-918c-215a1170f18e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isATVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AT\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"02596750-83d0-48ad-b9e0-2897e262ab29\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCMVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"a932ee8a-1039-4482-9fc8-ed79fe6f2ebb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"2822f61e-a9f8-4419-87b6-f7b06a032cc2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIRVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"tab2\",\"operator\":\"contains\",\"rightValType\":\"stat
ic\",\"rightVal\":\"IR\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Maintenance\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Media Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MP\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Personnel Security\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PS\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Physical Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PE\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Risk Assessment\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RM\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Security Assessment\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"System & Communications Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"System & Information Integrity\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"Control Family - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"308bde5a-386f-4674-a712-26e31436b12e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MP\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"24021387-ba53-41a3-80ff-a3c23429d82d\"},{\"id\":\"e18bc9ef-6479-4eda-807a-b47f58f5f2f1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"PS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"401a85db-1c90-45b4-86d2-3e5439784818\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPEVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"PE\",\"resultValType\":\"static\",\"resultVal\
":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRMVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RM\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"0af0cea9-8f28-4850-b48e-93a195efa02b\"},{\"id\":\"e9fdb883-980a-4147-b494-43f7137f7131\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"c16d4f92-ce1a-4ff0-9576-23b39836e95d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI\",\"resultValType\":\"static\",
\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9637281c-861a-4ba6-90cd-6650f187f00c\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Executive Summary](https://docs.microsoft.com/azure/defender-for-cloud/regulatory-compliance-dashboard)\\r\\n---\\r\\n\\r\\nThis section leverages Microsoft Defender for Cloud: Regulatory Compliance for policy assessments. Find, fix, and resolve CMMC 2.0 recommendations aligned to the NIST SP 800-171 Regulatory Compliance Initiative. A selector provides capability to filter by all, specific, or groups of controls by level. Upon selection, subordinate panels will summarize recommendations by control family, status over time, recommendations, and resources identified.\"},\"customWidth\":\"40\",\"name\":\"NS Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 11\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"99a47f97-1aa4-4840-91ee-119aad6d6217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Level\",\"label\":\"CMMC 2.0 Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityRegulatoryCompliance\\r\\n| where ComplianceStandard == \\\"NIST-SP-800-171-R2\\\"\\r\\n| extend Level=iff(ComplianceControl in (\\\"3.1.1\\\",\\\"3.1.2\\\",\\\"3.1.20\\\",\\\"3.1.22\\\",\\\"3.4.1\\\",\\\"3.5.2\\\",\\\"3.5.2\\\",\\\"3.8.3\\\",\\\"3.13.1\\\",\\\"3.13.5\\\",\\\"3.14.1\\\",\\\"3.14.2\\\",\\\"3.14.4\\\",\\\"3.14.5\\\"), \\\"Level 1: 
Foundational\\\",\\\"Level 2: Advanced\\\")\\r\\n| summarize count() by Level\\r\\n| project-away count_\\r\\n| sort by Level asc\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"parameters - 26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", 
regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend TimeGenerated = tostring(properties1.status.statusChangeDate)\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName\\r\\n| extend Level=iff(controlId in (\\\"3.1.1\\\",\\\"3.1.2\\\",\\\"3.1.20\\\",\\\"3.1.22\\\",\\\"3.4.1\\\",\\\"3.5.2\\\",\\\"3.5.2\\\",\\\"3.8.3\\\",\\\"3.13.1\\\",\\\"3.13.5\\\",\\\"3.14.1\\\",\\\"3.14.2\\\",\\\"3.14.4\\\",\\\"3.14.5\\\"), \\\"Level 1: Foundational\\\",\\\"Level 2: Advanced\\\")\\r\\n| where Level in ({Level})\\r\\n | summarize arg_max(TimeGenerated, *) by RecommendationName, Level, tostring(RecommendationLink), tostring(state), tostring(complianceState)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\") by Level\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | project Level, Total, PassedControls, Passed, Failed\\r\\n | sort by Total, Passed desc\\r\\n \",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Level\",\"noDataMessage\":\"Confirm the Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is Enabled. 
See https://docs.microsoft.com/azure/defender-for-cloud/update-regulatory-compliance-packages\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Total\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", 
resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\") by RecommendationName, ControlID = controlId\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == 
\\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink, name) on RecommendationName\\r\\n | extend Level=iff(ControlID in (\\\"3.1.1\\\",\\\"3.1.2\\\",\\\"3.1.20\\\",\\\"3.1.22\\\",\\\"3.4.1\\\",\\\"3.5.2\\\",\\\"3.5.2\\\",\\\"3.8.3\\\",\\\"3.13.1\\\",\\\"3.13.5\\\",\\\"3.14.1\\\",\\\"3.14.2\\\",\\\"3.14.4\\\",\\\"3.14.5\\\"), \\\"Level 1: Foundational\\\",\\\"Level 2: Advanced\\\")\\r\\n | where Level in ({Level})\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, name\\r\\n | sort by Total, Passed desc\\r\\n | limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations \",\"noDataMessage\":\"Confirm the Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is Enabled. 
See https://docs.microsoft.com/azure/defender-for-cloud/update-regulatory-compliance-packages\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Total\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"name\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == 
\\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend TimeGenerated = tostring(properties1.status.statusChangeDate)\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", 
extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend Level=iff(controlId in (\\\"3.1.1\\\",\\\"3.1.2\\\",\\\"3.1.20\\\",\\\"3.1.22\\\",\\\"3.4.1\\\",\\\"3.5.2\\\",\\\"3.5.2\\\",\\\"3.8.3\\\",\\\"3.13.1\\\",\\\"3.13.5\\\",\\\"3.14.1\\\",\\\"3.14.2\\\",\\\"3.14.4\\\",\\\"3.14.5\\\"), \\\"Level 1: Foundational\\\",\\\"Level 2: Advanced\\\")\\r\\n | where Level in ({Level})\\r\\n| summarize arg_max(TimeGenerated, *) by RecommendationName, Level, tostring(RecommendationLink), tostring(state), tostring(complianceState)\\r\\n| distinct RecommendationName, resourceId, tostring(state), tostring(complianceState)\\r\\n| summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by resourceId\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| where Failed > 0\\r\\n| project AssessedResourceId=resourceId, Total, PassedControls, Passed, Failed\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Asset\",\"noDataMessage\":\"No Recommendations Observed Within These Thresholds. 
Confirm the Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is Enabled\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AssessedResourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Total\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"resourceId\",\"formatter\":13,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Remediate >>\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRegulatoryCompliance\\r\\n| where ComplianceStandard == \\\"NIST-SP-800-171-R2\\\"\\r\\n| extend Level=iff(ComplianceControl in (\\\"3.1.1\\\",\\\"3.1.2\\\",\\\"3.1.20\\\",\\\"3.1.22\\\",\\\"3.4.1\\\",\\\"3.5.2\\\",\\\"3.5.2\\\",\\\"3.8.3\\\",\\\"3.13.1\\\",\\\"3.13.5\\\",\\\"3.14.1\\\",\\\"3.14.2\\\",\\\"3.14.4\\\",\\\"3.14.5\\\"), \\\"Level 1: Foundational\\\",\\\"Level 2: Advanced\\\")\\r\\n| where Level in ({Level})\\r\\n| where State == \\\"Failed\\\"\\r\\n| make-series count() default=0 on 
TimeGenerated from startofday({TimeRange:start}) to startofday({TimeRange:end}) step 1d by Level\\r\\n| render timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations over Time\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: SecurityRegulatoryCompliance and SecurityRecommendation Data Tables are Onboarded to Your Microsoft Sentinel Workspace. See https://docs.microsoft.com/azure/defender-for-cloud/continuous-export\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"ControlID\",\"formatter\":1},{\"columnMatch\":\"Recommendation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation >\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", 
extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend TimeGenerated = tostring(properties1.status.statusChangeDate)\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == 
\\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend Level=iff(controlId in (\\\"3.1.1\\\",\\\"3.1.2\\\",\\\"3.1.20\\\",\\\"3.1.22\\\",\\\"3.4.1\\\",\\\"3.5.2\\\",\\\"3.5.2\\\",\\\"3.8.3\\\",\\\"3.13.1\\\",\\\"3.13.5\\\",\\\"3.14.1\\\",\\\"3.14.2\\\",\\\"3.14.4\\\",\\\"3.14.5\\\"), \\\"Level 1: Foundational\\\",\\\"Level 2: Advanced\\\")\\r\\n | where Level in ({Level})\\r\\n| summarize arg_max(TimeGenerated, *) by RecommendationName, Level, tostring(RecommendationLink), tostring(state), controlId, tostring(severity)\\r\\n| where resourceId <> \\\"\\\"\\r\\n| project ResourceID=resourceId, RecommendationName, Severity=tostring(severity), CurrentState=tostring(state), RecommendationLink=tostring(RecommendationLink), name, FirstObserved=TimeGenerated\\r\\n| distinct ResourceID, RecommendationName, Severity, CurrentState, RecommendationLink, FirstObserved, name\\r\\n| where CurrentState == \\\"Unhealthy\\\"\\r\\n| extend Rank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, 0)))\\r\\n| sort by Rank desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Current Recommendation Details\",\"noDataMessage\":\"Confirm the Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is Enabled. 
See https://docs.microsoft.com/azure/defender-for-cloud/update-regulatory-compliance-packages\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceID\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlID\",\"formatter\":1},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"Recommendation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"name\"}]}}},{\"columnMatch\":\"name\",\"formatter\":5},{\"columnMatch\":\"FirstObserved\",\"formatter\":6},{\"columnMatch\":\"Rank\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 
8\"}]},\"conditionalVisibility\":{\"parameterName\":\"isASVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Assessment\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Regulatory Compliance Alignment](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-171-r2)\\r\\n---\\r\\nControls crosswalk provides a mapping of CMMC 2.0 controls across additional compliance frameworks. This provides free-text search capabilities mapping numerous frameworks including NIST SP 800-171 R2 and NIST SP 800-53 R4. There is also a mapping for primary and secondary services which aligns with the Microsoft Technical Reference Guide for CMMC 2.0.\"},\"customWidth\":\"40\",\"name\":\"Controls Mapping\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Crosswalk = datatable([\\\"Control Name\\\"]: string, [\\\"Control Number\\\"]: string, [\\\"Control Family\\\"]: string, [\\\"NIST SP 800-171 R2\\\"]: string, [\\\"NIST SP 800-53 R4\\\"]: string, [\\\"Primary Services\\\"]: string, [\\\"Secondary Services\\\"]: string) [\\r\\n\\\"Authorized Access Control\\\",\\t\\\"AC.L1-3.1.1\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.1\\\",\\t\\\"AC-2 | AC-3 | AC-17\\\",\\t\\\"Microsoft Defender for Cloud | Azure Active Directory | Microsoft Endpoint Manager\\\",\\t\\\"Conditional Access | Customer Lockbox | Azure AD Privileged Identity Management | Microsoft Defender for Office 365\\\",\\r\\n\\\"Transaction & Function Control\\\",\\t\\\"AC.L1-3.1.2\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.2\\\",\\t\\\"AC-2 | AC-3 | AC-17\\\",\\t\\\"Microsoft Defender for Cloud | Azure Active Directory | Azure AD Privileged Identity Management\\\",\\t\\\"Network Security Groups | Conditional Access | GitHub Enterprise Cloud | GitHub AE\\\",\\r\\n\\\"External Connections\\\",\\t\\\"AC.L1-3.1.20\\\",\\t\\\"Access 
Control\\\",\\t\\\"3.1.20\\\",\\t\\\"AC-20 | AC-20(1)\\\",\\t\\\"Microsoft Defender for Cloud | Azure Active Directory\\\",\\t\\\"Microsoft Azure Portal | Azure Firewall | Network Security Groups | Conditional Access | Microsoft Endpoint Manager\\\",\\r\\n\\\"Control Public Information\\\",\\t\\\"AC.L1-3.1.22\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.22\\\",\\t\\\"AC-22\\\",\\t\\\"Microsoft Endpoint Manager\\\",\\t\\\"Microsoft Sentinel\\\",\\r\\n\\\"Control CUI Flow\\\",\\t\\\"AC.L2-3.1.3\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.3\\\",\\t\\\"AC-4\\\",\\t\\\"Azure Web Application Firewall | Azure Information Protection | Microsoft 365 Compliance Manager | Microsoft Defender for Cloud\\\",\\t\\\"Network Security Groups | Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps | Microsoft Defender for Identity\\\",\\r\\n\\\"Separation of Duties\\\",\\t\\\"AC.L2-3.1.4\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.4\\\",\\t\\\"AC-5\\\",\\t\\\"Azure Active Directory | Microsoft Defender for Cloud\\\",\\t\\\"Azure AD Privileged Identity Management\\\",\\r\\n\\\"Least Privilege\\\",\\t\\\"AC.L2-3.1.5\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.5\\\",\\t\\\"AC-6 | AC-6(1) | AC-6(5)\\\",\\t\\\"Azure AD Privileged Identity Management | Microsoft Defender for Cloud\\\",\\t\\\"Azure Active Directory | GitHub Enterprise Cloud | GitHub AE\\\",\\r\\n\\\"Non-Privileged Account Use\\\",\\t\\\"AC.L2-3.1.6\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.6\\\",\\t\\\"AC-6(2)\\\",\\t\\\"Azure Active Directory | Microsoft Defender for Cloud\\\",\\t\\\"Azure AD Privileged Identity Management\\\",\\r\\n\\\"Privileged Functions\\\",\\t\\\"AC.L2-3.1.7\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.7\\\",\\t\\\"AC-6(9) | AC-6(10)\\\",\\t\\\"Azure Active Directory | Azure AD Privileged Identity Management | Microsoft Defender for Cloud\\\",\\t\\\"Microsoft Endpoint Manager | Microsoft Defender for Office 365 | Microsoft 365 Compliance Manager\\\",\\r\\n\\\"Unsuccessful Logon 
Attempts\\\",\\t\\\"AC.L2-3.1.8\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.8\\\",\\t\\\"AC-7\\\",\\t\\\"Azure Active Directory | Microsoft Defender for Identity | Microsoft Sentinel\\\",\\t\\\"Password Protection for Azure AD\\\",\\r\\n\\\"Privacy & Security Notices\\\",\\t\\\"AC.L2-3.1.9\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.9\\\",\\t\\\"AC-8\\\",\\t\\\"Microsoft Azure Portal | Virtual Machines\\\",\\t\\\"Azure Active Directory\\\",\\r\\n\\\"Session Lock\\\",\\t\\\"AC.L2-3.1.10\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.10\\\",\\t\\\"AC-11 | AC-11(1)\\\",\\t\\\"Microsoft Azure Portal | Virtual Machines | Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"Session Termination\\\",\\t\\\"AC.L2-3.1.11\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.11\\\",\\t\\\"AC-12\\\",\\t\\\"Microsoft Azure Portal | Azure AD Privileged Identity Management\\\",\\t\\\"Application Gateway | Azure Bastion\\\",\\r\\n\\\"Control Remote Access\\\",\\t\\\"AC.L2-3.1.12\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.12\\\",\\t\\\"AC-17(1)\\\",\\t\\\"Azure Active Directory | Microsoft Defender for Cloud | Microsoft Sentinel | Azure Bastion\\\",\\t\\\"Microsoft Azure Portal | Azure ExpressRoute | Network Security Groups | Conditional Access | Intune/Microsoft Endpoint Manager | Microsoft Defender for Office 365\\\",\\r\\n\\\"Remote Access Confidentiality\\\",\\t\\\"AC.L2-3.1.13\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.13\\\",\\t\\\"AC-17(2)\\\",\\t\\\"Microsoft Azure Portal | Azure Active Directory\\\",\\t\\\"Load Balancer | Azure Multi-Factor Authentication\\\",\\r\\n\\\"Remote Access Routing\\\",\\t\\\"AC.L2-3.1.14\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.14\\\",\\t\\\"AC-17(3)\\\",\\t\\\"Azure Bastion | VPN Gateway | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure ExpressRoute | Azure Front Door | Named Locations | Network Security Groups | Azure Web Application Firewall | Conditional Access\\\",\\r\\n\\\"Privileged Remote Access\\\",\\t\\\"AC.L2-3.1.15\\\",\\t\\\"Access 
Control\\\",\\t\\\"3.1.15\\\",\\t\\\"AC-17(4)\\\",\\t\\\"Azure Active Directory | Azure AD Privileged Identity Management\\\",\\t\\\"Named Locations | Azure Virtual Machines | Conditional Access | Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Wireless Access Authorization\\\",\\t\\\"AC.L2-3.1.16\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.16\\\",\\t\\\"AC-18\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"Wireless Access Protection\\\",\\t\\\"AC.L2-3.1.17\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.17\\\",\\t\\\"AC-18(1)\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"Mobile Device Connection\\\",\\t\\\"AC.L2-3.1.18\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.18\\\",\\t\\\"AC-19\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"Encrypt CUI on Mobile\\\",\\t\\\"AC.L2-3.1.19\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.19\\\",\\t\\\"AC-19(5)\\\",\\t\\\"Conditional Access | Intune/Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"Portable Storage Use\\\",\\t\\\"AC.L2-3.1.21\\\",\\t\\\"Access Control\\\",\\t\\\"3.1.21\\\",\\t\\\"AC-20(2)\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"Named Locations\\\",\\r\\n\\\"Role-Based Risk Awareness\\\",\\t\\\"AT.L2-3.2.1\\\",\\t\\\"Awareness & Training\\\",\\t\\\"3.2.1\\\",\\t\\\"AT-2 | AT-3\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Learn\\\",\\r\\n\\\"Role-Based Training\\\",\\t\\\"AT.L2-3.2.2\\\",\\t\\\"Awareness & Training\\\",\\t\\\"3.2.2\\\",\\t\\\"AT-2 | AT-4\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Learn\\\",\\r\\n\\\"Insider Threat Awareness\\\",\\t\\\"AT.L2-3.2.3\\\",\\t\\\"Awareness & Training\\\",\\t\\\"3.2.3\\\",\\t\\\"AT-2(2)\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Learn\\\",\\r\\n\\\"User Accountability\\\",\\t\\\"AU.L2-3.3.2\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.2\\\",\\t\\\"AU-2 | AU-3 | AU-3(1) | AU-6 | AU-11 | AU-12\\\",\\t\\\"Microsoft Sentinel\\\",\\t\\\"Intune/Microsoft Endpoint Manager | O365 Security and Compliance\\\",\\r\\n\\\"Event 
Review\\\",\\t\\\"AU.L2-3.3.3\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.3\\\",\\t\\\"AU-2(3)\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Sentinel | Azure Active Directory | Intune/Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps | O365 Security and Compliance\\\",\\r\\n\\\"Audit Failure Alerting\\\",\\t\\\"AU.L2-3.3.4\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.4\\\",\\t\\\"AU-5\\\",\\t\\\"Microsoft Sentinel\\\",\\t\\\"Azure Active Directory | Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Audit Correlation\\\",\\t\\\"AU.L2-3.3.5\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.5\\\",\\t\\\"AU-6(3)\\\",\\t\\\"Microsoft Sentinel | Microsoft Defender for Cloud Apps | Microsoft 365 Defender\\\",\\t\\\"Log Analytics Workspace | Microsoft Defender for Cloud Apps | Microsoft Defender for Identity | O365 Security and Compliance | Microsoft Defender for Cloud\\\",\\r\\n\\\"Reduction & Reporting\\\",\\t\\\"AU.L2-3.3.6\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.6\\\",\\t\\\"AU-7\\\",\\t\\\"Microsoft Defender for Cloud | Microsoft Sentinel\\\",\\t\\\"Log Analytics Workspace | Azure Active Directory | O365 Security and Compliance\\\",\\r\\n\\\"Authoritative Time Source\\\",\\t\\\"AU.L2-3.3.7\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.7\\\",\\t\\\"AU-8 | AU-8(1)\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"NA\\\",\\r\\n\\\"Audit Protection\\\",\\t\\\"AU.L2-3.3.8\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.8\\\",\\t\\\"AU-6(7) | AU-9\\\",\\t\\\"Log Analytics Workspace | Azure Active Directory | O365 Security and Compliance\\\",\\t\\\"Conditional Access\\\",\\r\\n\\\"Audit Management\\\",\\t\\\"AU.L2-3.3.9\\\",\\t\\\"Audit & Accountability\\\",\\t\\\"3.3.9\\\",\\t\\\"AU-6(7) | AU-9\\\",\\t\\\"Log Analytics Workspace | Azure Active Directory\\\",\\t\\\"Conditional Access | O365 Security and Compliance\\\",\\r\\n\\\"System Baselining\\\",\\t\\\"CM.L2-3.4.1\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.1\\\",\\t\\\"CM-2 | CM-6 | CM-8 | 
CM-8(1)\\\",\\t\\\"Microsoft Defender for Cloud | Intune/Microsoft Endpoint Manager | Microsoft Defender for Endpoint | GitHub Enterprise Cloud | GitHub AE\\\",\\t\\\"Azure Virtual Machines\\\",\\r\\n\\\"Security Configuration Enforcement\\\",\\t\\\"CM.L2-3.4.2\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.2\\\",\\t\\\"CM-2 | CM-6 | CM-8 | CM-8(1)\\\",\\t\\\"Azure Active Directory | Intune/Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"System Change Management\\\",\\t\\\"CM.L2-3.4.3\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.3\\\",\\t\\\"CM-3\\\",\\t\\\"Microsoft Defender for Cloud | GitHub Enterprise Cloud | GitHub AE\\\",\\t\\\"Log Analytics Workspace | Azure Active Directory | Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Security Impact Analysis\\\",\\t\\\"CM.L2-3.4.4\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.4\\\",\\t\\\"CM-4\\\",\\t\\\"GitHub Enterprise Cloud | GitHub AE\\\",\\t\\\"Intune/Microsoft Endpoint Manager | Microsoft Defender Endpoint\\\",\\r\\n\\\"Access Restrictions for Change\\\",\\t\\\"CM.L2-3.4.5\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.5\\\",\\t\\\"CM-5\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"Azure Firewall | Network Security Groups | Azure Web Application Firewall | Virtual Network | Conditional Access | Intune/Microsoft Endpoint Manager | GitHub Enterprise Cloud | GitHub AE\\\",\\r\\n\\\"Least Functionality\\\",\\t\\\"CM.L2-3.4.6\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.6\\\",\\t\\\"CM-7\\\",\\t\\\"Azure Active Directory | Intune/ Microsoft Endpoint Manager\\\",\\t\\\"Microsoft 365 Defender\\\",\\r\\n\\\"Nonessential Functionality\\\",\\t\\\"CM.L2-3.4.7\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.7\\\",\\t\\\"CM-7(1) | CM-7(2)\\\",\\t\\\"Network Security Groups\\\",\\t\\\"Microsoft Defender for Cloud | Azure Firewall | Azure Web Application Firewall | Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Application Execution Policy\\\",\\t\\\"CM.L2-3.4.8\\\",\\t\\\"Configuration 
Management\\\",\\t\\\"3.4.8\\\",\\t\\\"CM-7(4) | CM-7(5)\\\",\\t\\\"Azure Virtual Machines | Intune/Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps\\\",\\t\\\"Azure Firewall | Network Security Groups | Azure Web Application Firewall | Conditional Access | Microsoft Defender for Endpoint | GitHub Enterprise Cloud | GitHub AE\\\",\\r\\n\\\"User-Installed Software\\\",\\t\\\"CM.L2-3.4.9\\\",\\t\\\"Configuration Management\\\",\\t\\\"3.4.9\\\",\\t\\\"CM-11\\\",\\t\\\"Microsoft Sentinel | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure Active Directory | Microsoft Defender for Cloud Apps | Microsoft Defender for Endpoint | Microsoft Defender for Identity | GitHub Enterprise Cloud\\\",\\r\\n\\\"Authentication\\\",\\t\\\"IA.L1-3.5.2\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.2\\\",\\t\\\"IA-2 | IA-3 | IA-5\\\",\\t\\\"Azure Active Directory | Azure Multi-Factor Authentication | Conditional Access | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Customer Lockbox\\\",\\r\\n\\\"Replay-Resistant Authentication\\\",\\t\\\"IA.L2-3.5.4\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.4\\\",\\t\\\"IA-2(8) | IA-2(9)\\\",\\t\\\"Microsoft Azure Portal | Azure Active Directory | Azure Multi-Factor Authentication | Intune/Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"Identifier Reuse\\\",\\t\\\"IA.L2-3.5.5\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.5\\\",\\t\\\"IA-4\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"Intune/Microsoft Endpoint Manager | O365 Security and Compliance\\\",\\r\\n\\\"Identifier Handling\\\",\\t\\\"IA.L2-3.5.6\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.6\\\",\\t\\\"IA-4\\\",\\t\\\"Azure Active Directory | Microsoft Defender for Identity\\\",\\t\\\"NA\\\",\\r\\n\\\"Password Complexity\\\",\\t\\\"IA.L2-3.5.7\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.7\\\",\\t\\\"IA-5(1)\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"Intune/Microsoft Endpoint Manager | Password Protection for 
Azure AD\\\",\\r\\n\\\"Password Reuse\\\",\\t\\\"IA.L2-3.5.8\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.8\\\",\\t\\\"IA-5(1)\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"Intune/Microsoft Endpoint Manager | Password Protection for Azure AD\\\",\\r\\n\\\"Temporary Passwords\\\",\\t\\\"IA.L2-3.5.9\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.9\\\",\\t\\\"IA-5(1)\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"NA\\\",\\r\\n\\\"Cryptographically-Protected Passwords\\\",\\t\\\"IA.L2-3.5.10\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.10\\\",\\t\\\"IA-5(1)\\\",\\t\\\"Microsoft Azure Portal | Azure Key Vault | Azure Virtual Machines | Azure Active Directory | Intune/Microsoft Endpoint Manager\\\",\\t\\\"NA\\\",\\r\\n\\\"Obscure Feedback\\\",\\t\\\"IA.L2-3.5.11\\\",\\t\\\"Identification & Authentication\\\",\\t\\\"3.5.11\\\",\\t\\\"IA-6\\\",\\t\\\"Microsoft Azure Portal | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure Bastion | Azure Virtual Machines\\\",\\r\\n\\\"Incident Handling\\\",\\t\\\"IR.L2-3.6.1\\\",\\t\\\"Incident Response\\\",\\t\\\"3.6.1\\\",\\t\\\"IR-2 | IR-4 | IR-5 | IR-6 | IR-7\\\",\\t\\\"Microsoft Sentinel\\\",\\t\\\"Microsoft Defender for Endpoint | Microsoft Defender for Office 365\\\",\\r\\n\\\"Incident Reporting\\\",\\t\\\"IR.L2-3.6.2\\\",\\t\\\"Incident Response\\\",\\t\\\"3.6.2\\\",\\t\\\"IR-2 | IR-4 | IR-5 | IR-6 | IR-7\\\",\\t\\\"Microsoft Sentinel\\\",\\t\\\"NA\\\",\\r\\n\\\"Incident Response Testing\\\",\\t\\\"IR.L2-3.6.3\\\",\\t\\\"Incident Response\\\",\\t\\\"3.6.3\\\",\\t\\\"IR-3\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Sentinel\\\",\\r\\n\\\"Perform Maintenance\\\",\\t\\\"MA.L2-3.7.1\\\",\\t\\\"Maintenance\\\",\\t\\\"3.7.1\\\",\\t\\\"MA-2 | MA-3 | MA-3(1) | MA-3(2)\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Azure Portal | Azure Virtual Machines | Intune/Microsoft Endpoint Manager | Microsoft Defender for Endpoint\\\",\\r\\n\\\"System Maintenance 
Control\\\",\\t\\\"MA.L2-3.7.2\\\",\\t\\\"Maintenance\\\",\\t\\\"3.7.2\\\",\\t\\\"MA-2 | MA-3 | MA-3(1) | MA-3(2)\\\",\\t\\\"Network Security Groups | Azure Active Directory\\\",\\t\\\"Azure Bastion | Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Equipment Sanitization\\\",\\t\\\"MA.L2-3.7.3\\\",\\t\\\"Maintenance\\\",\\t\\\"3.7.3\\\",\\t\\\"MA-2\\\",\\t\\\"NA\\\",\\t\\\"NA\\\",\\r\\n\\\"Media Inspection\\\",\\t\\\"MA.L2-3.7.4\\\",\\t\\\"Maintenance\\\",\\t\\\"3.7.4\\\",\\t\\\"MA-3(2)\\\",\\t\\\"NA\\\",\\t\\\"NA\\\",\\r\\n\\\"Nonlocal Maintenance\\\",\\t\\\"MA.L2-3.7.5\\\",\\t\\\"Maintenance\\\",\\t\\\"3.7.5\\\",\\t\\\"MA-4\\\",\\t\\\"Microsoft Azure Portal | Azure Active Directory | Azure Multi-Factor Authentication\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Maintenance Personnel\\\",\\t\\\"MA.L2-3.7.6\\\",\\t\\\"Maintenance\\\",\\t\\\"3.7.6\\\",\\t\\\"MA-5\\\",\\t\\\"NA\\\",\\t\\\"Customer Lockbox\\\",\\r\\n\\\"Media Disposal\\\",\\t\\\"MP.L1-3.8.3\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.3\\\",\\t\\\"MP-2 | MP-4 | MP-6\\\",\\t\\\"Azure Key Vault\\\",\\t\\\"Azure Information Protection\\\",\\r\\n\\\"Media Protection\\\",\\t\\\"MP.L2-3.8.1\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.1\\\",\\t\\\"MP-2 | MP-4 | MP-6\\\",\\t\\\"Azure Key Vault | Azure Information Protection | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure Virtual Machines\\\",\\r\\n\\\"Media Access\\\",\\t\\\"MP.L2-3.8.2\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.2\\\",\\t\\\"MP-2 | MP-4 | MP-6\\\",\\t\\\"Azure Active Directory | Azure Information Protection | Conditional Access | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Network Security Groups\\\",\\r\\n\\\"Media Markings\\\",\\t\\\"MP.L2-3.8.4\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.4\\\",\\t\\\"MP-2 | MP-4 | MP-6\\\",\\t\\\"Azure Key Vault\\\",\\t\\\"Azure Information Protection\\\",\\r\\n\\\"Media Accountability\\\",\\t\\\"MP.L2-3.8.5\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.5\\\",\\t\\\"MP-5\\\",\\t\\\"Azure Key 
Vault\\\",\\t\\\"Azure Information Protection | Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Portable Storage Encryption\\\",\\t\\\"MP.L2-3.8.6\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.6\\\",\\t\\\"MP-5(4)\\\",\\t\\\"Azure Key Vault | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure Information Protection\\\",\\r\\n\\\"Removable Media\\\",\\t\\\"MP.L2-3.8.7\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.7\\\",\\t\\\"MP-7\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure Information Protection\\\",\\r\\n\\\"Shared Media\\\",\\t\\\"MP.L2-3.8.8\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.8\\\",\\t\\\"MP-7(1)\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"Conditional Access\\\",\\r\\n\\\"Protect Backups\\\",\\t\\\"MP.L2-3.8.9\\\",\\t\\\"Media Protection\\\",\\t\\\"3.8.9\\\",\\t\\\"CP-9\\\",\\t\\\"Microsoft Azure Portal\\\",\\t\\\"Azure Key Vault\\\",\\r\\n\\\"Screen Individuals\\\",\\t\\\"PS.L2-3.9.1\\\",\\t\\\"Personnel Security\\\",\\t\\\"3.9.1\\\",\\t\\\"PS-3 | PS-4 | PS-5\\\",\\t\\\"NA\\\",\\t\\\"NA\\\",\\r\\n\\\"Personnel Actions\\\",\\t\\\"PS.L2-3.9.2\\\",\\t\\\"Personnel Security\\\",\\t\\\"3.9.2\\\",\\t\\\"PS-3 | PS-4 | PS-5\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"Azure Information Protection | Intune/Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps | Microsoft 365 Insider Risk Management\\\",\\r\\n\\\"Limit Physical Access\\\",\\t\\\"PE.L1-3.10.1\\\",\\t\\\"Physical Protection\\\",\\t\\\"3.10.1\\\",\\t\\\"PE\\\",\\t\\\"Azure Datacenter\\\",\\t\\\"NA\\\",\\r\\n\\\"Escort Visitors\\\",\\t\\\"PE.L1-3.10.3\\\",\\t\\\"Physical Protection\\\",\\t\\\"3.10.3\\\",\\t\\\"PE\\\",\\t\\\"Azure Datacenter\\\",\\t\\\"NA\\\",\\r\\n\\\"Physical Access Logs\\\",\\t\\\"PE.L1-3.10.4\\\",\\t\\\"Physical Protection\\\",\\t\\\"3.10.4\\\",\\t\\\"PE\\\",\\t\\\"Azure Datacenter\\\",\\t\\\"NA\\\",\\r\\n\\\"Manage Physical Access\\\",\\t\\\"PE.L1-3.10.5\\\",\\t\\\"Physical Protection\\\",\\t\\\"3.10.5\\\",\\t\\\"PE\\\",\\t\\\"Azure 
Datacenter\\\",\\t\\\"NA\\\",\\r\\n\\\"Monitor Facility\\\",\\t\\\"PE.L2-3.10.2\\\",\\t\\\"Physical Protection\\\",\\t\\\"3.10.2\\\",\\t\\\"PE\\\",\\t\\\"Azure Datacenter\\\",\\t\\\"NA\\\",\\r\\n\\\"Alternative Work Sites\\\",\\t\\\"PE.L2-3.10.6\\\",\\t\\\"Physical Protection\\\",\\t\\\"3.10.6\\\",\\t\\\"PE-17\\\",\\t\\\"Azure Datacenter | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Named Locations | Azure Information Protection | Conditional Access\\\",\\r\\n\\\"Risk Assessments\\\",\\t\\\"RA.L2-3.11.1\\\",\\t\\\"Risk Assessment\\\",\\t\\\"3.11.1\\\",\\t\\\"RA-3\\\",\\t\\\"Microsoft Defender for Cloud\\\",\\t\\\"Microsoft Sentinel | Intune/Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps | Microsoft Defender for Endpoint\\\",\\r\\n\\\"Vulnerability Scan\\\",\\t\\\"RA.L2-3.11.2\\\",\\t\\\"Risk Assessment\\\",\\t\\\"3.11.2\\\",\\t\\\"RA-5 | RA-5(5)\\\",\\t\\\"Microsoft Defender for Cloud | GitHub Enterprise Cloud | GitHub AE | GitHub Advanced Security (Add-On)\\\",\\t\\\"Azure DNS | Intune/Microsoft Endpoint Manager | Microsoft Defender for Endpoint | Microsoft Defender for Office 365\\\",\\r\\n\\\"Vulnerability Remediation\\\",\\t\\\"RA.L2-3.11.3\\\",\\t\\\"Risk Assessment\\\",\\t\\\"3.11.3\\\",\\t\\\"RA-5\\\",\\t\\\"GitHub Advanced Security (Add-On)\\\",\\t\\\"Microsoft Defender for Cloud | Intune/Microsoft Endpoint Manager | Microsoft Defender for Endpoint | GitHub Enterprise Cloud | GitHub AE\\\",\\r\\n\\\"Security Control Assessment\\\",\\t\\\"CA.L2-3.12.1\\\",\\t\\\"Security Assessment\\\",\\t\\\"3.12.1\\\",\\t\\\"CA-2 | CA-5 | CA-7 | PL-2\\\",\\t\\\"Microsoft Defender for Cloud\\\",\\t\\\"Microsoft Sentinel | Intune/Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps | Microsoft Defender for Endpoint\\\",\\r\\n\\\"Plan of Action\\\",\\t\\\"CA.L2-3.12.2\\\",\\t\\\"Security Assessment\\\",\\t\\\"3.12.2\\\",\\t\\\"CA-2 | CA-5 | CA-7 | PL-2\\\",\\t\\\"Microsoft Defender for Endpoint\\\",\\t\\\"NA\\\",\\r\\n\\\"Security Control 
Monitoring\\\",\\t\\\"CA.L2-3.12.3\\\",\\t\\\"Security Assessment\\\",\\t\\\"3.12.3\\\",\\t\\\"CA-2 | CA-5 | CA-7 | PL-2\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Sentinel | Intune/Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps | Microsoft Defender for Endpoint | O365 Security and Compliance\\\",\\r\\n\\\"System Security Plan\\\",\\t\\\"CA.L2-3.12.4\\\",\\t\\\"Security Assessment\\\",\\t\\\"3.12.4\\\",\\t\\\"CA-2 | CA-5 | CA-7 | PL-2\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Defender for Cloud\\\",\\r\\n\\\"Boundary Protection\\\",\\t\\\"SC.L1-3.13.1\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.1\\\",\\t\\\"SC-15\\\",\\t\\\"NA\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Public-Access System Separation\\\",\\t\\\"SC.L1-3.13.5\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.5\\\",\\t\\\"SC-7\\\",\\t\\\"NA\\\",\\t\\\"Azure Bastion | Azure Firewall | Load Balancer | Network Security Groups | Azure Web Application Firewall | Virtual Network\\\",\\r\\n\\\"Security Engineering\\\",\\t\\\"SC.L2-3.13.2\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.2\\\",\\t\\\"SC-7 | SA-8\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Defender for Cloud\\\",\\r\\n\\\"Role Separation\\\",\\t\\\"SC.L2-3.13.3\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.3\\\",\\t\\\"SC-2\\\",\\t\\\"Azure Active Directory\\\",\\t\\\"Conditional Access | Azure AD Privileged Identity Management\\\",\\r\\n\\\"Shared Resource Control\\\",\\t\\\"SC.L2-3.13.4\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.4\\\",\\t\\\"SC-4\\\",\\t\\\"Azure Information Protection\\\",\\t\\\"Network Security Groups | Azure Web Application Firewall | Azure Virtual Machines | Virtual Network | Intune/Microsoft Endpoint Manager | Microsoft Defender for Office 365\\\",\\r\\n\\\"Network Communication by Exception\\\",\\t\\\"SC.L2-3.13.6\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.6\\\",\\t\\\"SC-7(5)\\\",\\t\\\"Azure 
Firewall\\\",\\t\\\"Microsoft Defender for Cloud | Load Balancer | Network Security Groups | Azure Web Application Firewall | Virtual Network | Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Split Tunneling\\\",\\t\\\"SC.L2-3.13.7\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.7\\\",\\t\\\"SC-7(7)\\\",\\t\\\"NA\\\",\\t\\\"NA\\\",\\r\\n\\\"Data in Transit\\\",\\t\\\"SC.L2-3.13.8\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.8\\\",\\t\\\"SC-8 | SC-8(1)\\\",\\t\\\"Microsoft Azure Portal\\\",\\t\\\"Azure ExpressRoute | Azure Key Vault | Load Balancer | Network Security Groups | Azure Virtual Machines | Virtual Network | VPN Gateway | Azure Information Protection\\\",\\r\\n\\\"Connections Termination\\\",\\t\\\"SC.L2-3.13.9\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.9\\\",\\t\\\"SC-10\\\",\\t\\\"NA\\\",\\t\\\"Microsoft Azure Portal | Azure Virtual Machines | VPN Gateway | Azure Active Directory\\\",\\r\\n\\\"Key Management\\\",\\t\\\"SC.L2-3.13.10\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.10\\\",\\t\\\"SC-12\\\",\\t\\\"Azure Key Vault | Azure Information Protection | GitHub Enterprise Cloud | GitHub AE\\\",\\t\\\"Azure Active Directory\\\",\\r\\n\\\"CUI Encryption\\\",\\t\\\"SC.L2-3.13.11\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.11\\\",\\t\\\"SC-13\\\",\\t\\\"Azure Key Vault\\\",\\t\\\"Microsoft Azure Portal | Azure Firewall | Azure Virtual Machines | Azure Information Protection | Intune/Microsoft Endpoint Manager | GitHub AE\\\",\\r\\n\\\"Collaborative Device Control\\\",\\t\\\"SC.L2-3.13.12\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.12\\\",\\t\\\"SC-15\\\",\\t\\\"NA\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\r\\n\\\"Mobile Code\\\",\\t\\\"SC.L2-3.13.13\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.13\\\",\\t\\\"SC-18\\\",\\t\\\"Microsoft Sentinel | Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure Virtual Machines\\\",\\r\\n\\\"Voice 
over Internet Protocol\\\",\\t\\\"SC.L2-3.13.14\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.14\\\",\\t\\\"SC-19\\\",\\t\\\"Microsoft Teams\\\",\\t\\\"Microsoft Defender for Cloud\\\",\\r\\n\\\"Communications Authenticity\\\",\\t\\\"SC.L2-3.13.15\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.15\\\",\\t\\\"SC-23\\\",\\t\\\"Microsoft Azure Portal\\\",\\t\\\"Azure ExpressRoute | Azure Key Vault | Load Balancer | Network Security Groups | Azure Virtual Machines | Virtual Network | VPN Gateway | Azure Information Protection | Intune/Microsoft Endpoint Manager | Microsoft Cloud App Security\\\",\\r\\n\\\"Data at Rest\\\",\\t\\\"SC.L2-3.13.16\\\",\\t\\\"System & Communications Protection\\\",\\t\\\"3.13.16\\\",\\t\\\"SC-28\\\",\\t\\\"Azure Key Vault\\\",\\t\\\"Azure ExpressRoute | Azure Key Vault | Load Balancer | Network Security Groups | Azure Virtual Machines | Virtual Network | VPN Gateway | Azure Information Protection | Intune/Microsoft Endpoint Manager | Microsoft Defender for Cloud Apps\\\",\\r\\n\\\"Flaw Remediation\\\",\\t\\\"SI.L1-3.14.1\\\",\\t\\\"System & Information Integrity\\\",\\t\\\"3.14.1\\\",\\t\\\"SI-2 | SI-3 | SI-5\\\",\\t\\\"Microsoft Defender for Cloud | Microsoft Sentinel\\\",\\t\\\"Intune/Microsoft Endpoint Manager | Microsoft Defender for Endpoint\\\",\\r\\n\\\"Malicious Code Protection\\\",\\t\\\"SI.L1-3.14.2\\\",\\t\\\"System & Information Integrity\\\",\\t\\\"3.14.2\\\",\\t\\\"SI-2 | SI-3 | SI-5\\\",\\t\\\"Azure Web Application Firewall | Intune/Microsoft Endpoint Manager | Microsoft Defender for Endpoint\\\",\\t\\\"Azure DNS | Azure Virtual Machines | Microsoft Defender for Office 365\\\",\\r\\n\\\"Update Malicious Code Protection\\\",\\t\\\"SI.L1-3.14.4\\\",\\t\\\"System & Information Integrity\\\",\\t\\\"3.14.4\\\",\\t\\\"SI-3\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure Virtual Machines | Microsoft Defender for Endpoint | Microsoft Defender for Office 365\\\",\\r\\n\\\"System & File 
Scanning\\\",\\t\\\"SI.L1-3.14.5\\\",\\t\\\"System & Information Integrity\\\",\\t\\\"3.14.5\\\",\\t\\\"SI-3\\\",\\t\\\"Intune/Microsoft Endpoint Manager\\\",\\t\\\"Azure DNS | Azure Virtual Machines | Microsoft Defender for Cloud Apps | Microsoft Defender for Endpoint | Microsoft Defender for Office 365\\\",\\r\\n\\\"Security Alerts & Advisories\\\",\\t\\\"SI.L2-3.14.3\\\",\\t\\\"System & Information Integrity\\\",\\t\\\"3.14.3\\\",\\t\\\"SI-2 | SI-3 | SI-5\\\",\\t\\\"Microsoft Defender for Cloud | Microsoft Sentinel\\\",\\t\\\"Azure Active Directory | Microsoft Defender for Cloud Apps | Microsoft Defender for Endpoint\\\",\\r\\n\\\"Monitor Communications for Attacks\\\",\\t\\\"SI.L2-3.14.6\\\",\\t\\\"System & Information Integrity\\\",\\t\\\"3.14.6\\\",\\t\\\"AU-2 | AU-2(3) | AU-6 | SI-4 | SI-4(4)\\\",\\t\\\"Microsoft Sentinel | Microsoft 365 Defender | Microsoft Defender for Cloud | Microsoft Defender for Cloud Apps \\\",\\t\\\"Azure DNS | Azure Firewall | Azure Key Vault | Network Security Groups | Azure Web Application Firewall | Virtual Network | Conditional Access | Microsoft Defender for Endpoint | Microsoft Defender for Identity | Microsoft Defender for Office 365\\\",\\r\\n\\\"Identify Unauthorized Use\\\",\\t\\\"SI.L2-3.14.7\\\",\\t\\\"System & Information Integrity\\\",\\t\\\"3.14.7\\\",\\t\\\"SI-4\\\",\\t\\\"Microsoft Sentinel | Microsoft Defender for Cloud Apps\\\",\\t\\\"Azure Bastion | Load Balancer | Network Security Groups | Azure Virtual Machines | VPN Gateway | Azure Active Directory | Microsoft Defender for Endpoint | Azure AD Privileged Identity Management | Microsoft Defender for Office 365\\\"\\r\\n];\\r\\nCrosswalk\\r\\n| project [\\\"Control Name\\\"],[\\\"Control Number\\\"],[\\\"Control Family\\\"],[\\\"NIST SP 800-171 R2\\\"],[\\\"NIST SP 800-53 R4\\\"],[\\\"Primary Services\\\"],[\\\"Secondary 
Services\\\"]\",\"size\":0,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Control Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Primary Services\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Secondary Services\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRCAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Controls Mapping\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://dodcio.defense.gov/CMMC/) \\r\\n---\\r\\nAccess Control is the process of authorizing users, groups, and computers to access objects on a network, asset, and/or cloud. 
Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authorized Access Control (AC.L1-3.1.1) \\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL1311.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Transaction & Function Control (AC.L1-3.1.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL1312.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"External Connections (AC.L1-3.1.20)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL13120.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Control Public Information (AC.L1-3.1.22)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL13122.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 1: Foundational\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL1311Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL1311.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL1312Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL1312.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"2d395ae1-35fa-47b7-96fd-3c9b038a7226\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL13120Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL13120.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9ebfa70c-22df-4445-8b1c-7112129c7be8\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL13122Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL13122.\",\"resultValType\":\"static\",\"resultVal\":\
"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"0df1cfb7-2b39-45bd-adde-5ea8d922ccdc\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authorized Access Control (AC.L1-3.1.1)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-171-r2#limit-system-access-to-authorized-users-processes-acting-on-behalf-of-authorized-users-and-devices-including-other-systems)\\r\\n\\r\\nLimit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️[Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Customer Lockbox](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview) 🔀[Customer Lockbox](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs \\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 2\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Access Control\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":1000,\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"Implemented\"},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL1311Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L1-3.1.1\",\"styleSettings\":{\"margin\":\"3\",\"padding\":\"3\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Transaction & Function Control (AC.L1-3.1.2)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#limit-information-system-access-to-the-types-of-transactions-and-functions-that-authorized-users-are-permitted-to-execute)\\r\\n\\r\\nLimit information system access to the types of transactions and functions that authorized users are permitted to execute. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| extend UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\",UserPrincipalName)\\r\\n| summarize Runs = count(), Success = countif(Result == 'success'), Fails = countif(Result != 'success') by UserPrincipalName, OperationName, UserProfile // Summarize the total, successful and failed operations by name\\r\\n| extend SuccessRate = (Success * 100 / Runs) // Calculate the percentage of successful operations against the total\\r\\n| join (SigninLogs | project UserPrincipalName, UserId) on UserPrincipalName\\r\\n| summarize count() by UserPrincipalName, UserProfile, OperationName, UserId\\r\\n| project UserPrincipalName, ActionCount=count_, OperationName, UserProfile, UserId\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| sort by ActionCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActionCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL1312Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L1-3.1.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [External Connections (AC.L1-3.1.20)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#verify-and-controllimit-connections-to-and-use-of-external-information-systems)\\r\\n\\r\\nVerify and control/limit connections to and use of external information systems. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where Location <> \\\"\\\"\\r\\n| where ResultType == 0\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\",UserId)\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| summarize count() by City, Location\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Sign-In Summary by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"City\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go To AAD User Profile >\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation 
Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where Location <> \\\"\\\"\\r\\n| where ResultType == 0\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n\",\"size\":2,\"title\":\"User Sign-Ins by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":12,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\",\"heatmapMax\":100},\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}},\"name\":\"query - 
4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL13120Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L1-3.1.20\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Control Public Information (AC.L1-3.1.22)\\r\\n\\r\\nControl information posted or processed on publicly accessible information systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"sensitive\\\" or Title contains \\\"data\\\" or Title contains \\\"leak\\\" or Tactics contains \\\"exfil\\\" or Title contains \\\"PII\\\" or Title contains \\\"intellectual\\\" or Title contains \\\"confidential\\\" or Title contains \\\"spill\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Loss\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"nam
e\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL13122Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L1-3.1.22\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 1: Foundational\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Control CUI Flow (AC.L2-3.1.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL2313.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Separation of Duties (AC.L2-3.1.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL2314.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Least Privilege (AC.L2-3.1.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL2315.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Non-Privileged Account Use (AC.L2-3.1.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL2316.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Privileged Functions (AC.L2-3.1.7)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL2317.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Unsuccessful Logon Attempts (AC.L2-3.1.8)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL2318.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Privacy & Security Notices (AC.L2-3.1.9)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL2319.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Session Lock (AC.L2-3.1.10)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23110.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Session Termination (AC.L2-3.1.11)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23111.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: 
Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL2313Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL2313.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL2314Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL2314.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"34825a5b-616a-43e6-86f7-dfaaec89f6c5\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL2315Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL2315.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"f8eec0a4-8207-40a4-b2e5-5d3a3c3f43ff\"},{\"version\":\"KqlParamete
rItem/1.0\",\"name\":\"isACL2316Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL2316.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"901b782d-9d5f-4496-acff-14eba10dfdcc\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL2317Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL2317.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e7504687-2c9a-4821-8073-10ee5e23023a\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL2318Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL2318.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"21b09f0f-6ebb-437f-b8dc-0bb14bebd757\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL2319Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL2319.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext
\":{\"durationMs\":86400000},\"id\":\"607fb3ad-cdea-44d8-b578-07a2749629ab\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23110Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23110.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4e0b74e2-8db0-47b9-ba59-33663592db04\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23111Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23111.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"370d2451-c722-4bed-9124-50016092da87\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Control Remote Access (AC.L2-3.1.12)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23112.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Remote Access Confidentiality (AC.L2-3.1.13)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23113.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Remote Access Routing (AC.L2-3.1.14)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23114.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Privileged Remote Access (AC.L2-3.1.15)\\\\\\\", \\\\\\\"tab\\\\\\\": 
\\\\\\\"ACL23115.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Wireless Access Authorization (AC.L2-3.1.16)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23116.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Wireless Access Protection (AC.L2-3.1.17)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23117.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Mobile Device Connection (AC.L2-3.1.18)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23118.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Encrypt CUI on Mobile (AC.L2-3.1.19)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23119.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Portable Storage Use (AC.L2-3.1.21)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ACL23121.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"30560f02-4a96-4628-8600-bccdd3728ad5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23112Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23112.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23113Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23113.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e5c99657-f0a4-4e90-abc2-7c5c27b30f58\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23114Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23114.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9d45c4e1-9609-48af-8e1b-f7303ce8b698\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23115Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23115.\",\"resultValType\":\"static\",\"result
Val\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b461aaf0-2be5-4930-9feb-d287c4cb7327\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23116Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23116.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a689497a-5981-48dd-b928-179500bbb146\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23117Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23117.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b34f76b2-5540-4ecb-b51c-175ed759105f\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23118Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23118.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"651933a2-04a4-4f48-a5f8-3c26dc8be4f8\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23119Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"oper
ator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23119.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"6acb347d-36a1-4aab-a3f2-08122beb8ad2\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACL23121Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ACL23121.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d282094f-2bbd-421f-a8d8-90e104966e11\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Control CUI Flow (AC.L2-3.1.3)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#control-the-flow-of-cui-in-accordance-with-approved-authorizations)\\r\\n\\r\\nControl the flow of CUI in accordance with approved authorizations. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Microsoft Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Microsoft 365 Compliance Manager](https://compliance.microsoft.com/informationprotection)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://security.microsoft.com/settings/identities)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| project UserId_s, Computer, ContentId_g, LabelName_s, ApplicationName_s, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Information Protection Details\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\
":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colo
rAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL2313Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Separation of Duties (AC.L2-3.1.4)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#separate-the-duties-of-individuals-to-reduce-the-risk-of-malevolent-activity-without-collusion)\\r\\n\\r\\nSeparate the duties of individuals to reduce the risk of malevolent activity without collusion.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"member\\\" or RecommendationName contains \\\"owner\\\" or RecommendationName contains \\\"group\\\"\\r\\n| where RecommendationName !contains \\\"security group\\\"\\r\\n| where RecommendationName !contains \\\"Email\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (IdentityInfo| extend UserPrincipalName = AccountUPN | project UserPrincipalName, GroupMembership, AssignedRoles) on UserPrincipalName\\r\\n| project UserPrincipalName, SignInCount=count_, UserProfile, GroupMembership, AssignedRoles, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review User Group Membership & Assigned Roles\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL2314Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Least Privilege 
(AC.L2-3.1.5)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#employ-the-principle-of-least-privilege-including-for-specific-security-functions-and-privileged-accounts)\\r\\n\\r\\nEmploy the principle of least privilege, including for specific security functions and privileged accounts.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) \\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| distinct OperationName, Identity, AADOperationType, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Privileged Identity Management (PIM) Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"GrantedTo\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go To: AAD Profile >\"}},{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isACL2315Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Non-Privileged Account Use (AC.L2-3.1.6)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#use-non-privileged-accounts-or-roles-when-accessing-nonsecurity-functions)\\r\\n\\r\\nUse non-privileged accounts or roles when accessing non-security functions.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"user\\\" or RecommendationName contains \\\"account\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL2316Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Privileged Functions (AC.L2-3.1.7)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#prevent-non-privileged-users-from-executing-privileged-functions-and-capture-the-execution-of-such-functions-in-audit-logs)\\r\\n\\r\\nPrevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"audit\\\" or RecommendationName contains \\\"priv\\\" or RecommendationName contains \\\"log\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL2317Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Unsuccessful Logon Attempts (AC.L2-3.1.8)\\r\\n\\r\\nLimit unsuccessful logon attempts. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://security.microsoft.com/settings/identities)
✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Password Protection for Azure AD](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy) 🔀[Azure AD Password Protection](https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType <> 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, FailedSignInAttempt=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by FailedSignInAttempt desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Unsuccessful Logon Attempts \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FailedSignInAttempt\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"c
ustomWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"sign\\\" or Title contains \\\"brute\\\" or Title contains \\\"account\\\" or Title contains \\\"access\\\" or Title contains \\\"cred\\\" or Title contains \\\"logon\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Logon Attempts\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"nam
e\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL2318Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Privacy & Security Notices (AC.L2-3.1.9)\\r\\n\\r\\nProvide privacy and security notices consistent with applicable CUI rules.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Recommended Configuration\\r\\n💡 [Add Terms of Use](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use#add-terms-of-use)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"banner\\\" or Description contains \\\"agree\\\" or Description contains \\\"notification\\\" or Description contains \\\"terms\\\" or Description contains \\\"privacy\\\" or Description contains \\\"notice\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"banner\\\" or Description contains \\\"agree\\\" or Description contains \\\"notification\\\" or Description contains \\\"terms\\\" or Description contains \\\"privacy\\\" or Description contains \\\"notice\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"banner\\\" or Description contains \\\"agree\\\" or Description contains \\\"notification\\\" or Description contains \\\"terms\\\" or Description contains \\\"privacy\\\" or Description contains \\\"notice\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join 
kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator
\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL2319Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Session Lock (AC.L2-3.1.10) \\r\\n\\r\\nUse session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Recommended Configuration\\r\\n💡 [Configure screen lock settings using Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience)
\\r\\n💡 [Grant access to resources if devices are marked as compliant](https://docs.microsoft.com/azure/active-directory/conditional-access/require-managed-devices#require-device-to-be-marked-as-compliant)
\\r\\n💡 [Conceal Passwords with Password Box](https://docs.microsoft.com/windows/uwp/design/controls-and-patterns/password-box)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"lock\\\" or Description contains \\\"pattern\\\" or Description contains \\\"screen\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"lock\\\" or Description contains \\\"pattern\\\" or Description contains \\\"screen\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"lock\\\" or Description contains \\\"pattern\\\" or Description contains \\\"screen\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. 
Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23110Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.10\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Session Termination (AC.L2-3.1.11) \\r\\n\\r\\nTerminate (automatically) a user session after a defined condition.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Application Gateway](https://azure.microsoft.com/services/application-gateway/) 🔀 [Application Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [AADUserRiskEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/AADUserRiskEvents) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"name\":\"text - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| summarize arg_max(TimeGenerated,*) by AccountUPN\\r\\n| join kind=inner(\\r\\nSigninLogs) on $left.AccountUPN==$right.UserPrincipalName\\r\\n| project SigninTime=TimeGenerated1, UserPrincipalName, AppDisplayName, ResultType, AssignedRoles, Location, UserAgent, AuthenticationRequirement, Country, City, CorrelationId\\r\\n| join kind=inner (\\r\\nAADUserRiskEvents) on CorrelationId\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId), AssignedRoles=strcat(AssignedRoles)\\r\\n| distinct UserPrincipalName, UserProfile, RiskState, RiskLevel, AppDisplayName, ResultType, DetectionTimingType, Location, AssignedRoles, UserAgent, AuthenticationRequirement, Country, City, SigninTime, UserId\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review/Terminate User Session Risk Events\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"RiskLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AppDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense 
Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23111Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.11\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Control Remote Access (AC.L2-3.1.12)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#monitor-and-control-remote-access-sessions)\\r\\n\\r\\nMonitor and control remote access sessions.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where Location <> \\\"\\\"\\r\\n| where ResultType == 0\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Sign-Ins by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":10,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"},\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation 
Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23112Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Remote Access Confidentiality (AC.L2-3.1.13)\\r\\n\\r\\nEmploy cryptographic mechanisms to protect the confidentiality of remote access sessions.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\\r\\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | 
extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"crypt\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23113Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.13\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Privileged Remote Access (AC.L2-3.1.14)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#route-remote-access-via-managed-access-control-points)\\r\\n\\r\\nRoute remote access via managed access control points.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n✳️ [Named Locations](https://docs.microsoft.com/azure/active-directory/conditional-access/location-condition) 🔀[Azure AD Named Locations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/NamedNetworksWithCountryBlade)
\\r\\n✳️ [Azure Front Door](https://azure.microsoft.com/services/frontdoor/) 🔀[Front Doors](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/frontdoors)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"where type contains \\\"network\\\" \\r\\n| project id,type,resourceGroup\\r\\n| order by type asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Rule\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", 
\\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23114Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Privileged Remote Access (AC.L2-3.1.15)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#authorize-remote-execution-of-privileged-commands-and-remote-access-to-security-relevant-information)\\r\\n\\r\\nAuthorize remote execution of privileged commands and remote access to security-relevant information. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Named Locations](https://docs.microsoft.com/azure/active-directory/conditional-access/location-condition) 🔀[Azure AD Named Locations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/NamedNetworksWithCountryBlade)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) 🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SigninCount = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName\\r\\n| project UserPrincipalName, SignInCount=count_;\\r\\nlet LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nIdentityInfo\\r\\n| extend Roles = strcat(AssignedRoles)\\r\\n| extend Groups = strcat(GroupMembership)\\r\\n| where Roles contains \\\"security\\\" or Groups contains \\\"security\\\" or Roles contains \\\"admin\\\" or Groups contains \\\"admin\\\"\\r\\n| extend UserPrincipalName = MailAddress\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n// where Location <> \\\"US\\\" // Exempt Non Remote Locations\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\",UserPrincipalName)\\r\\n| distinct UserPrincipalName, UserProfile, Roles, Groups, UserType, Location, TimeGenerated, UserId\\r\\n| sort by TimeGenerated desc\\r\\n| summarize count() by UserPrincipalName, UserProfile, Roles, Groups, UserType, Location, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, Roles, Groups, UserType, Location, LastSignIn, UserId\\r\\n| join (SigninCount) on UserPrincipalName\\r\\n| project UserPrincipalName, SignInCount, UserProfile, Roles, Groups, UserType, Location, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Admin User SignIns by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and 
Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23115Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.15\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Wireless Access Authorization (AC.L2-3.1.16) \\r\\n\\r\\nAuthorize wireless access prior to allowing such connections.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Recommended Configuration\\r\\n💡 [Network Access Control (NAC)](https://docs.microsoft.com/mem/intune/protect/network-access-control-integrate)
\\r\\n💡 [Grant access to resources if devices are marked as compliant](https://docs.microsoft.com/azure/active-directory/conditional-access/)
\\r\\n💡 [Conditional Access with Intune](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\" or Description contains \\\"wifi\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\" or Description contains \\\"wifi\\\" \\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\" or Description contains \\\"wifi\\\" \\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23116Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.16\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Wireless Access Protection (AC.L2-3.1.17) \\r\\n\\r\\nProtect wireless access using authentication and encryption. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Recommended Configuration\\r\\n💡 [Use a Custom Device Profile to Create a WiFi Profile with a Pre-Shared Key in Intune](https://docs.microsoft.com/mem/intune/configuration/wi-fi-profile-shared-key)
\\r\\n💡 [Using NAC with Conditional Access & Intune](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\" or Description contains \\\"wifi\\\" or Description contains \\\"auth\\\" or Description contains \\\"encrypt\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\" or Description contains \\\"wifi\\\" or Description contains \\\"auth\\\" or Description contains \\\"encrypt\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\" or Description contains \\\"wifi\\\" or Description contains \\\"auth\\\" or Description contains \\\"encrypt\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23117Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Mobile Device Connection (AC.L2-3.1.18) \\r\\n\\r\\nControl connection of mobile devices.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\\r\\n| extend OperatingSystem = tostring(DeviceDetail.operatingSystem)\\r\\n| extend Browser = tostring(DeviceDetail.browser)\\r\\n| where OperatingSystem contains \\\"Android\\\" or OperatingSystem contains \\\"iOS\\\"\\r\\n| summarize count() by OperatingSystem, Browser, AppDisplayName\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Mobile Device Access\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},
\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23118Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.18\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Encrypt CUI on Mobile (AC.L2-3.1.19) \\r\\n\\r\\nEncrypt CUI on mobile devices and mobile computing platforms. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Recommended Configuration\\r\\n💡 [How to Create and Assign App Protection Policies](https://docs.microsoft.com/mem/intune/apps/app-protection-policies)
\\r\\n💡 [App Protection Policies Overview](https://docs.microsoft.com/mem/intune/apps/app-protection-policy)
\\r\\n💡 [Microsoft Intune Protected Apps](https://docs.microsoft.com/mem/intune/apps/apps-supported-intune-apps)
\\r\\n💡 [Data Protection Framework Using App Protection Policies](https://docs.microsoft.com/mem/intune/apps/app-protection-framework)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|extend CAStatus = case(ConditionalAccessStatus == \\\"failure\\\", \\\"Failed\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"Not applied\\\", \\r\\n isempty(ConditionalAccessStatus), \\\"Not applied\\\", \\r\\n \\\"Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n| extend Conditional_AccessPolicies = strcat(ConditionalAccessPolicies.displayName)\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0]);\\r\\ndata\\r\\n| where CAGrantControlName <> \\\"\\\"\\r\\n| where ResultType == 0\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\",UserPrincipalName)\\r\\n| summarize count() by AppDisplayName, Conditional_AccessPolicies, ConditionalAccessStatus\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure App Protection Policy and Monitor Conditional Access Policy Compliance\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConditionalAccessStatus\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"success\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"failure\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"1\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go To: AAD User Profile >\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": 
\\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23119Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.19\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Portable Storage Use (AC.L2-3.1.21) \\r\\n\\r\\nLimit use of portable storage devices on external systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Named Locations](https://docs.microsoft.com/azure/active-directory/conditional-access/location-condition) 🔀[Azure AD Named Locations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/NamedNetworksWithCountryBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [DeviceEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceevents) 🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n## Recommended Configuration\\r\\n💡 [How to Control USB Devices and Other Removable Media Using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"2\",\"padding\":\"2\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n| project TimeGenerated, ActionType, AdditionalFields, DeviceId, FileName\\r\\n| where ActionType == \\\"UsbDriveMounted\\\"\\r\\n| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)\\r\\n| join kind=inner (DeviceFileEvents\\r\\n | project TimeGenerated, ActionType, FolderPath, DeviceId, FileName, FileSize\\r\\n | extend FileCopyTime = TimeGenerated\\r\\n | where ActionType == \\\"FileCreated\\\"\\r\\n | parse FolderPath with DriveLetter '\\\\\\\\' *\\r\\n | extend DriveLetter = tostring(DriveLetter)\\r\\n )\\r\\n on DeviceId, DriveLetter\\r\\n| distinct FileCopyTime, FileName1, FileSize\\r\\n| summarize DataCopiedinGB=sum(FileSize / 1024 / 1024 / 1024) by startofday(FileCopyTime)\\r\\n| render columnchart\\r\\n with (\\r\\n kind=unstacked,\\r\\n xtitle=\\\"Data Copied in GB\\\",\\r\\n ytitle=\\\"Day\\\",\\r\\n title=\\\"Data Copied to USB per day\\\")\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Portable Storage Devices\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DeviceName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AccountName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"is Empty\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isACL23121Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC.L2-3.1.21\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isACVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Awareness & Training](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\nAwareness & Training is focused on controlling human access to systems, networks, and assets. 
Personnel Security includes considerations for screening individuals with access to Controlled Unclassified Information (CUI) and protection of such data after personnel actions such as terminations or transfers.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Role-Based Risk Awareness (AT.L2-3.2.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ATL2321.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Role-Based Training (AT.L2-3.2.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ATL2321.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Insider Threat Awareness (AT.L2-3.2.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"ATL2321.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isATL2321Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"ATL2321.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"5\",\"name\":\"Hidden 
Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Role-Based Risk Awareness (AT.L2-3.2.1)
\\r\\n\\r\\nEnsure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.\\r\\n\\r\\n## Role-Based Training (AT.L2-3.2.2)
\\r\\n\\r\\nEnsure that personnel are trained to carry out their assigned information security-related duties and responsibilities. \\r\\n\\r\\n## Insider Threat Awareness (AT.L2-3.2.3)
\\r\\n\\r\\nProvide security awareness training on recognizing and reporting potential indicators of insider threat.\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Microsoft Certified: Security Operations Analyst Associate](https://docs.microsoft.com/learn/certifications/security-operations-analyst)
\\r\\n💡 [Learning with the Microsoft Sentinel Training Lab](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/learning-with-the-microsoft-sentinel-training-lab/ba-p/2953403)
\\r\\n💡 [Learn Microsoft Sentinel on Microsoft Learn](https://techcommunity.microsoft.com/blog/itopstalkblog/learn-azure-sentinel-on-microsoft-learn/2006346)
\\r\\n💡 [Microsoft Sentinel Ninja Training Knowledge Check](https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-ninja-training-knowledge-check/ba-p/2677696)
\\r\\n💡 [Manage Insider Risk](https://docs.microsoft.com/learn/modules/m365-compliance-insider-manage-insider-risk/)
\\r\\n💡 [Get Started Using Attack Simulation Training](https://docs.microsoft.com/microsoft-365/security/office-365-security/attack-simulation-training-get-started)
\\r\\n💡 [SimuLand: Understand adversary tradecraft and improve detection strategies](https://www.microsoft.com/security/blog/2021/05/20/simuland-understand-adversary-tradecraft-and-improve-detection-strategies/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)
\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### [Leverage Microsoft Learn for Role-Based Training for Security Professionals](https://docs.microsoft.com/learn/)\\r\\n![Image Name](https://docs.microsoft.com/media/learn/home/hero_background_light.svg?branch=main) \\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isATL2321Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AT.L2-3.2.1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isATVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Awareness & Training Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit & Accountability](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\nAudit & Accountability involves the evaluation of configurable security and logging options to help identify gaps in security policies and mechanisms. \"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Auditing (AU.L2-3.3.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2331.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"User Accountability (AU.L2-3.3.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2332.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Event Review (AU.L2-3.3.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2333.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Failure Alerting (AU.L2-3.3.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2334.\\\\\\\" },\\\\t\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Correlation (AU.L2-3.3.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2335.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: 
Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2331Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2331.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2332Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2332.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d19637ad-09c9-4a1b-8987-ee2348384fed\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2333Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2333.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ede6dc18-910b-45e4-97a6-ac014c9d397d\"},{\"version\":\"KqlParamete
rItem/1.0\",\"name\":\"isAUL2334Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2334.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"bdbc3a5c-37f6-4a1f-9d67-62dd6f8782a5\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2335Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2335.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"96e61cfa-f86e-44e7-b7c8-b5450ee00d53\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Reduction & Reporting (AU.L2-3.3.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2336.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authoritative Time Source (AU.L2-3.3.7) \\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2337.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Protection (AU.L2-3.3.8)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2338.\\\\\\\" },\\\\t\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Management (AU.L2-3.3.9)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AUL2339.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: 
Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"24e2c8b9-34c1-4559-aaee-0414d9b98420\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2336Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2336.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"b7b6fd63-9a21-4122-8f7d-6fbcc265a2d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2337Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2337.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"eecb3728-3783-4f86-9074-da005a39a679\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2338Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2338.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"ce3ab9b5-
a1bd-4b29-ae20-63e8c3da2ec2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUL2339Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AUL2339.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System Auditing (AU.L2-3.3.1)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#create-and-retain-system-audit-logs-and-records-to-the-extent-needed-to-enable-the-monitoring-analysis-investigation-and-reporting-of-unlawful-or-unauthorized-system-activity)\\r\\n\\r\\nCreate and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName *\\r\\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\\\"second\\\",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by _TableName, _IsBillable\\r\\n| project ['Table Name'] = _TableName, ['Table Size'] = Size, ['Table Entries'] = Entries,\\r\\n ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable\\r\\n| order by ['Table Size'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Table Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Microsoft Sentinel Workspace • Adjust the Time Parameter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Microsoft Defender for Cloud Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Party Tooling Requirements\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Table Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Table Size\",\"formatter\":8,\"formatOptions\":{\"palette\":\"purple\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Table 
Entries\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Size per Entry\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"IsBillable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Important\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": 
\\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2331Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [User Accountability (AU.L2-3.3.2)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#ensure-that-the-actions-of-individual-system-users-can-be-uniquely-traced-to-those-users-so-they-can-be-held-accountable-for-their-actions)\\r\\n\\r\\nEnsure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where Caller <> \\\"\\\"\\r\\n| extend UserPrincipalName = Caller\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\",UserId)\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Count by User\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n 
{\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2332Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Event Review (AU.L2-3.3.3) \\r\\n\\r\\nReview and update logged events.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [Connect Data Sources](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Usage\\r\\n| summarize count() by DataType\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Events Count by Log Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", 
\\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2333Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit Failure Alerting (AU.L2-3.3.4)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#alert-in-the-event-of-an-audit-logging-process-failure)\\r\\n\\r\\nAlert in the event of an audit logging process failure. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource = _TableName *\\r\\n| summarize last_log = datetime_diff(\\\"second\\\",now(), max(TimeGenerated)) by _TableName\\r\\n| where last_log > 0\\r\\n| where _TableName !contains \\\"_SRCH\\\"\\r\\n| project ['Table Name'] = _TableName, ['Last Record Received'] = last_log\\r\\n| order by ['Last Record Received'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Log Source Health \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. • Confirm Log Source is Onboarded to Microsoft Sentinel Workspace • Adjust Query Time Thresholds for a Larger Data-Set\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Table Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Backlog\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Last Record Received\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orangeRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\"}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control 
Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2334Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Audit Correlation (AU.L2-3.3.5) \\r\\n\\r\\nCorrelate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://security.microsoft.com/settings/identities)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [BehaviorAnalytics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/behavioranalytics) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AnomalousSigninActivity = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\\r\\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\\r\\n or ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\\r\\n | join (\\r\\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \\\"none\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, 
SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', '7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//witdstomstl\\r\\nlet AnomalousRoleAssignment = AuditLogs\\r\\n | where TimeGenerated > ago(28d)\\r\\n | where OperationName == \\\"Add member to role\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner (\\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Add member to role\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend AnomalyName = \\\"Anomalous Role Assignemt\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries 
may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let LogOns=materialize(\\r\\n BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\");\\r\\nlet AnomalousResourceAccess = LogOns\\r\\n | where ActionType == \\\"ResourceAccess\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous Resource Access\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. 
The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousRDPActivity = LogOns\\r\\n | where ActionType == \\\"RemoteInteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous RDP Activity\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. 
The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousLogintoDevices = LogOns\\r\\n | where ActionType == \\\"InteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\\r\\n | extend AnomalyName = \\\"Anomalous Login To Devices\\\",\\r\\n Tactic = \\\"Privilege Escalation\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousPasswordReset = BehaviorAnalytics\\r\\n | where ActionType == \\\"Reset user password\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == \\\"True\\\"\\r\\n | join (\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Reset user password\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Password Reset\\\",\\r\\n Tactic = \\\"Impact\\\",\\r\\n Technique = \\\"Account Access Removal\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\\r\\n | join (\\r\\n SigninLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Initial Access\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousFailedLogon = BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n | join (\\r\\n SigninLogs \\r\\n | where Status.errorCode == 50126\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Failed Logon\\\",\\r\\n Tactic = \\\"Credential Access\\\",\\r\\n Technique = \\\"Brute Force\\\",\\r\\n SubTechnique = \\\"Password Guessing\\\",\\r\\n Description = \\\"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousAADAccountManipulation = AuditLogs\\r\\n | where OperationName == \\\"Update user\\\"\\r\\n | mv-expand AdditionalDetails\\r\\n | where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner ( \\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Update user\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName) \\r\\n | extend AnomalyName = \\\"Anomalous Account Manipulation\\\",\\r\\n Tactic = 
\\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\\r\\n | where ActionType == \\\"Add user\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\\r\\n | join(\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Add user\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\\r\\n UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", 
tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Account Creation\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Create Account\\\",\\r\\n SubTechnique = \\\"Cloud Account\\\",\\r\\n Description = \\\"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\\\"\\t\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\\r\\nlet TopUsersByAnomalies = AnomalyTable\\r\\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\\r\\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\\r\\n | sort by AnomalyCount desc;\\r\\nlet TopUsersByIncidents = SecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | where Status == \\\"New\\\" or Status == \\\"Active\\\"\\r\\n | mv-expand AlertIds\\r\\n | extend 
AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | union TopUsersByAnomalies\\r\\n | extend \\r\\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\\r\\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\\r\\n UPNExists = iff(isempty(UPN), false, true),\\r\\n NameExists = iff(isempty(Name), false, true),\\r\\n SidExists = iff(isempty(Sid), false, true),\\r\\n AADExists = iff(isempty(AadUserId), false, true)\\r\\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), 
AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\\r\\n | project [\\\"UserName\\\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\\\"AadUserId\\\"]=AadAnchor, [\\\"OnPremSid\\\"]=SidAnchor, [\\\"UserPrincipalName\\\"]=UPNAnchor;\\r\\nTopUsersByIncidents\\r\\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| sort by AlertCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Entity Behavior Analytics Alerts\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). 
See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_heatmap_AlertCount_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_AlertCount_2\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",
\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2335Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Reduction & Reporting (AU.L2-3.3.6)\\r\\n\\r\\nProvide audit record reduction and report generation to support on-demand analysis and reporting.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Correlate/Aggregate Logging via Security Incidents\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"nam
e\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2336Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Authoritative Time Source (AU.L2-3.3.7) \\r\\n\\r\\nProvide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [Time sync for Windows VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/windows/time-sync)\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where Description contains \\\"NTP\\\" or Description contains \\\"clock\\\" or Description contains \\\"time\\\" or Description contains \\\"sync\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by Description, _ResourceId\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| project Description, Total, PassedControls, Passed, Failed\\r\\n| sort by Total desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines for Time Synchronization\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Caller\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"DataType\"},\"showBorder\":fals
e}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2337Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit Protection (AU.L2-3.3.8)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#protect-audit-information-and-audit-logging-tools-from-unauthorized-access-modification-and-deletion)\\r\\n\\r\\nProtect audit information and audit logging tools from unauthorized access, modification, and deletion.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where OperationNameValue contains \\\"Insights\\\" or OperationName contains \\\"Log\\\" or OperationName contains \\\"Audit\\\" or OperationName contains \\\"Monitor\\\"\\r\\n| where OperationName contains \\\"Create\\\" or OperationName contains \\\"Audit\\\" or OperationName contains \\\"Update\\\" or OperationName contains \\\"Add\\\" or OperationName contains \\\"Change\\\" or OperationName contains \\\"Remove\\\" or OperationName contains \\\"Delete\\\" or OperationName contains \\\"Write\\\"\\r\\n| where OperationName <> \\\"\\\"\\r\\n| summarize count() by UserPrincipalName=Caller, OperationName, OperationNameValue, ResourceId\\r\\n| project OperationName, ActionCount=count_, UserPrincipalName, OperationNameValue, ResourceId\\r\\n| sort by ActionCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor User Audit Logging Tool Access, Modification, and Deletion\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActionCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation 
Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2338Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Audit Management (AU.L2-3.3.9) \\r\\n\\r\\nLimit management of audit logging functionality to a subset of privileged users. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (IdentityInfo| extend UserPrincipalName = AccountUPN | project UserPrincipalName, AssignedRoles) on UserPrincipalName\\r\\n| where AssignedRoles contains \\\"Security Administrator\\\" or AssignedRoles contains \\\"Security Contributor\\\" or AssignedRoles contains \\\"Admin\\\" or AssignedRoles contains \\\"Owner\\\"\\r\\n| project UserPrincipalName, SignInCount=count_, UserProfile, AssignedRoles, LastSignIn, UserId\\r\\n| extend AssignedRoles=strcat(AssignedRoles)\\r\\n| distinct UserPrincipalName, SignInCount, UserProfile, AssignedRoles, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Users with Management of Audit Logging Functionality Privileges\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n 
{\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUL2339Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU.L2-3.3.9\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAUVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Audit and Accountability Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Configuration Management](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\nConfiguration Management establishes security baselines and measuresdeviations provides the basis for tracking the security posture of cloud assets.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Baselining (CM.L2-3.4.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2341.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Configuration Enforcement (CM.L2-3.4.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2342.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Change Management (CM.L2-3.4.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2343.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Impact Analysis (CM.L2-3.4.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2344.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Restrictions for Change (CM.L2-3.4.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2345.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: 
Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2341Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2341.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2342Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2342.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"42705b8e-69c8-4f05-a32a-c2c71a12baa8\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2343Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2343.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ea4ee9e3-7b47-4c7b-8a91-68b3c4303ca0\"},{\"version\":\"KqlParamete
rItem/1.0\",\"name\":\"isCML2344Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2344.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"7a56b689-3e07-47c0-bf76-257ea083159f\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2345Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2345.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"35e995e3-5225-4bbb-b02d-b7987b637015\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Least Functionality (CM.L2-3.4.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2346.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Nonessential Functionality (CM.L2-3.4.7)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2347.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Application Execution Policy (CM.L2-3.4.8)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2348.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"User-Installed Software (CM.L2-3.4.9)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CML2349.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: 
Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8a50cd3f-b3e9-4587-80e6-c52b2cfec5aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2346Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2346.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"34719c4e-8f19-455e-b644-8c1fd62f7f1a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2347Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2347.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"33298753-7f88-41fd-b019-1bd801001f66\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2348Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2348.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"f4c18a08-
dc34-40f2-bfd2-372935857c4b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCML2349Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CML2349.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System Baselining (CM.L2-3.4.1)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#establish-and-maintain-baseline-configurations-and-inventories-of-organizational-systems-including-hardware-software-firmware-and-documentation-throughout-the-respective-system-development-life-cycles)\\r\\n\\r\\nEstablish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Azure Blueprints](https://docs.microsoft.com/azure/governance/blueprints/) 🔀[Blueprints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/BlueprintsMenuBlade/GetStarted)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n💡 [Quickstart: Define and assign a blueprint in the portal](https://docs.microsoft.com/azure/governance/blueprints/create-blueprint-portal)
\\r\\n💡 [Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| project AssetID=id,AssetType=type, Azure_Inventory, M365_Inventory\\r\\n| sort by AssetType desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Asset Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, 
Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":
\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2341Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Configuration Enforcement (CM.L2-3.4.2) ](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#establish-and-enforce-security-configuration-settings-for-information-technology-products-employed-in-organizational-systems)\\r\\n\\r\\nEstablish and enforce security configuration settings for information technology products employed in organizational systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"config\\\"\\r\\n| where RecommendationName !contains \\\"security group\\\"\\r\\n| where RecommendationName !contains \\\"Email\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2342Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System Change Management (CM.L2-3.4.3)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#track-review-approve-or-disapprove-and-log-changes-to-organizational-systems)\\r\\n\\r\\nTrack, review, approve or disapprove, and log changes to organizational systems. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [Enable Change Tracking and Inventory From an Automation Account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], 
iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | 
where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"log\\\" or RecommendationName contains \\\"audit\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2343Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Security Impact Analysis (CM.L2-3.4.4) \\r\\n\\r\\nAnalyze the security impact of changes prior to implementation. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) 🔷 [SecureScore](https://learn.microsoft.com/en-gb/azure/azure-monitor/reference/tables/SecureScoreControls) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName, tostring(severity)\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | where severity 
== \\\"High\\\"\\r\\n | distinct ControlID, RecommendationName, Total, severity, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | extend Severity=tostring(severity)\\r\\n | distinct RecommendationName, Severity, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total desc\\r\\n | limit 25\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Recommendations Impacting Security Posture\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2344Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Access Restrictions for Change (CM.L2-3.4.5) \\r\\n\\r\\nDefine, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [ConfigurationChange](https://docs.microsoft.com/azure/azure-monitor/reference/tables/configurationchange) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ConfigurationChange\\r\\n| summarize count() by _ResourceId, ConfigChangeType\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor System Configuration Changes\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 65\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate 
Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2345Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Least Functionality (CM.L2-3.4.6)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#employ-the-principle-of-least-functionality-by-configuring-organizational-systems-to-provide-only-essential-capabilities)\\r\\n\\r\\nEmploy the principle of least functionality by configuring organizational systems to provide only essential capabilities. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"priv\\\" or RecommendationName contains \\\"access\\\"\\r\\n| where RecommendationName !contains \\\"security group\\\"\\r\\n| where RecommendationName !contains \\\"Email\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2346Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Nonessential Functionality (CM.L2-3.4.7)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#restrict-disable-or-prevent-the-use-of-nonessential-programs-functions-ports-protocols-and-services)\\r\\n\\r\\nRestrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"disable\\\" or RecommendationName contains \\\"port\\\"\\r\\n| where RecommendationName !contains \\\"security group\\\"\\r\\n| where RecommendationName !contains \\\"Email\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2347Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Application Execution Policy (CM.L2-3.4.8)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#apply-deny-by-exception-blacklisting-policy-to-prevent-the-use-of-unauthorized-software-or-deny-all-permit-by-exception-whitelisting-policy-to-allow-the-execution-of-authorized-software)\\r\\n\\r\\nApply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"ware\\\" or Title contains \\\"deny\\\" or Title contains \\\"execution\\\" or Title contains \\\"software\\\" or Title contains \\\"restricted\\\" or Title contains \\\"tool\\\" or Title contains \\\"backdoor\\\" or Title contains \\\"file\\\" or Title contains \\\"exploit\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Restricted Software & Applications\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": 
\\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2348Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [User-Installed Software (CM.L2-3.4.9)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#control-and-monitor-user-installed-software)\\r\\n\\r\\nControl and monitor user-installed software.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://security.microsoft.com/settings/identities)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | where ControlID == \\\"3.4.9\\\"\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCML2349Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM.L2-3.4.9\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCMVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Configuration Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Identification & Authentication](https://dodcio.defense.gov/CMMC/) \\r\\n---\\r\\nIdentification & Authentication Management is the process of managing user, system, asset identities and controlling access to authorized resources.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Identification (IA.L1-3.5.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL1351.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authentication (IA.L1-3.5.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL1352.\\\\\\\" }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 1: Foundational\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL1351Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL1351.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL1352Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL1352.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4e13ea02-4a93-4b87-86a1-67c2d1088501\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Identification (IA.L1-3.5.1) \\r\\n\\r\\nIdentify information system users, processes acting on behalf of users, or devices.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Azure AD Identity Governance](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) 🔀[Identity Governance](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/GettingStarted)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AADManagedIdentitySignInLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/aadmanagedidentitysigninlogs) 🔷 [AADServicePrincipalSignInLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AADManagedIdentitySignInLogs\\r\\n| summarize count() by ServicePrincipalName, ResourceGroup\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Managed Identity Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ServicePrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"Managed Identity Actions\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not 
Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AADServicePrincipalSignInLogs \\r\\n| summarize count() by ServicePrincipalName, ResourceGroup\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Service Principal Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ServicePrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"Service Principal Actions\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL1351Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L1-3.5.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authentication (IA.L1-3.5.2)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#authenticate-or-verify-the-identities-of-those-users-processes-or-devices-as-a-prerequisite-to-allowing-access-to-organizational-information-systems)\\r\\n\\r\\nAuthenticate (or verify) the identities of those users, processes, or devices, as a 
prerequisite to allowing access to organizational information systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Customer Lockbox](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview) 🔀[Customer Lockbox](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 2\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| where IsInteractive == true\\r\\n| summarize Count = count() by SigninStatus\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | 
make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count()\\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend SigninStatus = 'All Sign-ins', Status = '*' \\r\\n)\\r\\n| where SigninStatus <> \\\"All Sign-ins\\\"\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Authentication Details\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not 
Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0 and AppDisplayName != \\\"\\\"\\r\\n| summarize count() by AppDisplayName\\r\\n| join (\\r\\nSigninLogs\\r\\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, 4h) by AppDisplayName \\r\\n) on AppDisplayName\\r\\n| top 25 by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Sign-Ins By Application\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"AppDisplayName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"AppDisplayName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\"
,\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL1352Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L1-3.5.2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 1: Foundational\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Multifactor Authentication (IA.L2-3.5.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL2353.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Replay-Resistant Authentication (IA.L2-3.5.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL2354.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Identifier Reuse (IA.L2-3.5.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL2355.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Identifier Handling (IA.L2-3.5.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL2356.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Password Complexity (IA.L2-3.5.7)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL2357.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL2353Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL2353.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL2354Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL2354.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a03661c7-1410-4410-89be-fffff2c4e0aa\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL2355Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL2355.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d0924f3b-66a9-451e-9314-9fac037c6f87\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL2356Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL2356.\",\"resultValType\":\"static\",\"resultVal\":\"tru
e\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9d02dc73-6456-42d4-ad74-8f62da23d5c8\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL2357Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL2357.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c6b28a87-f463-4185-bb2b-536834bb2efb\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Password Reuse (IA.L2-3.5.8)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL2358.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Temporary Passwords (IA.L2-3.5.9)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL2359.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Cryptographically-Protected Passwords (IA.L2-3.5.10)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL23510.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Obscure Feedback (IA.L2-3.5.11)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IAL23511.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f032b00a-cd79-4156-b773-9f5bf4873bfa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL2358Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL2358.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"2d24fe30-f95d-4b56-a629-267d40ee4034\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL2359Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL2359.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"95baeb0b-a97d-4408-a55a-3721e16cd12b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL23510Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL23510.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"d7d7de6a-bbec-491d-bcf0-d21a0dfbcd3d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAL23511Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IAL23
511.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Multifactor Authentication (IA.L2-3.5.3)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#use-multifactor-authentication-for-local-and-network-access-to-privileged-accounts-and-for-network-access-to-non-privileged-accounts)\\r\\n\\r\\nUse multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MFAFailures = SigninLogs\\r\\n| where AuthenticationRequirement == \\\"multiFactorAuthentication\\\"\\r\\n| where ResultType <> 0\\r\\n| extend FailureReason = tostring(Status.failureReason)\\r\\n| where FailureReason contains \\\"User did not pass the MFA\\\"\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| summarize count() by UserPrincipalName, UserId, UserProfile\\r\\n| extend FailedMFACount=count_;\\r\\nlet LastObserved = SigninLogs\\r\\n| where ResultType <> 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastFailedSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| where AuthenticationRequirement == \\\"multiFactorAuthentication\\\"\\r\\n| where ResultType <> 0\\r\\n| extend FailureReason = tostring(Status.failureReason)\\r\\n| where FailureReason contains \\\"User did not pass the MFA\\\"\\r\\n| make-series Trend = dcount(FailureReason) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by UserPrincipalName\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (MFAFailures) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, FailedMFACount, Trend, LastFailedSignIn, UserId\\r\\n| sort by FailedMFACount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor User MFA Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. 
Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"FailedMFACount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation 
Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"MFA\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL2353Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Replay-Resistant Authentication (IA.L2-3.5.4)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#employ-replay-resistant-authentication-mechanisms-for-network-access-to-privileged-and-nonprivileged-accounts)\\r\\n\\r\\nEmploy replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs \\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"accessible\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL2354Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Identifier Reuse (IA.L2-3.5.5) \\r\\n\\r\\nPrevent reuse of identifiers for a defined period. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [Restore or Remove a Recently Deleted User Using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-restore)\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"reuse\\\" or Description contains \\\"without password\\\" or Description contains \\\"unneccessary account\\\" or Description contains \\\"blank password\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"reuse\\\" or Description contains \\\"without password\\\" or Description contains \\\"unneccessary account\\\" or Description contains \\\"blank password\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"reuse\\\" or Description contains \\\"without password\\\" or Description contains \\\"unneccessary account\\\" or Description contains \\\"blank password\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 
250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette
\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL2355Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Identifier Handling (IA.L2-3.5.6) \\r\\n\\r\\nDisable identifiers after a defined period of inactivity. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://security.microsoft.com/settings/identities)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [Report on Azure AD Stale Users](https://www.powershellgallery.com/packages/Get-AzureADStaleUsers/1.0/Content/Get-AzureADStaleUsers.ps1?)\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastSignIn = SigninLogs\\r\\n| where ResultType == \\\"0\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nlet CurrentUsers = SigninLogs\\r\\n| where ResultType == \\\"0\\\"\\r\\n| where TimeGenerated > ago(90d)\\r\\n| summarize HistoricUsers = makeset(UserPrincipalName);\\r\\nSigninLogs\\r\\n| where ResultType == \\\"0\\\"\\r\\n| where TimeGenerated between (ago(90d)..ago(30d))\\r\\n| where UserPrincipalName !in (CurrentUsers)\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\",UserId)\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastSignIn) on UserPrincipalName\\r\\n| sort by count_ desc\\r\\n| extend SignInsBeforeInactive = count_\\r\\n| project UserPrincipalName, UserProfile, SignInsBeforeInactive, LastSignIn, UserId\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Inactive AAD Accounts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"SignInsBeforeInactive\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of 
Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL2356Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Password Complexity (IA.L2-3.5.7)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#enforce-a-minimum-password-complexity-and-change-of-characters-when-new-passwords-are-created)\\r\\n\\r\\nEnforce a minimum password complexity and change of characters when new passwords are created.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Azure AD Password Protection](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) 🔀[Azure AD Password Protection](https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"password\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL2357Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Password Reuse (IA.L2-3.5.8)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#prohibit-password-reuse-for-a-specified-number-of-generations)\\r\\n\\r\\nProhibit password reuse for a specified number of generations.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Azure AD Password Protection](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) 🔀[Azure AD Password Protection](https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where Description contains \\\"reuse\\\" or Description contains \\\"password\\\" \\r\\n| summarize arg_max(TimeGenerated, *) by Description, _ResourceId\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| project Description, Total, PassedControls, Passed, Failed\\r\\n| sort by Total desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines for Password Reuse\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL2358Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Temporary Passwords (IA.L2-3.5.9) \\r\\n\\r\\nAllow temporary password use for system logons with an immediate change to a permanent password. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [Reset a User's Password Using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-reset-password-azure-portal)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PasswordReset = AuditLogs\\r\\n| where OperationName contains \\\"reset\\\"\\r\\n| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\r\\n| summarize count() by UserPrincipalName\\r\\n| project UserPrincipalName, PasswordResetCount=count_;\\r\\nlet LastObserved = AuditLogs\\r\\n| where OperationName contains \\\"reset\\\"\\r\\n| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastPasswordReset=TimeGenerated;\\r\\nlet UserProfiles = SigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| summarize count() by UserPrincipalName, UserId, UserProfile;\\r\\nAuditLogs\\r\\n| where OperationName contains \\\"reset\\\"\\r\\n| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\r\\n| make-series Trend = dcount(OperationName) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by UserPrincipalName\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (PasswordReset) on UserPrincipalName\\r\\n| join (UserProfiles) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, PasswordResetCount, Trend, LastPasswordReset, UserId\\r\\n| sort by PasswordResetCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Temporary Passwords via Password Resets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"PasswordResetCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL2359Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cryptographically-Protected Passwords 
(IA.L2-3.5.10)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#store-and-transmit-only-cryptographically-protected-passwords)\\r\\n\\r\\nStore and transmit only cryptographically-protected passwords. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"hash\\\" or Description contains \\\"sha\\\"\\r\\n| where Description !contains \\\"network\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"hash\\\" or Description contains \\\"sha\\\"\\r\\n| where Description !contains \\\"network\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"hash\\\" or Description contains \\\"sha\\\"\\r\\n| where Description !contains \\\"network\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL23510Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.10\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Obscure Feedback (IA.L2-3.5.11) \\r\\n\\r\\nObscure feedback of authentication information. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"reveal\\\" or Description contains \\\"hiding\\\" or Description contains \\\"display\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"reveal\\\" or Description contains \\\"hiding\\\" or Description contains \\\"display\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"reveal\\\" or Description contains \\\"hiding\\\" or Description contains \\\"display\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| where Description !contains \\\"Firewall\\\"\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement 
Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAL23511Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA.L2-3.5.11\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Identification & Authentication Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Response](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\nIncident Response is the process of responding to cybersecurity incidents and events. Incident Response includes preparation, identification, containment, eradication, recovery, and lessons learned phases.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Handling (IR.L2-3.6.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IRL2361.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Reporting (IR.L2-3.6.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IRL2362.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Response Testing (IR.L2-3.6.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IRL2363.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIRL2361Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IRL2361.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIRL2362Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IRL2362.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"37671c36-7877-4f01-ac24-572c1bdee4a8\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIRL2363Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IRL2363.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c3921efe-053c-42c8-8dac-825e5f012447\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Handling (IR.L2-3.6.1)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#establish-an-operational-incident-handling-capability-for-organizational-systems-that-includes-preparation-detection-analysis-containment-recovery-and-user-response-activities)\\r\\n\\r\\nEstablish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) \\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\" Incidents Summary\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"High\\\"\\n| summarize kwSum=count(TenantId)\\n\\n\\n\\n\",\"size\":3,\"title\":\"CRITICAL\",\"noDataMessage\":\"No unauthorized devices making config changes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\
"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"kwSum\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"24\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| summarize kwSum=count(TenantId)\\n\\n\\n\\n\",\"size\":0,\"title\":\"OPEN\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"kwSum\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantD
igits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where Status == \\\"Closed\\\"\\n| summarize kwSum=count(TenantId)\\n\\n\\n\\n\",\"size\":0,\"title\":\"CLOSED\",\"noDataMessage\":\"No unauthorized devices making config changes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"kwSum\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"24\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where TimeGenerated > ago(1d)\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| distinct 
IncidentNumber\\n| summarize count()\\n\\n\\n\\n\\n\",\"size\":0,\"title\":\"NEW TODAY\",\"noDataMessage\":\"No unauthorized devices making config changes\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"24\",\"name\":\"query - 10\"}]},\"customWidth\":\"50\",\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber\\r\\n| where Status == \\\"Closed\\\"\\r\\n| extend TimeToRespond = (CreatedTime - FirstActivityTime)/1d \\r\\n| extend TimeToResolve = (ClosedTime - CreatedTime)/1d\\r\\n| extend AssignedAnalyst = tostring(Owner.assignedTo)\\r\\n| extend [\\\"MITRE ATT&CK Tactics\\\"] = tostring(parse_json(tostring(AdditionalData.tactics))[0])\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, ClosedTime desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, [\\\"MITRE ATT&CK Tactics\\\"], AssignedAnalyst, Classification, ClassificationComment, ClassificationReason, Description, TimeToRespond, TimeToResolve, IncidentStartTime=CreatedTime, IncidentClosedTime=ClosedTime, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Closure Reports\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"TimeToRespond\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"TimeToResolve\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIRL2361Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IR.L2-3.6.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Incident Reporting (IR.L2-3.6.2) \\r\\n\\r\\nTrack, document, and report incidents to designated officials and/or authorities both internal and external to the organization.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 
🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Severity\\r\\n| render areachart \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n 
{\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIRL2362Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IR.L2-3.6.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Incident Response Testing (IR.L2-3.6.3) \\r\\n\\r\\nTest the organizational incident response capability.\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Learning with the Microsoft Sentinel Training Lab](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/learning-with-the-microsoft-sentinel-training-lab/ba-p/2953403)
\\r\\n💡 [Microsoft Sentinel - SOC Process Framework Workbook](https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-soc-process-framework-workbook/ba-p/2339315)
\\r\\n💡 [Sentinel ATT&CK](https://github.com/BlueTeamLabs/sentinel-attack)
\\r\\n💡 [SimuLand: Understand adversary tradecraft and improve detection strategies](https://www.microsoft.com/security/blog/2021/05/20/simuland-understand-adversary-tradecraft-and-improve-detection-strategies/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"test\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Test\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"nam
e\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIRL2363Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IR.L2-3.6.3\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIRVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Incident Response Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Maintenance](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\nMaintenance includes processes such as system updates, patching, and configuration changes which are required for the overall functionality of the information system. \"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Perform Maintenance (MA.L2-3.7.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MAL2371.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Maintenance Control (MA.L2-3.7.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MAL2372.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Equipment Sanitization (MA.L2-3.7.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MAL2373.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Inspection (MA.L2-3.7.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MAL2374.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Nonlocal Maintenance (MA.L2-3.7.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MAL2375.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Maintenance Personnel (MA.L2-3.7.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MAL2376.\\\\\\\" 
}\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMAL2371Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MAL2371.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMAL2372Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MAL2372.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"5855b78f-147b-4bb6-9a86-4776ceabcd30\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMAL2373Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MAL2373.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"043a4584
-dcf6-49b7-98a7-7bc4a279fa17\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMAL2374Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MAL2374.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4398eb19-df64-4d8e-b839-c8f215a38a72\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMAL2375Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MAL2375.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"8cef5081-ba3a-4fd7-a6c8-2db221eb7287\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMAL2376Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MAL2376.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"abcb0f11-bfa3-47e4-aaf5-f4b0487f632b\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Perform Maintenance (MA.L2-3.7.1) \\r\\n\\r\\nPerform maintenance on organizational 
systems.\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Handling Planned Maintenance Notifications Using the Azure Portal](https://docs.microsoft.com/azure/virtual-machines/maintenance-notifications-portal)
\\r\\n💡 [Managing Platform Updates with Maintenance Control](https://docs.microsoft.com/azure/virtual-machines/maintenance-control)
\\r\\n💡 [Scheduling Maintenance Updates with Maintenance Control and Azure Functions](https://github.com/Azure/azure-docs-powershell-samples/tree/master/maintenance-auto-scheduler)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"update\\\" or RecommendationName contains \\\"upgrade\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMAL2371Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MA.L2-3.7.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# System Maintenance Control (MA.L2-3.7.2)\\r\\n\\r\\nProvide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Privileged Access Workstations](https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"identity\\\" or type contains \\\"networksecuritygroups\\\" or type contains \\\"bastion\\\" or type contains \\\"lock\\\" or type contains \\\"endpoint\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Control Maintenance Activities via Security Controls (Identity, Network, Endpoint)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMAL2372Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MA.L2-3.7.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Equipment Sanitization (MA.L2-3.7.3) \\r\\n\\r\\nEnsure equipment removed for off-site maintenance is sanitized of any CUI. \\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Data destruction in Microsoft 365](https://docs.microsoft.com/compliance/assurance/assurance-data-destruction)
\\r\\n💡 [Azure customer data protection](https://docs.microsoft.com/azure/security/fundamentals/protection-customer-data)
\\r\\n💡 [Configure encryption with customer-managed keys stored in Azure Key Vault](https://docs.microsoft.com/azure/storage/common/customer-managed-keys-configure-key-vault)
\\r\\n💡 [NIST SP 800-88: Guidelines for Media Sanitization](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Leverage Key Vaults for Cryptographic Erasure\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of 
Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMAL2373Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MA.L2-3.7.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Media Inspection (MA.L2-3.7.4) \\r\\n\\r\\nCheck media containing diagnostic and test programs for malicious code before the media are used in organizational systems. \\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Use Microsoft Endpoint Configuration Manager to Run a Scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus#use-microsoft-endpoint-configuration-manager-to-run-a-scan)
\\r\\n💡 [Custom Scan a USB Drive](https://learn.microsoft.com/en-gb/defender-endpoint/run-scan-microsoft-defender-antivirus)
\\r\\n💡 [Configure Microsoft Defender Antivirus scanning options](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"usb\\\" or Title contains \\\"drive\\\" or Title contains \\\"media\\\" or Title contains \\\"removable\\\" or Title contains \\\"tool\\\" or Title contains \\\"ware\\\" or Title contains \\\"software\\\" or Title contains \\\"virus\\\" or Title contains \\\"trojan\\\" or Title contains \\\"c2\\\" or Title contains \\\"beacon\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Media Inspection\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"nam
e\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMAL2374Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MA.L2-3.7.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Nonlocal Maintenance (MA.L2-3.7.5)\\r\\n\\r\\nRequire multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MFAFailures = SigninLogs\\r\\n| where AuthenticationRequirement == \\\"multiFactorAuthentication\\\"\\r\\n| where ResultType <> 0\\r\\n| extend FailureReason = tostring(Status.failureReason)\\r\\n| where FailureReason contains \\\"User did not pass the MFA\\\"\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| summarize count() by UserPrincipalName, UserId, UserProfile\\r\\n| extend FailedMFACount=count_;\\r\\nlet LastObserved = SigninLogs\\r\\n| where ResultType <> 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend Country = tostring(LocationDetails.countryOrRegion)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| project UserPrincipalName, LastFailedSignIn=TimeGenerated, City, State, Country;\\r\\nSigninLogs\\r\\n| where AuthenticationRequirement == \\\"multiFactorAuthentication\\\"\\r\\n| where ResultType <> 0\\r\\n| extend FailureReason = tostring(Status.failureReason)\\r\\n| where FailureReason contains \\\"User did not pass the MFA\\\"\\r\\n| join kind=inner (LastObserved) on UserPrincipalName\\r\\n| join kind=inner (MFAFailures) on UserPrincipalName\\r\\n| join kind=inner (IdentityInfo| extend AssignedRoles = strcat(AssignedRoles)| extend UserPrincipalName=AccountUPN| where AssignedRoles contains \\\"admin\\\" or AssignedRoles contains \\\"owner\\\"| project UserPrincipalName, AssignedRoles) on UserPrincipalName\\r\\n| distinct UserPrincipalName, UserProfile, FailedMFACount, LastFailedSignIn, AssignedRoles, City, State, Country, UserId\\r\\n| join (SigninLogs | where 
AuthenticationRequirement == \\\"multiFactorAuthentication\\\"| where ResultType <> 0| extend FailureReason = tostring(Status.failureReason)| where FailureReason contains \\\"User did not pass the MFA\\\"| make-series Trend = dcount(FailureReason) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by UserPrincipalName) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, FailedMFACount, Trend, LastFailedSignIn, AssignedRoles, City, State, Country, UserId\\r\\n| sort by FailedMFACount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Admin MFA Failures by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile 
>>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"FailedMFACount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"City\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Country\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation 
Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMAL2375Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MA.L2-3.7.5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Maintenance Personnel (MA.L2-3.7.6)\\r\\n\\r\\nSupervise the maintenance activities of maintenance personnel without required access authorization.\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Customer Lockbox](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview) 🔀[Customer Lockbox](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| distinct OperationName, Identity, AADOperationType, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| project OperationName, AADOperationType, Identity, TimeGenerated\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Implement/Monitor Privileged Identity Management for Maintenance\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Identity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMAL2376Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MA.L2-3.7.6\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: 
Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Maintenance\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Media Protection](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\nMedia protection includes physical, logical, and administrative controls over sensitive data.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Disposal (MP.L1-3.8.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL1383.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 1: Foundational\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL1383Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL1383.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Media Disposal (MP.L1-3.8.3) \\r\\n\\r\\nSanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [DeviceEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceevents) 🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n🔷 [InformationProtectionEvents](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Data destruction in Microsoft 365](https://docs.microsoft.com/compliance/assurance/assurance-data-destruction)
\\r\\n💡 [NIST SP 800-88: Guidelines for Media Sanitization](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf)
\\r\\n💡 [Purge Process](https://docs.microsoft.com/azure/data-explorer/kusto/concepts/data-purge#purge-process)
\\r\\n💡 [Configure encryption with customer-managed keys stored in Azure Key Vault](https://docs.microsoft.com/azure/storage/common/customer-managed-keys-configure-key-vault)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionEvents\\r\\n| project DLPEventTime=Time, User, File=ItemName\\r\\n| join kind=inner (\\r\\n DeviceEvents\\r\\n | where ActionType == \\\"UsbDriveMounted\\\"\\r\\n | extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)\\r\\n | join kind=inner (DeviceFileEvents\\r\\n | project TimeGenerated, ActionType, FileName, FolderPath, DeviceId, DeviceName\\r\\n | extend FileCopyTime = TimeGenerated\\r\\n | where ActionType == \\\"FileCreated\\\"\\r\\n | extend FileCopyName = FileName\\r\\n | parse FolderPath with DriveLetter '\\\\\\\\' *\\r\\n | extend DriveLetter = tostring(DriveLetter)\\r\\n )\\r\\n on DeviceId, DriveLetter) \\r\\n on $left.File == $right.FileCopyName\\r\\n| project DLPEventTime, FileCopyTime, File, DeviceName, AccountName\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor/Sanitize Media Containing Sensitive Data (Sensitive Data Added to External Media)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation 
Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Leverage Key Vaults for Cryptographic Erasure\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL1383Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L1-3.8.3\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 1: Foundational\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Protection (MP.L2-3.8.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2381.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Access (MP.L2-3.8.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2382.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Markings (MP.L2-3.8.4) \\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2384.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Accountability (MP.L2-3.8.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2385.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: 
Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL2381Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2381.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL2382Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2382.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4c991fcc-ad60-4a85-8a81-8a1eca81b84f\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL2384Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2384.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"382d8b6b-1535-4cd8-9bdb-15f36c4da757\"},{\"version\":\"KqlParamete
rItem/1.0\",\"name\":\"isMPL2385Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2385.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"75d66cd9-912d-461f-af51-d4d4cd613e66\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Portable Storage Encryption (MP.L2-3.8.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2386.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Removable Storage Encryption (MP.L2-3.8.7)\\\\\\\" , \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2387.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Shared Media (MP.L2-3.8.8)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2388.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Protect Backups (MP.L2-3.8.9)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MPL2389.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"82671455-a6cd-456f-920d-60907f37b25a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL2386Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2386.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"2dfdf645-b545-4f9f-a669-ef11d46eb8d5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL2387Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2387.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"0078f793-27e8-4ff8-af11-81da3138422e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL2388Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2388.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"4a59d8b9-e013-4034-a92b-49f9ea316b67\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPL2389Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MPL2389.
\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Media Protection (MP.L2-3.8.1) \\r\\n\\r\\nProtect (i.e., physically control and securely store) system media containing CUI, both paper and digital. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [InformationProtectionEvents](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Physical Security](https://docs.microsoft.com/azure/security/fundamentals/physical-security)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionEvents\\r\\n| where LabelName <> \\\"\\\"\\r\\n| extend AIP = strcat(\\\"https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/ActivityLogsBlade\\\")\\r\\n| summarize count() by LabelName, AIP, User, ItemName, ItemPath\\r\\n| sort by count_ desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Inventory / Secure Sensitive Data\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AIP\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection >>\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2381Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Media Access (MP.L2-3.8.2)\\r\\n\\r\\nLimit access to CUI on system media to authorized users.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Storage Accounts](https://azure.microsoft.com/product-categories/storage/) 🔀[Storage accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"access\\\" or Title contains \\\"data\\\" or Title contains \\\"loss\\\" or Title contains \\\"exfil\\\" or Title contains \\\"USB\\\" or Title contains \\\"drive\\\" or Title contains \\\"storage\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Access\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"nam
e\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2382Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Media Markings (MP.L2-3.8.4)\\r\\n\\r\\nMark media with necessary CUI markings and distribution limitations.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [InformationProtectionEvents](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionEvents\\r\\n| where LabelName <> \\\"\\\"\\r\\n| extend AIP = strcat(\\\"https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/ActivityLogsBlade\\\")\\r\\n| summarize count() by LabelName, AIP\\r\\n| sort by count_ desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitive Data Labels in Use\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AIP\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection 
>>\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"chartSettings\":{\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2384Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Media Accountability (MP.L2-3.8.5) \\r\\n\\r\\nControl access to media containing CUI and maintain accountability for media during transport outside of controlled areas. 
\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"521d368e-c46e-41b5-bea0-fd07dc96b511\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Review Azure Information Protection Logs\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}}]},\"customWidth\":\"50\",\"name\":\"links - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation 
Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2385Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Portable Storage Encryption (MP.L2-3.8.6)\\r\\n\\r\\nImplement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"crypt\\\" or RecommendationName contains \\\"transit\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2386Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Removable Media (MP.L2-3.8.7) \\r\\n\\r\\nControl the use of removable media on system components.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [DeviceEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceevents) 🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" DeviceEvents\\r\\n | where ActionType == \\\"UsbDriveMounted\\\"\\r\\n | extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)\\r\\n | join kind=inner (DeviceFileEvents\\r\\n | project TimeGenerated, ActionType, FileName, FolderPath, DeviceId, DeviceName\\r\\n | extend FileCopyTime = TimeGenerated\\r\\n | where ActionType == \\\"FileCreated\\\"\\r\\n | extend FileCopyName = FileName\\r\\n | parse FolderPath with DriveLetter '\\\\\\\\' *\\r\\n | extend DriveLetter = tostring(DriveLetter)\\r\\n )\\r\\n on DeviceId, DriveLetter\\r\\n| project FileName, DeviceName, AccountName, TimeGenerated\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor/Control Removeable Media Usage\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2387Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Shared Media (MP.L2-3.8.8) \\r\\n\\r\\nProhibit the use of 
portable storage devices when such devices have no identifiable owner.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n\\r\\n## Implementation Guidance\\r\\n💡 [Microsoft Defender for Endpoint Device Control Device Installation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/mde-device-control-device-installation#allow-or-block-removable-devices)
\\r\\n💡 [Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":1,\"content\":{\"json\":\"### [Prohibit Rogue USB Devices >>](https://endpoint.microsoft.com/#blade/Microsoft_Intune_Workflows/SecurityManagementMenu/asr)\\r\\n![Image Name](https://docs.microsoft.com/windows/security/threat-protection/device-control/images/baselines.png  \\\"Rogue USB\\\") 
\\r\\n\"},\"customWidth\":\"45\",\"name\":\"text - 1\",\"styleSettings\":{\"maxWidth\":\"45\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2388Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Protect Backups (MP.L2-3.8.9) \\r\\n\\r\\nProtect the confidentiality of backup CUI at storage locations. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"back\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPL2389Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP.L2-3.8.9\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMPVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Media Protection\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Personnel Security](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\nPersonnel Security is focused on controlling human access to systems, networks, and assets. Personnel Security includes considerations for screening individuals with access to Controlled Unclassified Information (CUI) and protection of such data after personnel actions such as terminations or transfers. \"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Screen Individuals (PS.L2-3.9.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PSL2391.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Personnel Actions (PS.L2-3.9.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PSL2391.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPSL2391Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"PSL2391.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Screen Individuals (PS.L2-3.9.1) \\r\\n\\r\\nScreen individuals prior to authorizing access to organizational systems containing CUI.\\r\\n\\r\\n# Personnel Actions (PS.L2-3.9.2) \\r\\n\\r\\nEnsure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.\\r\\n\\r\\n## Implementation Statement\\r\\nPersonnel security screening (vetting) activities involve the evaluation/assessment of individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. 
The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.\\r\\nYou can ensure all employees who need access to CUI undergo organization-defined screening before being granted access based on the types of screening requirements for a given position and role. Clearly define positions and roles within your organization. Implement roles using 💡 [Azure RBAC](https://docs.microsoft.com/azure/role-based-access-control) and 💡 [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview). For example, administrators with access to CUI and specific roles with permissions to view CUI should follow an organizationally defined screening process. \\r\\n\\r\\n## Customer Responsibility\\r\\n Screening individuals prior to authorizing access to customer-deployed resources.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft 365 Compliance: Insider Risk Management](https://www.microsoft.com/microsoft-365/business/compliance-solutions) 🔀[Insider Risk Management](https://compliance.microsoft.com/insiderriskmgmt?viewid=overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft 365 Compliance: Insider Risk Management](https://www.microsoft.com/microsoft-365/business/compliance-solutions)
\\r\\n\\r\\n## Recommended Configurations\\r\\n💡 [Insider Risk Management: Setup a Connector to import HR Data & Track Last Working Dates](https://docs.microsoft.com/microsoft-365/compliance/import-hr-data)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV1\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"5\",\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Role Based Access Control](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) / [Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)\\r\\n![Image Name](https://azurecomcdn.azureedge.net/cvt-f83fd647d6f366492554e3c84c6972956ea0fa343f1f12abc9590dd97f777e9e/images/page/overview/trusted-cloud/index/ill-1.png) \\r\\n\\r\\n\\r\\n\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProductName == \\\"Microsoft 365 Insider Risk Management\\\"\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\\r\\n| extend UserPrincipalName = UPN\\r\\n| distinct AlertName, ProductName, Status, AlertLink, UserPrincipalName, Tactics, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Enable the HR 
Connector & Monitor Microsoft 365: Insider Risk Management Alert Details\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"name\":\"query - 2\"}]},\"customWidth\":\"40\",\"name\":\"OV\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPSL2391Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"PS.L2-3.9.1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Personnel 
Security\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Physical Protection](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\nPhysical Protections are focused on protecting direct access to systems, networks, and assets. Physical protection includes considerations for limiting physical access, escorting visitors, maintaining visit audit logs, monitoring infrastructure, and protecting Controlled Unclassified Information (CUI).\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Limit Physical Access (PE.L1-3.10.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PEL13101.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Escort Visitors (PE.L1-3.10.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PEL13101.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Physical Access Logs (PE.L1-3.10.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PEL13101.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Manage Physical Access (PE.L1-3.10.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PEL13101.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 1: Foundational\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPEL13101Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"PEL13101.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Limit Physical Access (PE.L1-3.10.1)
\\r\\nLimit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. \\r\\n# Escort Visitors (PE.L1-3.10.3)
\\r\\nEscort visitors and monitor visitor activity. \\r\\n# Physical Access Logs (PE.L1-3.10.4)
\\r\\nMaintain audit logs of physical access.\\r\\n# Manage Physical Access (PE.L1-3.10.5)
\\r\\nControl and manage physical access devices. \\r\\n## Recommended References\\r\\n💡 [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
\\r\\n💡 [Datacenter physical access security](https://docs.microsoft.com/compliance/assurance/assurance-datacenter-physical-access-security)
\\r\\n💡 [Azure Facilities, Premises, and Physical Security](https://docs.microsoft.com/azure/security/fundamentals/physical-security)
\\r\\n💡 [Management and Operation of the Azure Production Network](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-operations)
\\r\\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"45\",\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"5\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"## [Azure Datacenters: Physical Security](https://docs.microsoft.com/azure/security/fundamentals/physical-security) \\r\\n\"},\"customWidth\":\"45\",\"name\":\"text - 2\",\"styleSettings\":{\"maxWidth\":\"45\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation 
Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPEL13101Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"PE.L1-3.10.1-PE.L1-3.10.5\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 1: Foundational\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Monitor Facility (PE.L2-3.10.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PEL23102.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Alternate Work Sites (PE.L2-3.10.6) \\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"PEL23102.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPEL23102Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"PEL23102.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Monitor Facility (PE.L2-3.10.2) \\r\\nProtect and monitor the physical facility and support infrastructure for organizational systems.\\r\\n\\r\\n# Alternate Work Sites (PE.L2-3.10.6) \\r\\n\\r\\nEnforce safeguarding measures for CUI at alternate work sites.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Azure Global Infrastructure](https://azure.microsoft.com/global-infrastructure/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Named Locations](https://docs.microsoft.com/azure/active-directory/conditional-access/location-condition) 🔀[Azure AD Named Locations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/NamedNetworksWithCountryBlade)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n## Recommended References\\r\\n💡 [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
\\r\\n💡 [Datacenter physical access security](https://docs.microsoft.com/compliance/assurance/assurance-datacenter-physical-access-security)
\\r\\n💡 [Azure Facilities, Premises, and Physical Security](https://docs.microsoft.com/azure/security/fundamentals/physical-security)
\\r\\n💡 [Management and Operation of the Azure Production Network](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-operations)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| extend UserPrincipalName = UserId_s\\r\\n| where LabelName_s <> \\\"\\\"\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Geolocation of Sensitive Data Access\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activity_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"City\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Country_Region\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]
}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"orange\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPEL23102Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"PE.L2-3.10.2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPEVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Physical Protection\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Risk Assessment](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\nRisk Assessment ensures a consistent approach to the identification, mitigation, and response to security risks.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Risk Assessments (RA.L2-3.11.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RAL23111.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Vulnerability Scan (RA.L2-3.11.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RAL23112.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Vulnerability Remediation (RA.L2-3.11.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RAL23113.\\\\\\\" 
}\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRAL23111Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RAL23111.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRAL23112Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RAL23112.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"80e03675-0c89-4b00-9429-5bbdddcc99be\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRAL23113Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RAL23113.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a8
b29546-b1b5-4787-bc4c-16c98e5b8424\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Risk Assessments (RA.L2-3.11.1)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#periodically-assess-the-risk-to-organizational-operations-including-mission-functions-image-or-reputation-organizational-assets-and-individuals-resulting-from-the-operation-of-organizational-systems-and-the-associated-processing-storage-or-transmission-of-cui)\\r\\n\\r\\nPeriodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n💡[Secure Score: Microsoft Defender for Cloud](https://docs.microsoft.com/azure/defender-for-cloud/secure-score-security-controls)
\\r\\n💡[Microsoft Secure Score: Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/microsoft-secure-score)
\\r\\n💡[Identity Secure Score: Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/identity-secure-score)
\\r\\n💡[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| make-series count() default=0 on DiscoveredTimeUTC from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationSeverity\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Defender for Cloud: Recommendations over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Medium\",\"color\":\"yellow\"},{\"seriesName\":\"High\",\"color\":\"redBright\"},{\"seriesName\":\"Low\",\"color\":\"blueDark\"}]}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": 
\\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRAL23111Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RA.L2-3.11.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Vulnerability Scan (RA.L2-3.11.2)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#scan-for-vulnerabilities-in-organizational-systems-and-applications-periodically-and-when-new-vulnerabilities-affecting-those-systems-and-applications-are-identified)\\r\\n\\r\\nScan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n✳️ [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) 🔀[DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityNestedRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitynestedrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n| where type == \\\"microsoft.security/assessments/subassessments\\\"\\r\\n| extend assessmentKey = extract(\\\".*assessments/(.+?)/.*\\\",1, id)\\r\\n| where assessmentKey == \\\"1195afff-c881-495e-9bc5-1486211ae03f\\\"\\r\\n | project Resource = tolower(extract(\\\"([\\\\\\\\s\\\\\\\\S]*?)(/providers/Microsoft.Security.*)\\\",1,id)), ResourceGroup = trim_end(\\\"/\\\",extract(\\\".*resourceGroups/(.+?)/\\\",0,id)), ResourceType = tolower(split(id,\\\"/\\\").[6]), subscriptionId, severity = tostring(parse_json(properties).status.severity), status = tostring(parse_json(properties).status.code), VulnId = tostring(parse_json(properties).id), description = tostring(parse_json(properties).displayName), patchable = parse_json(properties.additionalData).patchable, cve = parse_json(properties.additionalData).cve\\r\\n | where status == 'Unhealthy'\\r\\n | summarize dcount(VulnId) by ResourceGroup, Resource, severity, VulnId, description, tostring(patchable), tostring(cve)\\r\\n | summarize Total = count(dcount_VulnId), sevH=countif(severity=='High'), sevM=countif(severity=='Medium'), sevL=countif(severity=='Low'), patchAvailable = countif(patchable=='true'), CVEcount =countif(cve!='[]') by ResourceGroup, Resource\\r\\n | order by sevH desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerability Scanning\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"exportFieldName\":\"Resource\",\"exportParameterName\":\"selectedServer\",\"exportDefaultValue\":\"All\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"$gen_group\",\"formatter\":13,\"formatOptions\":{\"linkColumn\":\"Resource\",\"linkTarget\":\"Resource\",\"showIcon\":true,\"customColumnWidthSetting\":\"30ch\"}},{\"columnMatch\":\"ResourceGroup\",\"formatter\":5},{\"columnMatch\":\"Resource\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"Total\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10ch\"}},{\"columnMatch\":\"sevH\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"12ch\"}},{\"columnMatch\":\"sevM\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\",\"customColumnWidthSetting\":\"13ch\"}},{\"columnMatch\":\"sevL\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blueDark\",\"customColumnWidthSetting\":\"10ch\"}},{\"columnMatch\":\"patchAvailable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"CVEcount\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"10ch\"}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ResourceGroup\"],\"expandTopLevel\":true,\"finalBy\":\"Resource\"},\"labelSettings\":[{\"columnId\":\"ResourceGroup\",\"label\":\"Resource 
group\"},{\"columnId\":\"sevH\",\"label\":\"High\"},{\"columnId\":\"sevM\",\"label\":\"Medium\"},{\"columnId\":\"sevL\",\"label\":\"Low\"},{\"columnId\":\"patchAvailable\",\"label\":\"Available patches\"},{\"columnId\":\"CVEcount\",\"label\":\"CVEs\"}]}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n| where type == \\\"microsoft.security/assessments/subassessments\\\"\\r\\n| extend assessmentKey = extract(\\\".*assessments/(.+?)/.*\\\",1, id)\\r\\n| where assessmentKey == \\\"1195afff-c881-495e-9bc5-1486211ae03f\\\"\\r\\n| project Resource = tolower(extract(\\\"([\\\\\\\\s\\\\\\\\S]*?)(/providers/Microsoft.Security.*)\\\",1,id)), ResourceGroup = trim_end(\\\"/\\\",extract(\\\".*resourceGroups/(.+?)/\\\",0,id)), ResourceType = tolower(split(id,\\\"/\\\").[6]), subscriptionId, Severity = tostring(parse_json(properties).status.severity), Status = tostring(parse_json(properties).status.code), VulnId = tostring(parse_json(properties).id), Description = tostring(parse_json(properties).displayName), Patchable = parse_json(properties.additionalData).patchable, CVE = properties.additionalData.cve, Category = tostring(properties.category), TimeGenerated = tostring(properties.timeGenerated), Remediation = tostring(properties.remediation), Impact = tostring(properties.impact), Threat = tostring(properties.additionalData.threat)\\r\\n| where Status == 'Unhealthy'\\r\\n| where '{selectedServer}' == 'All' or Resource == '{selectedServer}'\\r\\n| project Severity, VulnId, Description, tostring(Patchable), Category, Resource, ResourceGroup, CVE, TimeGenerated, Remediation, Impact, Threat\\r\\n| mv-expand CveExpand = split (CVE, \\\"},\\\") to typeof(string)\\r\\n| parse CveExpand with * '\\\"title\\\":\\\"' singleCve '\\\"' *\\r\\n| summarize CVEs = tostring(make_list(singleCve)) by Severity, VulnId, Description, tostring(Patchable), Category, Resource, ResourceGroup, TimeGenerated, Threat, 
Impact, Remediation\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerability Details >> Select Asset in Vulnerability Scanning Panel Above\",\"noDataMessage\":\"Select Asset in Vulnerability Scanning Panel Above\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{selectedServer}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":5},{\"columnMatch\":\"VulnId\",\"formatter\":5},{\"columnMatch\":\"Resource\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"Remediation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Severity\"],\"expandTopLevel\":true,\"finalBy\":\"VulnId\"},\"labelSettings\":[{\"columnId\":\"ResourceGroup\",\"label\":\"Resource group\"},{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"}]}},\"name\":\"query - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRAL23112Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RA.L2-3.11.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Vulnerability Remediation (RA.L2-3.11.3)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#remediate-vulnerabilities-in-accordance-with-risk-assessments)\\r\\n\\r\\nRemediate vulnerabilities in accordance with risk assessments.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"vuln\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRAL23113Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RA.L2-3.11.3\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRMVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Risk Assessment Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Assessment](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\nSecurity Assessment includes periodic evaluation of security controls for effectiveness.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Control Assessment (CA.L2-3.12.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CAL23121.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Plan of Action (CA.L2-3.12.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CAL23122.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Control Monitoring (CA.L2-3.12.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CAL23123.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Security Plan (CA.L2-3.12.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CAL23124.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCAL23121Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CAL23121.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCAL23122Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CAL23122.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"8c21e2d6-577c-431b-898e-31005bc5b3dd\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCAL23123Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CAL23123.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"09408af6-93db-4cfc-9896-27464b738854\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCAL23124Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CAL23124.\",\"resultValType\":\"static\",\"resultVal
\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c4bd4612-6a08-479b-82db-9afd61582581\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Control Assessment (CA.L2-3.12.1)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#periodically-assess-the-security-controls-in-organizational-systems-to-determine-if-the-controls-are-effective-in-their-application)\\r\\n\\r\\nPeriodically assess the security controls in organizational systems to determine if the controls are effective in their application. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) 🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SecurityProducts = datatable(ProviderName:string, Product:string, Portal:string)\\r\\n[\\r\\n \\\"ASI Scheduled Alerts\\\", \\\"Microsoft Sentinel\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"ASI NRT Alerts\\\", \\\"Microsoft Sentinel\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"MCAS\\\", \\\"Microsoft Defender for Cloud Apps\\\", \\\"https://seccxpninja.portal.cloudappsecurity.com/#/policy\\\",\\r\\n \\\"MDATP\\\", \\\"Microsoft Defender for Endpoint\\\", \\\"https://security.microsoft.com/alertpolicies\\\",\\r\\n \\\"Azure Security Center\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/7\\\",\\r\\n \\\"Detection-WarmPathV2\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/7\\\",\\r\\n \\\"MicrosoftThreatProtection\\\", \\\"Microsoft 365 Defender\\\", \\\"https://security.microsoft.com/alertpolicies\\\",\\r\\n \\\"IPC\\\", \\\"Azure Active Directory Identity Protection\\\", \\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/UsersAtRiskAlerts\\\",\\r\\n \\\"Detection-Fusion\\\", \\\"Microsoft Sentinel\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"Sentinel Fusion\\\", \\\"Microsoft Sentinel\\\", 
\\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"Azure Advanced Threat Protection\\\", \\\"Microsoft Defender for Identity\\\", \\\"https://security.microsoft.com/settings/identities\\\",\\r\\n \\\"Threat Intelligence Alerts\\\", \\\"Microsoft Sentinel\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"IoTSecurity\\\", \\\"Microsoft Defender for IoT\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Alerts\\\",\\r\\n \\\"MSTIC\\\", \\\"Microsoft Sentinel\\\", \\\"https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade\\\",\\r\\n \\\"AntimalwarePublisher\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/7\\\",\\r\\n \\\"OATP\\\", \\\"Microsoft Defender for Office 365\\\", \\\"https://security.microsoft.com/alertpolicies\\\",\\r\\n \\\"AdaptiveNetworkHardenings\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/f9f0eed0-f143-47bf-b856-671ea2eeed62\\\",\\r\\n \\\"StorageThreatDetection\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/7\\\",\\r\\n \\\"CloudNetworkSecurity\\\", \\\"Azure Network Security\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview\\\",\\r\\n \\\"SQLThreatDetection\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SqlVaServersRecommendationDetailsBlade/assessmentKey/82e20e14-edc5-4373-bfc4-f13121257c37\\\"\\r\\n];\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| where Status==\\\"Closed\\\"\\r\\n| mv-expand AlertIds\\r\\n| extend 
SystemAlertId=strcat(AlertIds)\\r\\n| join kind=inner (SecurityAlert | extend SystemAlertId=strcat(SystemAlertId)) on SystemAlertId\\r\\n| summarize\\r\\n TruePositive = countif(Classification == \\\"TruePositive\\\"),\\r\\n BenignPositive = countif(Classification == \\\"BenignPositive\\\"),\\r\\n FalsePositive = countif(Classification == \\\"FalsePositive\\\"),\\r\\n Undetermined = countif(Classification == \\\"Undetermined\\\"),\\r\\n Total = countif(Classification == \\\"TruePositive\\\" or Classification == \\\"BenignPositive\\\" or Classification == \\\"FalsePositive\\\") by AlertName, ProviderName1\\r\\n| extend EfficiencyRating = (TruePositive / todouble(Total)) * 100\\r\\n| join kind=leftouter(SecurityProducts) on $left.ProviderName1 == $right.ProviderName\\r\\n| project AlertName, EfficiencyRating, Portal, Product, Total, TruePositive, BenignPositive, FalsePositive, Undetermined\\r\\n| sort by EfficiencyRating, Total desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alert Efficiency\",\"noDataMessage\":\"No Alerts Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EfficiencyRating\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redGreen\"},\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":0}}},{\"columnMatch\":\"Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Tune Alert 
>>\"}},{\"columnMatch\":\"Product\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"TruePositive\",\"color\":\"green\"},{\"columnName\":\"BenignPositive\",\"color\":\"orange\"},{\"columnName\":\"FalsePositive\",\"color\":\"redBright\"}]}}}],\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Product\"],\"expandTopLevel\":true,\"finalBy\":\"AlertName\"},\"sortBy\":[{\"itemKey\":\"TruePositive\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TruePositive\",\"sortOrder\":2}]},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCAL23121Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CA.L2-3.12.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Plan of Action (CA.L2-3.12.2)\\r\\n\\r\\nDevelop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\\r\\n| summarize\\r\\n Failed = countif(RecommendationState == \\\"Unhealthy\\\"),\\r\\n Passed = countif(RecommendationState == \\\"Healthy\\\"),\\r\\n Total = countif(RecommendationState == \\\"Healthy\\\" or RecommendationState == \\\"Unhealthy\\\")\\r\\n by AssessedResourceId\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| project AssessedResourceId, Total, PassedControls, Passed, Failed\\r\\n| sort by Total, Failed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Develop Plan of Action via Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AssessedResourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCAL23122Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CA.L2-3.12.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Control Monitoring (CA.L2-3.12.3)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#monitor-security-controls-on-an-ongoing-basis-to-ensure-the-continued-effectiveness-of-the-controls)\\r\\n\\r\\nMonitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. \\r\\n## Secondary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SecurityProducts = datatable(ProviderName:string, Product:string)\\r\\n[\\r\\n \\\"ASI Scheduled Alerts\\\", \\\"Microsoft Sentinel\\\", \\r\\n \\\"ASI NRT Alerts\\\", \\\"Microsoft Sentinel\\\", \\r\\n \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\", \\r\\n \\\"MCAS\\\", \\\"Microsoft Defender for Cloud Apps\\\",\\r\\n \\\"MDATP\\\", \\\"Microsoft Defender for Endpoint\\\", \\r\\n \\\"Azure Security Center\\\", \\\"Microsoft Defender for Cloud\\\",\\r\\n \\\"Detection-WarmPathV2\\\", \\\"Microsoft Defender for Cloud\\\", \\r\\n \\\"MicrosoftThreatProtection\\\", \\\"Microsoft 365 Defender\\\",\\r\\n \\\"IPC\\\", \\\"Azure Active Directory Identity Protection\\\", \\r\\n \\\"Detection-Fusion\\\", \\\"Microsoft Sentinel\\\", \\r\\n \\\"Sentinel Fusion\\\", \\\"Microsoft Sentinel\\\", \\r\\n \\\"Azure Advanced Threat Protection\\\", \\\"Microsoft Defender for Identity\\\",\\r\\n \\\"Threat Intelligence Alerts\\\", \\\"Microsoft Sentinel\\\",\\r\\n \\\"IoTSecurity\\\", \\\"Microsoft Defender for IoT\\\", \\r\\n \\\"MSTIC\\\", \\\"Microsoft Sentinel\\\", \\r\\n \\\"AntimalwarePublisher\\\", \\\"Microsoft Defender for Cloud\\\",\\r\\n \\\"OATP\\\", \\\"Microsoft Defender for Office 365\\\", \\r\\n \\\"AdaptiveNetworkHardenings\\\", \\\"Microsoft Defender for Cloud\\\",\\r\\n \\\"StorageThreatDetection\\\", \\\"Microsoft Defender for Cloud\\\", \\r\\n \\\"CloudNetworkSecurity\\\", \\\"Azure Network Security\\\", \\r\\n \\\"SQLThreatDetection\\\", \\\"Microsoft Defender for Cloud\\\"\\r\\n];\\r\\nSecurityAlert\\r\\n| join kind=rightouter(SecurityProducts) on ProviderName\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Product\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Security Controls for Efficiency >> Spikes Indicate Areas 
for Investigation+Tuning\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50%\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isCAL23123Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CA.L2-3.12.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# System Security Plan (CA.L2-3.12.4) \\r\\n\\r\\nDevelop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. \\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Understanding Network Map](https://docs.microsoft.com/azure/security-center/security-center-network-recommendations#understanding-the-network-map)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where OperationName == \\\"NetworkSecurityGroupEvents\\\"\\r\\n| summarize count() by ruleName_s\\r\\n| project NetworkSecurityGroupRule=ruleName_s, FlowCount=count_\\r\\n| sort by FlowCount desc \",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Security Group Flow Counts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"NetworkSecurityGroupRule\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Lateral_Movement\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FlowCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isCAL23124Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CA.L2-3.12.4\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Security Assessment Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System & 
Communications Protection](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\nSystem & Communications Protection includes network security for administrative and management functions. The System & Communications Protection Control family includes 32 controls which varying application across the Cloud Service Provider (CSP) model including customer responsibility, service provider responsibility, and shared responsibility.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Boundary Protection (SC.L1-3.13.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL13131.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Public-Access System Separation (SC.L1-3.13.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL13135.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 1: Foundational\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL13131Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL13131.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL13135Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL13135.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"253f6dce-cdf2-4808-9298-bea80e2ca395\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Boundary Protection (SC.L1-3.13.1)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#monitor-control-and-protect-communications-ie-information-transmitted-or-received-by-organizational-systems-at-the-external-boundaries-and-key-internal-boundaries-of-organizational-systems)\\r\\n\\r\\nMonitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal 
boundaries of the information systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Load Balancer](https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/) 🔀[Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Customer Lockbox](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview) 🔀[Customer Lockbox](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://security.microsoft.com/settings/identities)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀[Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"network\\\" or RecommendationName contains \\\"transit\\\" or RecommendationName contains \\\"http\\\" or RecommendationName contains \\\"web\\\" or RecommendationName contains \\\"port\\\" or RecommendationName contains \\\"internet\\\" or RecommendationName contains \\\"comm\\\" or RecommendationName contains \\\"private\\\" or RecommendationName contains \\\"firewall\\\" \\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": 
\\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL13131Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L1-3.13.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Public-Access System Separation (SC.L1-3.13.5)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#implement-subnetworks-for-publicly-accessible-system-components-that-are-physically-or-logically-separated-from-internal-networks)\\r\\n\\r\\nImplement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Load Balancer](https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/) 🔀[Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"microsoft.network/\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Asset Listing\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL13135Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L1-3.13.5\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 1: Foundational\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Engineering (SC.L2-3.13.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL23132.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Role Separation (SC.L2-3.13.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL23133.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Shared Resource Control (SC.L2-3.13.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL23134.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Network Communication by Exception (SC.L2-3.13.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL23136.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Split Tunneling (SC.L2-3.13.7)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL23137.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": 
\\\\\\\"Data in Transit (SC.L2-3.13.8)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL23138.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Connections Termination (SC.L2-3.13.9)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL23139.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL23132Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL23132.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL23133Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL23133.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b6f0f37d-776f-42b2-9cf5-123545d93466\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL23134Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL2313
4.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"240acabd-8dd6-4d2e-a6f3-6158a4d6d315\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL23136Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL23136.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"847a2397-a439-4d5b-8e41-dcef62425b34\"},{\"id\":\"77f0cff6-267c-43d9-8dba-1f53dfe11937\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL23137Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL23137.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL23138Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL23138.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c7473fda-9fec-4cbd-b5ac-5ec94314abba\"},{\"id\":\"c0a05d48-e50d-4797-bdca-4c936c0ddf50\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL23139Visible\",\"type\":1,\"isHidd
enWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL23139.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Key Management (SC.L2-3.13.10)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL231310.\\\\\\\" },\\\\r\\\\n { \\\\\\\"Control\\\\\\\": \\\\\\\"CUI Encryption (SC.L2-3.13.11)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL231311.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Collaborative Device Control (SC.L2-3.13.12)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL231312.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Mobile Code (SC.L2-3.13.13)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL231313.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Voice Over Internet Protocol (SC.L2-3.13.14)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL231314.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Communications Authenticity (SC.L2-3.13.15)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL231315.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data at Rest (SC.L2-3.13.16)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SCL231316.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: 
Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"698a9809-ab71-4cdb-b1c3-94d517877b35\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL231310Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL231310.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL231311Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL231311.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a34361c8-9925-4870-97a7-88aa482a68f1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL231312Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL231312.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"88e70227-868b-4ed8-8a4f-4291ece1e2e8\"},{\"id\"
:\"c2ca0248-fbdc-423f-b426-e4ee0c0ec06b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL231313Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL231313.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"4f0a3a4d-c456-4b51-a546-285a15585053\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL231314Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL231314.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"5e809b7f-9a0c-4f39-bc79-0a71a2ccac8b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL231315Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL231315.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"8fc1e556-9d06-4c5b-9510-a99b3df07219\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCL231316Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SCL231316.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValTyp
e\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Engineering (SC.L2-3.13.2)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#employ-architectural-designs-software-development-techniques-and-systems-engineering-principles-that-promote-effective-information-security-within-organizational-systems)\\r\\n\\r\\nEmploy architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = 
properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, 
RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL23132Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Role Separation (SC.L2-3.13.3)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#separate-user-functionality-from-system-management-functionality)\\r\\n\\r\\nSeparate user functionality from system management functionality. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AADManagedIdentitySignInLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/aadmanagedidentitysigninlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AADManagedIdentitySignInLogs\\r\\n| summarize count() by ServicePrincipalName, ResourceDisplayName\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Active Directory: Managed Identities\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ServicePrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL23133Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Shared Resource Control (SC.L2-3.13.4)\\r\\n\\r\\nPrevent unauthorized and unintended information transfer via shared \\r\\nsystem resources.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Information 
Protection](https://azure.microsoft.com/services/information-protection/) 🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade) \\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Network Security Groups](https://azure.microsoft.com/services/virtual-network/) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/) 🔀[Web Application Firewall policies (WAF)](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Azure Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/security/business/microsoft-endpoint-manager) 🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"data\\\" or Title contains \\\"loss\\\" or Title contains \\\"shared\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Shared Data Loss Prevention\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL23134Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Network Communication by Exception (SC.L2-3.13.6)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#deny-network-communications-traffic-by-default-and-allow-network-communications-traffic-by-exception-ie-deny-all-permit-by-exception)\\r\\n\\r\\nDeny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall 
Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" \\\" TempDetails\\r\\n| parse TempDetails with \\\"was \\\" Action1 \\\". Reason: \\\" Rule1\\r\\n| parse TempDetails with \\\"to \\\" FQDN \\\":\\\" TargetPortInt:int \\\". Action: \\\" Action2 \\\".\\\" *\\r\\n| parse TempDetails with * \\\". Rule Collection: \\\" RuleCollection2a \\\". Rule:\\\" Rule2a\\r\\n| parse TempDetails with * \\\"Deny.\\\" RuleCollection2b \\\". 
Proceeding with\\\" Rule2b\\r\\n| extend SourcePort = tostring(SourcePortInt)\\r\\n| extend TargetPort = tostring(TargetPortInt)\\r\\n| extend Action1 = case(Action1 == \\\"Deny\\\",\\\"Deny\\\",\\\"Unknown Action\\\")\\r\\n| extend Action = case(Action2 == \\\"\\\",Action1,Action2),Rule = case(Rule2a == \\\"\\\", case(Rule1 == \\\"\\\",case(Rule2b == \\\"\\\",\\\"N/A\\\", Rule2b),Rule1),Rule2a), \\r\\nRuleCollection = case(RuleCollection2b == \\\"\\\",case(RuleCollection2a == \\\"\\\",\\\"No rule matched\\\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \\\"\\\", \\\"N/A\\\", FQDN),TargetPort = case(TargetPort == \\\"\\\", \\\"N/A\\\", TargetPort)\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Action\\r\\n| render timechart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: Action Count by Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL23136Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Split Tunneling (SC.L2-3.13.7)\\r\\n\\r\\nPrevent remote devices from simultaneously establishing non-remote \\r\\nconnections with organizational systems and communicating via some other \\r\\nconnection to resources in external networks (i.e., split tunneling).\\r\\n\\r\\n## Primary Services\\r\\n✳️ [VPN Gateway]( https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Azure ExpressRoute](https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [VPN Gateway]( https://azure.microsoft.com/services/vpn-gateway/)\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"privateendpoints\\\" or type contains \\\"privatedns\\\" or type contains \\\"express\\\" or type contains \\\"azurefirewall\\\" or type contains \\\"circuit\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Split Tunneling Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL23137Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data in Transit (SC.L2-3.13.8)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#implement-cryptographic-mechanisms-to-prevent-unauthorized-disclosure-of-cui-during-transmission-unless-otherwise-protected-by-alternative-physical-safeguards)\\r\\n\\r\\nImplement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n\\r\\n\\r\\n# Secondary Services\\r\\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Information Protection](https://www.microsoft.com/security/business/compliance/information-protection) 🔀[Microsoft Information Protection](https://compliance.microsoft.com/informationprotection)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"key\\\" or RecommendationName contains \\\"crypt\\\" or RecommendationName contains \\\"region\\\" or RecommendationName contains \\\"transit\\\" or RecommendationName contains \\\"http\\\" or RecommendationName contains \\\"tls\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL23138Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Connections Termination (SC.L2-3.13.9)\\r\\n\\r\\nTerminate network connections associated with communications sessions at \\r\\nthe end of the sessions or after a defined period of inactivity.\\r\\n\\r\\n# Secondary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [AADUserRiskEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/AADUserRiskEvents) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| summarize arg_max(TimeGenerated,*) by AccountUPN\\r\\n| join kind=inner(\\r\\nSigninLogs) on $left.AccountUPN==$right.UserPrincipalName\\r\\n| project SigninTime=TimeGenerated1, UserPrincipalName, AppDisplayName, ResultType, AssignedRoles, Location, UserAgent, AuthenticationRequirement, Country, City, CorrelationId\\r\\n| join kind=inner (\\r\\nAADUserRiskEvents) on CorrelationId\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId), AssignedRoles=strcat(AssignedRoles)\\r\\n| distinct UserPrincipalName, UserProfile, RiskState, RiskLevel, AppDisplayName, ResultType, DetectionTimingType, Location, AssignedRoles, UserAgent, AuthenticationRequirement, Country, City, SigninTime, UserId\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review/Terminate User Risk Event Sessions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"RiskLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AppDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense 
Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL23139Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Key Management (SC.L2-3.13.10)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#establish-and-manage-cryptographic-keys-for-cryptography-employed-in-organizational-systems)\\r\\n\\r\\nEstablish and manage cryptographic keys for cryptography employed in organizational systems. \\r\\n\\r\\n# Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\\r\\n\\r\\n# Secondary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"key\\\" or RecommendationName contains \\\"cert\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL231310Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.10\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [CUI Encryption (SC.L2-3.13.11)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#employ-fips-validated-cryptography-when-used-to-protect-the-confidentiality-of-cui)\\r\\n\\r\\nEmploy FIPS-validated cryptography when used to protect the confidentiality of CUI. \\r\\n\\r\\n## Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\\r\\n\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\" or type contains \\\"crypt\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Key Vault & Crytographic Assets Listing\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"ControlID\",\"formatter\":1},{\"columnMatch\":\"Recommendation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation 
>\"}},{\"columnMatch\":\"statusChangeDate\",\"formatter\":6},{\"columnMatch\":\"firstEvaluationDate\",\"formatter\":6}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"RecommendationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation 
Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL231311Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.11\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Collaborative Device Control (SC.L2-3.13.12)
\\r\\n\\r\\nProhibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Recommended Resources\\r\\n💡 [Group Policy](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings)
\\r\\n💡 [Intune/Microsoft Endpoint Manager policy](https://docs.microsoft.com/mem/intune/protect/windows-hello)
\\r\\n💡 [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise)
\\r\\n💡 [View Connected Devices](https://docs.microsoft.com/azure/active-directory/user-help/my-account-portal-devices-page#view-your-connected-devices)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Event](https://docs.microsoft.com/azure/azure-monitor/reference/tables/event) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n| where RenderedDescription contains \\\"Hello\\\"\\r\\n| summarize count() by _ResourceId, EventLevelName, RenderedDescription, EventID\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configure Windows Hello for Collaborative Computing Devices & Monitor Event Logs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n 
{\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL231312Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Mobile Code (SC.L2-3.13.13)\\r\\n\\r\\nControl and monitor the use of mobile code. \\r\\n\\r\\n# Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n# Secondary Services\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let M365Files = OfficeActivity\\r\\n| where SourceFileName contains \\\".vbx\\\" or SourceFileName contains \\\".js \\\" or SourceFileName contains \\\".dcr\\\" or SourceFileName contains \\\".fla\\\" or SourceFileName contains \\\".flv\\\" or SourceFileName contains \\\".swr\\\"\\r\\n| extend FileName=SourceFileName, FileLocations=OfficeObjectId\\r\\n| summarize count() by FileName, FileLocations;\\r\\nlet FilePathList = DeviceFileEvents\\r\\n//Update file types and mobile code indicators as required\\r\\n| where FileName contains \\\".vbx\\\" or FileName contains \\\".js \\\" or FileName contains \\\".dcr\\\" or FileName contains \\\".fla\\\" or FileName contains \\\".flv\\\" or FileName contains \\\".swr\\\"\\r\\n| extend FileLocations = strcat(\\\"DEVICENAME: \\\",DeviceName,\\\" \\\",\\\"ACCOUNT: \\\",InitiatingProcessAccountName,\\\" \\\",\\\"PATH: \\\",\\\" \\\",FolderPath)\\r\\n| summarize FileLocations = makelist(FileLocations) by FileName\\r\\n| extend FileLocations = tostring(FileLocations);\\r\\nDeviceFileEvents\\r\\n//Update file types and mobile code indicators as required\\r\\n| where FileName contains \\\".vbx\\\" or FileName contains \\\".js \\\" or FileName contains \\\".dcr\\\" or FileName contains \\\".fla\\\" or FileName contains \\\".flv\\\" or FileName contains \\\".swr\\\"\\r\\n| summarize count() by FileName\\r\\n| join (FilePathList) on FileName\\r\\n| project FileName, count_, FileLocations\\r\\n| union M365Files\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Control & Monitor the Use of Mobile Code\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"File\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"FileLocations\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Folder\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of 
Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL231313Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.13\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Voice Over Internet Protocol (SC.L2-3.13.14)\\r\\n\\r\\nControl and monitor the use of Voice over Internet Protocol (VoIP) technologies.\\r\\n\\r\\n# Secondary Services\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"OV\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where RecordType == \\\"MicrosoftTeams\\\"\\r\\n| summarize count() by RecordType, Operation, UserId\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Control & Monitor Microsoft Teams Activity\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecordType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Connect\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"RecommendationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 
2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL231314Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Communications Authenticity (SC.L2-3.13.15)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#protect-the-authenticity-of-communications-sessions)\\r\\n\\r\\nProtect the authenticity of communications sessions.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\\r\\n\\r\\n# Secondary Services\\r\\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"web\\\" or RecommendationName contains \\\"http\\\" or RecommendationName contains \\\"protocol\\\" or RecommendationName contains \\\"session\\\" or RecommendationName contains \\\"comm\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL231315Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.15\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data at Rest (SC.L2-3.13.16)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#protect-the-confidentiality-of-cui-at-rest)\\r\\n\\r\\nProtect the confidentiality of CUI at rest.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n# Secondary Services\\r\\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"stor\\\" or RecommendationName contains \\\"data\\\" or RecommendationName contains \\\"sql\\\" or RecommendationName contains \\\"crypt\\\" or RecommendationName contains \\\"rest\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCL231316Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC.L2-3.13.16\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"System & Communications Group\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System & Information Integrity](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\nSystem & Information Integrity includes controls to identify system flaws, combat malware, and identify anomalies.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Flaw Remediation (SI.L1-3.14.1)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SIL13141.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Malicious Code Protection (SI.L1-3.14.2)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SIL13142.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Update Malicious Code Protection (SI.L1-3.14.4)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SIL13144.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System & File Scanning (SI.L1-3.14.5)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SIL13145.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 1: 
Foundational\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIL13141Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SIL13141.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIL13142Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SIL13142.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"adf5b3f9-8e8d-4de1-b844-59433c7b4a56\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIL13144Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SIL13144.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d5518def-74aa-451d-b9b3-0e4f53faaf29\"},{\"version\":\"K
qlParameterItem/1.0\",\"name\":\"isSIL13145Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SIL13145.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"8956271d-e314-4936-8d67-a14a4bc8ee00\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Flaw Remediation (SI.L1-3.14.1)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#identify-report-and-correct-information-and-information-system-flaws-in-a-timely-manner)\\r\\n\\r\\nIdentify, report, and correct information and information system flaws in a timely manner\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"vuln\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIL13141Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI.L1-3.14.1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious Code Protection (SI.L1-3.14.2)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#provide-protection-from-malicious-code-at-appropriate-locations-within-organizational-information-systems)\\r\\n\\r\\nProvide protection from malicious code at appropriate locations within organizational information systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) 🔀[DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"malware\\\" or RecommendationName contains \\\"EDR\\\" or RecommendationName contains \\\"endpoint protect\\\" or RecommendationName contains \\\"virus\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIL13142Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI.L1-3.14.2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Update Malicious Code Protection (SI.L1-3.14.4)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#update-malicious-code-protection-mechanisms-when-new-releases-are-available)\\r\\n\\r\\nUpdate malicious code protection mechanisms when new releases are available.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"signature\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIL13144Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI.L1-3.14.4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System & File Scanning (SI.L1-3.14.5)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#perform-periodic-scans-of-the-information-system-and-real-time-scans-of-files-from-external-sources-as-files-are-downloaded-opened-or-executed)\\r\\n\\r\\nPerform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) 🔀[DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = 
properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 171 R2\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n| where RecommendationName contains \\\"defender\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Microsoft Defender for Cloud Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-171 R2 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIL13145Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI.L1-3.14.5\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 1: Foundational\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Alerts & Advisories (SI.L2-3.14.3)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SIL23143.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Monitor Communications for Attacks (SI.L2-3.14.6)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SIL23146.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Identify Unauthorized Use (SI.L2-3.14.7)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SIL23147.\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"title\":\"Level 2: Advanced\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIL23143Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SIL23143.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIL23146Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SIL23146.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b2d9f468-fd6e-4312-b3f6-1d3dfeb4340d\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIL23147Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SIL23147.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"1033883e-71d4-4e30-b176-955fe08a9783\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Security Alerts & Advisories (SI.L2-3.14.3)\\r\\n\\r\\nMonitor system security alerts and advisories and take action in response.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"logic\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Automated Security Response (SOAR) Actions Configured\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of 
Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIL23143Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI.L2-3.14.3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Monitor Communications for Attacks (SI.L2-3.14.6)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#monitor-organizational-systems-including-inbound-and-outbound-communications-traffic-to-detect-attacks-and-indicators-of-potential-attacks)\\r\\n\\r\\nMonitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) 🔀[DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://security.microsoft.com/settings/identities)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IncidentTrending = SecurityIncident \\r\\n| summarize arg_max(TimeGenerated,*) by IncidentNumber \\r\\n| extend IncidentType=Title\\r\\n| make-series Trend = dcount(IncidentNumber) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by IncidentType;\\r\\nSecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| summarize count() by IncidentType=Title, Severity\\r\\n| join kind=inner(IncidentTrending) on IncidentType\\r\\n| sort by count_ desc\\r\\n| project IncidentType, Severity, count_, Trend\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Trending\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These 
Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate 
Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIL23146Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI.L2-3.14.6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Identify Unauthorized Use (SI.L2-3.14.7)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#identify-unauthorized-use-of-organizational-systems)\\r\\n\\r\\nIdentify unauthorized use of organizational systems.\\r\\n\\r\\n## Primary Services\\r\\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n## Secondary Services\\r\\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [BehaviorAnalytics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/behavioranalytics) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n## Implementation Guidance\\r\\n[Microsoft Technical Reference Guide for CMMC 2.0](https://aka.ms/cmmc/techrefguide)\\r\\n\"},\"customWidth\":\"50\",\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AnomalousSigninActivity = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\\r\\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\\r\\n or ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\\r\\n | join (\\r\\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \\\"none\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, 
SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', '7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//witdstomstl\\r\\nlet AnomalousRoleAssignment = AuditLogs\\r\\n | where TimeGenerated > ago(28d)\\r\\n | where OperationName == \\\"Add member to role\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner (\\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Add member to role\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend AnomalyName = \\\"Anomalous Role Assignemt\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries 
may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let LogOns=materialize(\\r\\n BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\");\\r\\nlet AnomalousResourceAccess = LogOns\\r\\n | where ActionType == \\\"ResourceAccess\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous Resource Access\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. 
The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousRDPActivity = LogOns\\r\\n | where ActionType == \\\"RemoteInteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous RDP Activity\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. 
The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousLogintoDevices = LogOns\\r\\n | where ActionType == \\\"InteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\\r\\n | extend AnomalyName = \\\"Anomalous Login To Devices\\\",\\r\\n Tactic = \\\"Privilege Escalation\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousPasswordReset = BehaviorAnalytics\\r\\n | where ActionType == \\\"Reset user password\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == \\\"True\\\"\\r\\n | join (\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Reset user password\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Password Reset\\\",\\r\\n Tactic = \\\"Impact\\\",\\r\\n Technique = \\\"Account Access Removal\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\\r\\n | join (\\r\\n SigninLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Initial Access\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousFailedLogon = BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n | join (\\r\\n SigninLogs \\r\\n | where Status.errorCode == 50126\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Failed Logon\\\",\\r\\n Tactic = \\\"Credential Access\\\",\\r\\n Technique = \\\"Brute Force\\\",\\r\\n SubTechnique = \\\"Password Guessing\\\",\\r\\n Description = \\\"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousAADAccountManipulation = AuditLogs\\r\\n | where OperationName == \\\"Update user\\\"\\r\\n | mv-expand AdditionalDetails\\r\\n | where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner ( \\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Update user\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName) \\r\\n | extend AnomalyName = \\\"Anomalous Account Manipulation\\\",\\r\\n Tactic = 
\\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\\r\\n | where ActionType == \\\"Add user\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\\r\\n | join(\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Add user\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\\r\\n UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", 
tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Account Creation\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Create Account\\\",\\r\\n SubTechnique = \\\"Cloud Account\\\",\\r\\n Description = \\\"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\\\"\\t\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\\r\\nlet TopUsersByAnomalies = AnomalyTable\\r\\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\\r\\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\\r\\n | sort by AnomalyCount desc;\\r\\nlet TopUsersByIncidents = SecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | where Status == \\\"New\\\" or Status == \\\"Active\\\"\\r\\n | mv-expand AlertIds\\r\\n | extend 
AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | where UPN <> \\\"\\\"\\r\\n | where UPN <> \\\" @ \\\"\\r\\n | union TopUsersByAnomalies\\r\\n | extend \\r\\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\\r\\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\\r\\n UPNExists = iff(isempty(UPN), false, true),\\r\\n NameExists = iff(isempty(Name), false, true),\\r\\n SidExists = iff(isempty(Sid), false, true),\\r\\n AADExists = iff(isempty(AadUserId), false, true)\\r\\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), 
NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\\r\\n | project [\\\"UserName\\\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\\\"AadUserId\\\"]=AadAnchor, [\\\"OnPremSid\\\"]=SidAnchor, [\\\"UserPrincipalName\\\"]=UPNAnchor;\\r\\nTopUsersByIncidents\\r\\n| where UserPrincipalName !contains \\\"[\\\"\\r\\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\\r\\n| sort by IncidentCount desc\\r\\n| limit 50\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review User Entity Behavior Analytics for Unauthorized Activity\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"rowLimit\":50,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_heatmap_IncidentCount_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_IncidentCount_1\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Control Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Implementation Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of 
Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Implementation Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"## Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIL23147Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI.L2-3.14.7\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Level 2: Advanced\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSIVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"System & Information Integrity Group\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-CybersecurityMaturityModelCertification(CMMC)2.0\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -1097,7 +1095,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.1.0", + "version": "3.1.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "CybersecurityMaturityModelCertification(CMMC)2.0", diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/ReleaseNotes.md b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/ReleaseNotes.md index 066bae6ebc0..8b9f681a8f8 100644 --- a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/ReleaseNotes.md +++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/ReleaseNotes.md @@ -1,4 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|----------------------------------------------------------------| +| 3.1.1 | 13-01-2026 | Updated non-functional links from Workbook. | | 3.1.0 | 09-09-2025 | Removed the network map from the **Workbook** | | 3.0.0 | 29-01-2024 | Updated the solution to fix **Analytic Rules** deployment issue| \ No newline at end of file 
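Review bot: `UsersInsights.BlasrRadius == "High"` (misspelt) is used in the BehaviorAnalytics join of both the AnomalousRoleAssignment and the AnomalousAADAccountManipulation queries in this serialized workbook, while AnomalousFailedLogon uses the correct `UsersInsights.BlastRadius`; a property that does not exist never matches, so those two filters silently reduce to the `FirstTimeUserPerformedAction == true` branch and high blast radius users are not surfaced at all. Since the serializedData string is being regenerated in this hunk anyway, correct the spelling, and tidy the user-visible strings `"Anomalous Role Assignemt"`, "privilleged"/"priveleged"/"administator" and the stray `//witdstomstl` comment after the `high` role list. The boolean comparisons are also inconsistent (`ActivityInsights.FirstTimeUserPerformedAction == "True"` as a string in AnomalousPasswordReset versus `== true`/`== True` everywhere else); worth verifying that the string form actually matches a dynamic bool before relying on that branch.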
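Review bot: the new ReleaseNotes row does not follow the style of its siblings, which bold the component name and carry no trailing period; suggest `| 3.1.1 | 13-01-2026 | Updated non-functional links in the **Workbook** |` so the table reads consistently.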
diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/CybersecurityMaturityModelCertification_CMMCV2.json b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/CybersecurityMaturityModelCertification_CMMCV2.json index bc95b7987ea..8b5bdb61450 100644 --- a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/CybersecurityMaturityModelCertification_CMMCV2.json +++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/CybersecurityMaturityModelCertification_CMMCV2.json @@ -130,7 +130,7 @@ { "type": 1, "content": { - "json": "  Please take time to answer a quick survey,\r\n[ click here. ](https://forms.office.com/r/hK7zcBDNp8)" + "json": "  Please take time to answer a quick survey,\r\n[ click here. ](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5vpbw39GIlPr6oh7FnjxTFUOVhBOFowTFlaT1pOSTAxVDdRT1pIUDlINy4u)" }, "name": "Survey" }, diff --git a/Solutions/Network Threat Protection Essentials/Hunting Queries/UseragentExploitPentest.yaml b/Solutions/Network Threat Protection Essentials/Hunting Queries/UseragentExploitPentest.yaml index 02b23349409..923cc0d4374 100644 --- a/Solutions/Network Threat Protection Essentials/Hunting Queries/UseragentExploitPentest.yaml +++ b/Solutions/Network Threat Protection Essentials/Hunting Queries/UseragentExploitPentest.yaml 
@@ -1,13 +1,7 @@ id: df75ac6c-7b0b-40d2-82e4-191c012f1a07 name: Exploit and Pentest Framework User Agent description: | - 'This query detects suspicious user agent strings used by exploit and pen test frameworks.' -description-detailed: | - 'There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to - compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings - used by these frameworks in some of the data sources that contain UserAgent field. - This is based out of sigma rules described in references. - References: https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ua_frameworks.yml' + 'This query detects suspicious user agent strings used by exploit and pen test frameworks.There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. This is based out of sigma rules described in references. References: https://github.com/SigmaHQ/sigma/blob/master/rules/web/proxy_generic/proxy_ua_frameworks.yml' requiredDataConnectors: - connectorId: Office365 dataTypes: @@ -60,4 +54,4 @@ entityMappings: fieldMappings: - identifier: Address columnName: SourceIP -version: 1.0.2 +version: 1.0.3 diff --git a/Solutions/Network Threat Protection Essentials/Package/3.0.2.zip b/Solutions/Network Threat Protection Essentials/Package/3.0.2.zip new file mode 100644 index 00000000000..0b28191355d Binary files /dev/null and b/Solutions/Network Threat Protection Essentials/Package/3.0.2.zip differ diff --git a/Solutions/Network Threat Protection Essentials/Package/createUiDefinition.json b/Solutions/Network Threat Protection Essentials/Package/createUiDefinition.json index 94d6165ed24..bcd85644f59 100644 
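Review bot: the merged description is missing a space after the first sentence ("frameworks.There are several"), and collapsing the former `description-detailed` block onto one line buries the Sigma reference URL mid-sentence. Since `description: |` is a block scalar that preserves line breaks, suggest keeping "References: https://github.com/SigmaHQ/sigma/blob/master/rules/web/proxy_generic/proxy_ua_frameworks.yml" on its own line and writing "frameworks. There are several ..." so the generated package text inherits the fix.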
--- a/Solutions/Network Threat Protection Essentials/Package/createUiDefinition.json +++ b/Solutions/Network Threat Protection Essentials/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Network%20Threat%20Protection%20Essentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe **Network Threat Protection Essentials** solution contain queries that identifies suspicious network behavior based on various data sources ingested in Sentinel. The solution contains queries to detect common network-based attacks - things like malicious user agents, mining pools, Base64 encoded IPv4 address in request URL etc. The solution will be constantly updated to add more detection/hunting query as well as other sentinel content.\r\n \r\n**Pre-requisites:**\r\n \r\nThis is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\r\n \r\n 1. Microsoft 365 \r\n \r\n 2. Amazon Web Services\r\n \r\n 3. Windows Server DNS\r\n \r\n 4. Azure Firewall \r\n \r\n 5. Windows Forwarded Events \r\n \r\n 6. ZScaler Internet Access \r\n \r\n 7. Palo Alto Networks \r\n \r\n 8. Fortinet FortiGate \r\n \r\n 9. 
Check Point \r\n \r\n**Keywords:** Malicious IP/User agent, DNS, TOR, mining\n\n**Analytic Rules:** 2, **Hunting Queries:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Network%20Threat%20Protection%20Essentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe **Network Threat Protection Essentials** solution contain queries that identifies suspicious network behavior based on various data sources ingested in Sentinel. The solution contains queries to detect common network-based attacks - things like malicious user agents, mining pools, Base64 encoded IPv4 address in request URL etc. The solution will be constantly updated to add more detection/hunting query as well as other sentinel content.\r\n \r\n**Pre-requisites:**\r\n \r\nThis is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\r\n \r\n 1. Microsoft 365 \r\n \r\n 2. Amazon Web Services \r\n \r\n 3. Windows Server DNS \r\n \r\n 4. Azure Firewall \r\n \r\n 5. Windows Forwarded Events \r\n \r\n 6. ZScaler Internet Access \r\n \r\n 7. Palo Alto Networks \r\n \r\n 8. Fortinet FortiGate \r\n \r\n 9. 
Check Point\r\n \r\n**Keywords:** Malicious IP/User agent, DNS, TOR, mining\n\n**Analytic Rules:** 2, **Hunting Queries:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -86,7 +86,7 @@ "name": "analytic1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Correlates blocked URLs hosting [malicious] executables with host endpoint data\nto identify potential instances of executables of the same name having been recently run." + "text": "Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run" } } ] 
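Review bot: the only functional change in the description hunk is trailing whitespace moving between the numbered connector items, but the touched line still carries grammar errors that a reviewer would fix while it is being edited: "The **Network Threat Protection Essentials** solution contain queries that identifies" should read "contains queries that identify", and "add more detection/hunting query" should read "queries". The counts ("**Analytic Rules:** 2, **Hunting Queries:** 3") do match the two analyticRuleObject and three huntingQuery entries in mainTemplate.json.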
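Review bot: the analytic1-text hunk drops the sentence-final period ("having been recently run") while the analytic2-text and huntingquery1-text blocks in the same file keep their punctuation; restore "recently run." for consistency.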
@@ -100,7 +100,7 @@ "name": "analytic2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\nextracts words from user agents to build the baseline and determine rareity rather than perform a\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\nThese new UserAgents could be benign. However, in normally stable environments,\nthese new UserAgents could provide a starting point for investigating malicious activity.\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\nusually stable with low numbers of detections." + "text": "Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\nThese new UserAgents could be benign. However, in normally stable environments, these new UserAgents could provide a starting point for investigating malicious activity.\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are usually stable with low numbers of detections." } } ] 
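Review bot: "rareity" survives the rewrite of analytic2-text; since the whole string is being replaced, correct it to "rarity" and consider spelling out "FPs" as "false positives" in an installer-facing description.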
@@ -138,7 +138,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query detects suspicious user agent strings used by exploit and pen test frameworks. This hunting query depends on Office365 AWS AzureMonitor(IIS) data connector (OfficeActivity AWSCloudTrail W3CIISLog Parser or Table)" + "text": "This query detects suspicious user agent strings used by exploit and pen test frameworks.There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. This is based out of sigma rules described in references. References: https://github.com/SigmaHQ/sigma/blob/master/rules/web/proxy_generic/proxy_ua_frameworks.yml This hunting query depends on Office365 AWS AzureMonitor(IIS) data connector (OfficeActivity AWSCloudTrail W3CIISLog Parser or Table)" } } ] diff --git a/Solutions/Network Threat Protection Essentials/Package/mainTemplate.json b/Solutions/Network Threat Protection Essentials/Package/mainTemplate.json index 42ea3859517..2a2a783e023 100644 --- a/Solutions/Network Threat Protection Essentials/Package/mainTemplate.json +++ b/Solutions/Network Threat Protection Essentials/Package/mainTemplate.json 
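Review bot: huntingquery1-text reproduces the "frameworks.There" missing-space defect from the hunting query YAML, which confirms this text is generated from the `description` field; fix it at the source in UseragentExploitPentest.yaml and regenerate the package rather than patching the createUiDefinition text by hand, otherwise the two will drift on the next packaging run.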
@@ -33,11 +33,11 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Network Threat Protection Essentials", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "azuresentinel.azure-sentinel-solution-networkthreatdetection", "_solutionId": "[variables('solutionId')]", "huntingQueryObject1": { - "huntingQueryVersion1": "1.0.2", + "huntingQueryVersion1": "1.0.3", "_huntingQuerycontentId1": "df75ac6c-7b0b-40d2-82e4-191c012f1a07", "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('df75ac6c-7b0b-40d2-82e4-191c012f1a07')))]" }, 
@@ -52,18 +52,18 @@ "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('c46eeb45-c324-4a84-9df1-248c6d1507bb')))]" }, "analyticRuleObject1": { - "analyticRuleVersion1": "1.1.5", + "analyticRuleVersion1": "1.1.6", "_analyticRulecontentId1": "01f64465-b1ef-41ea-a7f5-31553a11ad43", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '01f64465-b1ef-41ea-a7f5-31553a11ad43')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('01f64465-b1ef-41ea-a7f5-31553a11ad43')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','01f64465-b1ef-41ea-a7f5-31553a11ad43','-', '1.1.5')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','01f64465-b1ef-41ea-a7f5-31553a11ad43','-', '1.1.6')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.4", + "analyticRuleVersion2": "1.0.5", "_analyticRulecontentId2": "b725d62c-eb77-42ff-96f6-bdc6745fc6e0", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b725d62c-eb77-42ff-96f6-bdc6745fc6e0')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b725d62c-eb77-42ff-96f6-bdc6745fc6e0')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b725d62c-eb77-42ff-96f6-bdc6745fc6e0','-', '1.0.4')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b725d62c-eb77-42ff-96f6-bdc6745fc6e0','-', '1.0.5')))]" }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, @@ -77,7 +77,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UseragentExploitPentest_HuntingQueries Hunting Query with template version 3.0.1", + "description": "UseragentExploitPentest_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -98,7 +98,7 @@ "tags": [ { "name": "description", - "value": "This query detects suspicious user agent strings used by exploit and pen test frameworks." + "value": "This query detects suspicious user agent strings used by exploit and pen test frameworks.There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to compromise an environment and achieve their objective. The query tries to detect suspicious user agent strings used by these frameworks in some of the data sources that contain UserAgent field. This is based out of sigma rules described in references. References: https://github.com/SigmaHQ/sigma/blob/master/rules/web/proxy_generic/proxy_ua_frameworks.yml" }, { "name": "tactics", 
@@ -148,9 +148,9 @@ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "contentKind": "HuntingQuery", "displayName": "Exploit and Pentest Framework User Agent", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.2')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.2')))]", - "version": "1.0.2" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.3')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.3')))]", + "version": "1.0.3" } }, { @@ -162,7 +162,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "B64IPInURL_HuntingQueries Hunting Query with template version 3.0.1", + "description": "B64IPInURL_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", 
@@ -247,7 +247,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskyCommandB64EncodedInUrl_HuntingQueries Hunting Query with template version 3.0.1", + "description": "RiskyCommandB64EncodedInUrl_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -332,7 +332,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NetworkEndpointCorrelation_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "NetworkEndpointCorrelation_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -342,11 +342,11 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Correlates blocked URLs hosting [malicious] executables with host endpoint data\nto identify potential instances of executables of the same name having been recently run.", + "description": "Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run", "displayName": "Network endpoint to host executable correlation", "enabled": false, "query": "let endpointData = \n(union isfuzzy=true\n(SecurityEvent\n | where EventID == 4688\n | extend shortFileName = tolower(tostring(split(NewProcessName, '\\\\')[-1]))\n ),\n (WindowsEvent\n | where EventID == 4688\n | extend NewProcessName = tostring(EventData.NewProcessName)\n | extend shortFileName = tolower(tostring(split(NewProcessName, '\\\\')[-1]))\n | extend TargetUserName = tostring(EventData.TargetUserName)\n ));\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\nCommonSecurityLog\n| where DeviceVendor =~ \"Trend Micro\"\n| where Activity =~ \"Deny List updated\" \n| where RequestURL endswith \".exe\"\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\n| join kind=innerunique (endpointData) on $left.suspectExeName == $right.shortFileName \n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n", 
@@ -485,7 +485,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewUserAgentLast24h_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "NewUserAgentLast24h_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -495,11 +495,11 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\nextracts words from user agents to build the baseline and determine rareity rather than perform a\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\nThese new UserAgents could be benign. However, in normally stable environments,\nthese new UserAgents could provide a starting point for investigating malicious activity.\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\nusually stable with low numbers of detections.", + "description": "Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\nThese new UserAgents could be benign. 
However, in normally stable environments, these new UserAgents could provide a starting point for investigating malicious activity.\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are usually stable with low numbers of detections.", "displayName": "New UserAgent observed in last 24 hours", "enabled": false, "query": "let starttime = 14d;\nlet endtime = 1d;\nlet UserAgentAll =\n(union isfuzzy=true\n(OfficeActivity\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\n),\n(\nW3CIISLog\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(csUserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n),\n(\nAWSCloudTrail\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\n))\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\n| extend UserAgentNoHexAlphas = replace(\"([A-Fa-f]{4,})\", \"x\", UserAgent)\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\n| extend Tokens = extract_all(\"([A-Za-z]{4,})\", UserAgentNoHexAlphas)\n// concatenate extracted words to create a summarized user agent for baseline and comparison\n| extend NormalizedUserAgent = strcat_array(Tokens, \"|\")\n| project-away UserAgentNoHexAlphas, Tokens;\nUserAgentAll\n| where StartTime >= ago(endtime)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, 
csUriStem\n| join kind=leftanti\n(\nUserAgentAll\n| where StartTime < ago(endtime)\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\n)\non NormalizedUserAgent\n| extend timestamp = StartTime\n| extend Name = tostring(split(Account, '@', 0)[0]), UPNSuffix = tostring(split(Account, '@', 1)[0])\n", @@ -614,12 +614,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Network Threat Protection Essentials", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note:

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Network Threat Protection Essentials solution contain queries that identifies suspicious network behavior based on various data sources ingested in Sentinel. The solution contains queries to detect common network-based attacks - things like malicious user agents, mining pools, Base64 encoded IPv4 address in request URL etc. The solution will be constantly updated to add more detection/hunting query as well as other sentinel content.

\n

Pre-requisites:

\n

This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.

\n

1.Microsoft 365

\n

2.Amazon Web Services

\n

3.Windows Server DNS

\n

4.Azure Firewall

\n

5.Windows Forwarded Events

\n

6.ZScaler Internet Access

\n

7.Palo Alto Networks

\n

8.Fortinet FortiGate

\n

9.Check Point

\n

Keywords: Malicious IP/User agent, DNS, TOR, mining

\n

Analytic Rules: 2, Hunting Queries: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Network Threat Protection Essentials solution contain queries that identifies suspicious network behavior based on various data sources ingested in Sentinel. The solution contains queries to detect common network-based attacks - things like malicious user agents, mining pools, Base64 encoded IPv4 address in request URL etc. The solution will be constantly updated to add more detection/hunting query as well as other sentinel content.

\n

Pre-requisites:

\n

This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.

\n
    \n
  1. Microsoft 365

    \n
  2. \n
  3. Amazon Web Services

    \n
  4. \n
  5. Windows Server DNS

    \n
  6. \n
  7. Azure Firewall

    \n
  8. \n
  9. Windows Forwarded Events

    \n
  10. \n
  11. ZScaler Internet Access

    \n
  12. \n
  13. Palo Alto Networks

    \n
  14. \n
  15. Fortinet FortiGate

    \n
  16. \n
  17. Check Point

    \n
  18. \n
\n

Keywords: Malicious IP/User agent, DNS, TOR, mining

\n

Analytic Rules: 2, Hunting Queries: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -668,7 +668,7 @@ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, - { + { "kind": "Solution", "contentId": "azuresentinel.azure-sentinel-solution-office365" }, diff --git a/Solutions/Network Threat Protection Essentials/ReleaseNotes.md b/Solutions/Network Threat Protection Essentials/ReleaseNotes.md index c589bcfafe5..7ac1f2a36e3 100644 --- a/Solutions/Network Threat Protection Essentials/ReleaseNotes.md +++ b/Solutions/Network Threat Protection Essentials/ReleaseNotes.md @@ -1,4 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------------------| +| 3.0.2 | 13-01-2026 | Updated non-functional links from Exploit and Pentest Framework User Agent **Hunting query** | | 3.0.1 | 23-02-2024 | Tagged for dependent solutions for deployment | | 3.0.0 | 19-12-2023 | Corrected typo mistake *Microsoft Windows DNS* to *Windows Server DNS* | \ No newline at end of file diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/MFAFatigue.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/MFAFatigue.yaml index 6f82e31d2ac..2c17d10b6a0 100644 --- a/Solutions/Okta Single Sign-On/Analytic Rules/MFAFatigue.yaml +++ b/Solutions/Okta Single Sign-On/Analytic Rules/MFAFatigue.yaml 
@@ -2,7 +2,7 @@ id: c2697b81-7fe9-4f57-ba1d-de46c6f91f9c name: MFA Fatigue (OKTA) description: | 'MFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details thus compromising their own security. The query identifies MFA fatigue attempts in the Okta data. - Ref: https://sec.okta.com/everythingisyes.' + Ref: https://www.okta.com/blog/identity-security/mfa-fatigue-growing-security-concern/.' severity: Medium status: Available requiredDataConnectors: @@ -45,5 +45,5 @@ entityMappings: columnName: actor_alternateId_s - identifier: DisplayName columnName: actor_displayName_s -version: 1.1.1 +version: 1.1.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Okta Single Sign-On/Package/3.1.4.zip b/Solutions/Okta Single Sign-On/Package/3.1.4.zip new file mode 100644 index 00000000000..fd45954296c Binary files /dev/null and b/Solutions/Okta Single Sign-On/Package/3.1.4.zip differ diff --git a/Solutions/Okta Single Sign-On/Package/createUiDefinition.json b/Solutions/Okta Single Sign-On/Package/createUiDefinition.json index 230b5febcd2..bfbe92c4061 100644 --- a/Solutions/Okta Single Sign-On/Package/createUiDefinition.json +++ b/Solutions/Okta Single Sign-On/Package/createUiDefinition.json 
@@ -222,7 +222,7 @@ "name": "analytic6-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "MFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details thus compromising their own security. The query identifies MFA fatigue attempts in the Okta data. \n Ref: https://sec.okta.com/everythingisyes." + "text": "MFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details thus compromising their own security. The query identifies MFA fatigue attempts in the Okta data. \n Ref: www.okta.com/blog/identity-security/mfa-fatigue-growing-security-concern/." } } ] diff --git a/Solutions/Okta Single Sign-On/Package/mainTemplate.json b/Solutions/Okta Single Sign-On/Package/mainTemplate.json index ea77899b10a..af3834dc118 100644 --- a/Solutions/Okta Single Sign-On/Package/mainTemplate.json +++ b/Solutions/Okta Single Sign-On/Package/mainTemplate.json @@ -55,7 +55,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Okta Single Sign-On", - "_solutionVersion": "3.1.3", + "_solutionVersion": "3.1.4", "solutionId": "azuresentinel.azure-sentinel-solution-okta", "_solutionId": "[variables('solutionId')]", "analyticRuleObject1": { 
@@ -94,11 +94,11 @@ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','41e843a8-92e7-444d-8d72-638f1145d1e1','-', '1.1.1')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.1.1", + "analyticRuleVersion6": "1.1.2", "_analyticRulecontentId6": "c2697b81-7fe9-4f57-ba1d-de46c6f91f9c", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c2697b81-7fe9-4f57-ba1d-de46c6f91f9c')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c2697b81-7fe9-4f57-ba1d-de46c6f91f9c')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c2697b81-7fe9-4f57-ba1d-de46c6f91f9c','-', '1.1.1')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c2697b81-7fe9-4f57-ba1d-de46c6f91f9c','-', '1.1.2')))]" }, "analyticRuleObject7": { "analyticRuleVersion7": "1.1.1", @@ -248,7 +248,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.1.3", + "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -367,7 +367,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.1.3", + "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -480,7 +480,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.1.3", + "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -593,7 +593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.1.3", + "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -720,7 +720,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.1.3", + "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -853,7 +853,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.1.3", + "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -867,7 +867,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "MFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details thus compromising their own security. The query identifies MFA fatigue attempts in the Okta data. \n Ref: https://sec.okta.com/everythingisyes.", + "description": "MFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details thus compromising their own security. The query identifies MFA fatigue attempts in the Okta data. \n Ref: www.okta.com/blog/identity-security/mfa-fatigue-growing-security-concern/.", "displayName": "MFA Fatigue (OKTA)", "enabled": false, "query": "let PushThreshold = 10;\nOktaSSO\n| where ((eventType_s ==\"user.authentication.auth_via_mfa\" and column_ifexists('debugContext_debugData_factor_s', '') == \"OKTA_VERIFY_PUSH\") or eventType_s == \"system.push.send_factor_verify_push\" or eventType_s == \"user.mfa.okta_verify.deny_push\") \n| summarize IPAddress = make_set(client_ipAddress_s,100), City = make_set(client_geographicalContext_city_s,100),\n successes = countif(eventType_s == \"user.authentication.auth_via_mfa\"),\n denies = countif(eventType_s == \"user.mfa.okta_verify.deny_push\"),\n pushes = countif(eventType_s == \"system.push.send_factor_verify_push\") by TimeGenerated, authenticationContext_externalSessionId_s, actor_alternateId_s,actor_displayName_s, outcome_result_s \n| summarize lasttime = max(TimeGenerated), firsttime = min(TimeGenerated),\n successes = sum(successes), failures = sum(denies), pushes = sum(pushes) by authenticationContext_externalSessionId_s, actor_alternateId_s,actor_displayName_s, outcome_result_s \n| extend seconds = lasttime - firsttime\n| where pushes > (PushThreshold)\n| extend totalattempts = successes 
+ failures\n| extend finding = case(\n failures == pushes and pushes > 1, \"Authentication attempts not successful because multiple pushes denied\",\n totalattempts == 0, \"Multiple pushes sent and ignored\",\n successes > 0 and pushes > 3, \"Multiple pushes sent, eventual successful authentication!\",\n \"Normal authentication pattern\")\n", @@ -967,7 +967,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.1.3", + "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -1093,7 +1093,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.1.3", + "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", 
@@ -1216,7 +1216,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.1.3", + "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1334,7 +1334,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta Single Sign-On data connector with template version 3.1.3", + "description": "Okta Single Sign-On data connector with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -2690,7 +2690,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.1.3", + "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -2775,7 +2775,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.1.3", + "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -2860,7 +2860,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.1.3", + "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -2945,7 +2945,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.1.3", + "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", 
@@ -3030,7 +3030,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.1.3", + "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -3115,7 +3115,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.1.3", + "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -3200,7 +3200,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.1.3", + "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", 
@@ -3285,7 +3285,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.1.3", + "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -3370,7 +3370,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.1.3", + "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -3455,7 +3455,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.1.3", + "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", 
@@ -3540,7 +3540,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaCustomConnector Playbook with template version 3.1.3", + "description": "OktaCustomConnector Playbook with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -4835,7 +4835,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.1.3", + "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -5194,7 +5194,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-PromptUser Playbook with template version 3.1.3", + "description": "Okta-PromptUser Playbook with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", 
@@ -5645,7 +5645,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-ResponseFromTeams Playbook with template version 3.1.3", + "description": "Okta-ResponseFromTeams Playbook with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -6152,7 +6152,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaSingleSignOn Workbook with template version 3.1.3", + "description": "OktaSingleSignOn Workbook with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -6248,7 +6248,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaSSO Data Parser with template version 3.1.3", + "description": "OktaSSO Data Parser with template version 3.1.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -6376,7 +6376,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.1.3", + "version": "3.1.4", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Okta Single Sign-On", 
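Review bot: the `_solutionVersion` variable and the MFA Fatigue rule's own `analyticRuleVersionN` bump are not in the hunks shown for this file, yet every `description` here now says template version 3.1.4 and the ReleaseNotes entry for 3.1.4 attributes the change to the MFA Fatigue (OKTA) analytic rule; confirm the earlier hunks of mainTemplate.json set `"_solutionVersion": "3.1.4"` and bump that rule's version and `_analyticRulecontentProductId`, otherwise the content item descriptions and the package metadata disagree. The only rule-level hunk visible here is `UserSessionImpersonation_AnalyticalRules`, and it is a description-only change.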
diff --git a/Solutions/Okta Single Sign-On/ReleaseNotes.md b/Solutions/Okta Single Sign-On/ReleaseNotes.md index 08133afd288..1133891e259 100644 --- a/Solutions/Okta Single Sign-On/ReleaseNotes.md +++ b/Solutions/Okta Single Sign-On/ReleaseNotes.md @@ -1,5 +1,7 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------------------------| +| 3.1.4 | 13-01-2026 | Updated non-functional link from MFA Fatigue (OKTA) **Analytic rule** | +| 3.1.3 | 05-02-2025 | Version Update | | 3.1.2 | 06-01-2025 | Removing Custom Entity mappings from **Analytic Rule** | | 3.1.1 | 08-11-2024 | Fixed CCP **Data Connector** connection bug | | 3.1.0 | 27-11-2024 | Fixed Solution version in Maintemplate and resolved ARM template error | diff --git a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml index 3c190dc5b2e..bd4da42f4f4 100644 --- a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml +++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml 
@@ -5,7 +5,7 @@ description: | The query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. This outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts. Reference Blog: - http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/ + https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56 https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586' severity: Low status: Available @@ -61,5 +61,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: DestinationIP -version: 1.0.6 +version: 1.0.7 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PaloAlto-PAN-OS/Package/3.0.11.zip b/Solutions/PaloAlto-PAN-OS/Package/3.0.11.zip new file mode 100644 index 00000000000..66af302ae78 Binary files /dev/null and b/Solutions/PaloAlto-PAN-OS/Package/3.0.11.zip differ diff --git a/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json b/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json index b6b97827c0e..d1cc312e40e 100644 --- a/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json +++ b/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json 
@@ -184,7 +184,7 @@ "name": "analytic4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns.\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing.\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586" + "text": "Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns.\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing.\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttps://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586" } } ] diff --git a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json index b8c5048188b..9ca5a5d0075 100644 --- a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json +++ b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json 
@@ -49,7 +49,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "PaloAlto-PAN-OS", - "_solutionVersion": "3.0.10", + "_solutionVersion": "3.0.11", "solutionId": "azuresentinel.azure-sentinel-solution-paloaltopanos", "_solutionId": "[variables('solutionId')]", "huntingQueryObject1": { @@ -97,11 +97,11 @@ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2be4ef67-a93f-4d8a-981a-88158cb73abd','-', '1.3.6')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.6", + "analyticRuleVersion4": "1.0.7", "_analyticRulecontentId4": "f0be259a-34ac-4946-aa15-ca2b115d5feb", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f0be259a-34ac-4946-aa15-ca2b115d5feb')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f0be259a-34ac-4946-aa15-ca2b115d5feb')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f0be259a-34ac-4946-aa15-ca2b115d5feb','-', '1.0.6')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f0be259a-34ac-4946-aa15-ca2b115d5feb','-', '1.0.7')))]" }, "analyticRuleObject5": { "analyticRuleVersion5": "1.0.8", 
@@ -195,7 +195,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-HighRiskPorts_HuntingQueries Hunting Query with template version 3.0.10", + "description": "PaloAlto-HighRiskPorts_HuntingQueries Hunting Query with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -276,7 +276,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Palo Alto - potential beaconing detected_HuntingQueries Hunting Query with template version 3.0.10", + "description": "Palo Alto - potential beaconing detected_HuntingQueries Hunting Query with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -361,7 +361,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoOverview Workbook with template version 3.0.10", + "description": "PaloAltoOverview Workbook with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -449,7 +449,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoNetworkThreat Workbook with template version 3.0.10", + "description": "PaloAltoNetworkThreat Workbook with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -537,7 +537,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-UnusualThreatSignatures_AnalyticalRules Analytics Rule with template version 3.0.10", + "description": "PaloAlto-UnusualThreatSignatures_AnalyticalRules Analytics Rule with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -648,7 +648,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-Top100_NmapScan_AnalyticalRules Analytics Rule with template version 3.0.10", + "description": "PaloAlto-Top100_NmapScan_AnalyticalRules Analytics Rule with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -770,7 +770,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_Covid19_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.10", + "description": "FileHashEntity_Covid19_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -924,7 +924,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-NetworkBeaconing_AnalyticalRules Analytics Rule with template version 3.0.10", + "description": "PaloAlto-NetworkBeaconing_AnalyticalRules Analytics Rule with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -938,7 +938,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns.\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing.\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586", + "description": "Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns.\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing.\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttps://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586", "displayName": "Palo Alto - potential beaconing detected", "enabled": false, "query": "let starttime = 2d;\nlet endtime = 1d;\nlet TimeDeltaThreshold = 25;\nlet TotalEventsThreshold = 30;\nlet MostFrequentTimeDeltaThreshold = 25;\nlet PercentBeaconThreshold = 80;\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\" and Activity == \"TRAFFIC\"\n| where TimeGenerated between 
(startofday(ago(starttime))..startofday(ago(endtime)))\n| where ipv4_is_private(DestinationIP)== false\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\n| serialize\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\n| where SourceIP == nextSourceIP\n//Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes)\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n", @@ -1047,7 +1047,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PortScanning_AnalyticalRules Analytics Rule with template version 3.0.10", + "description": "PaloAlto-PortScanning_AnalyticalRules Analytics Rule with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -1169,7 +1169,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto_PAN-OS_Rest_API_CustomConnector Playbook with template version 3.0.10", + "description": "PaloAlto_PAN-OS_Rest_API_CustomConnector Playbook with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -3364,7 +3364,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto_PAN-OS_XML_API_CustomConnector Playbook with template version 3.0.10", + "description": "PaloAlto_PAN-OS_XML_API_CustomConnector Playbook with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -3551,7 +3551,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PAN-OS-GetSystemInfo Playbook with template version 3.0.10", + "description": "PaloAlto-PAN-OS-GetSystemInfo Playbook with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", 
@@ -3798,7 +3798,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PAN-OS-GetThreatPcap Playbook with template version 3.0.10", + "description": "PaloAlto-PAN-OS-GetThreatPcap Playbook with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -4334,7 +4334,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PAN-OS-GetURLCategoryInfo Playbook with template version 3.0.10", + "description": "PaloAlto-PAN-OS-GetURLCategoryInfo Playbook with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", @@ -4772,7 +4772,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PAN-OS-BlockIP Playbook with template version 3.0.10", + "description": "PaloAlto-PAN-OS-BlockIP Playbook with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion6')]", 
@@ -5924,7 +5924,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PAN-OS-BlockURL Playbook with template version 3.0.10", + "description": "PaloAlto-PAN-OS-BlockURL Playbook with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion7')]", @@ -7076,7 +7076,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PAN-OS-BlockURL-EntityTrigger Playbook with template version 3.0.10", + "description": "PaloAlto-PAN-OS-BlockURL-EntityTrigger Playbook with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion8')]", @@ -8180,7 +8180,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PAN-OS-BlockIP-EntityTrigger Playbook with template version 3.0.10", + "description": "PaloAlto-PAN-OS-BlockIP-EntityTrigger Playbook with template version 3.0.11", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion9')]", @@ -9281,7 +9281,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.10", + "version": "3.0.11", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "PaloAlto-PAN-OS", 
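Review bot: PaloAlto-NetworkBeaconing.yaml still ends without a trailing newline (`\ No newline at end of file` follows the `version: 1.0.7` line in the `@@ -61,5 +61,5 @@` hunk); since that line is already being edited, add the newline so the next change to the file does not show a spurious `kind: Scheduled` diff. The link swap itself is consistent across the yaml, the createUiDefinition.json `analytic4-text` block and the mainTemplate.json rule description, and `analyticRuleVersion4` / `_analyticRulecontentProductId4` are bumped to 1.0.7 in step with the yaml.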
diff --git a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md index 6056e5e77a1..187cb112cda 100644 --- a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md +++ b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.11 | 13-01-2026 | Updated non-functional link from PaloAlto-NetworkBeaconing **Analytic rule** | | 3.0.10 | 13-11-2025 | Adding New Detection Rule for Nmap Top 100 Port Scan | | 3.0.9 | 06-01-2025 | Removing Custom Entity mappings from **Analytic Rule** | | 3.0.8 | 15-11-2024 | Corrected **Data Connector** count in CreateUiDefinition | diff --git a/Solutions/RiskIQ/Package/3.0.0.zip b/Solutions/RiskIQ/Package/3.0.0.zip new file mode 100644 index 00000000000..1e1bd7050a1 Binary files /dev/null and b/Solutions/RiskIQ/Package/3.0.0.zip differ diff --git a/Solutions/RiskIQ/Package/createUiDefinition.json b/Solutions/RiskIQ/Package/createUiDefinition.json index 39dc532f168..bebfd248c34 100644 --- a/Solutions/RiskIQ/Package/createUiDefinition.json +++ b/Solutions/RiskIQ/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[RiskIQ Illuminate](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-threat-intelligence) is a complete security intelligence offering, blending attack surface visibility with detailed threat intelligence. With RiskIQ Illuminate, security teams will accelerate their investigations, increase their visibility, respond more effectively to threats, and maximize the impact of their existing security solutions.\n\n**Playbooks:** 27\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/RiskIQ/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[RiskIQ Illuminate](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-threat-intelligence) is a complete security intelligence offering, blending attack surface visibility with detailed threat intelligence. With RiskIQ Illuminate, security teams will accelerate their investigations, increase their visibility, respond more effectively to threats, and maximize the impact of their existing security solutions.\n\n**Playbooks:** 27\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
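Review bot: the second bullet in the new `description` has a leading space (`\n\n • There may be`) while the first does not (`\n\n• Review`), so the two bullets will render misaligned; drop the space. The new Release Notes link targets `Solutions/RiskIQ/ReleaseNotes.md`, but no diff for that file appears alongside the `3.0.0.zip` and createUiDefinition changes here; confirm it exists on master before the link ships.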
diff --git a/Solutions/RiskIQ/Package/mainTemplate.json b/Solutions/RiskIQ/Package/mainTemplate.json index 3f31cce0c9a..93d8d26629b 100644 --- a/Solutions/RiskIQ/Package/mainTemplate.json +++ b/Solutions/RiskIQ/Package/mainTemplate.json 
@@ -30,230 +30,243 @@ } }, "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-riskiq", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", + "_solutionName": "RiskIQ", + "_solutionVersion": "3.0.0", + "solutionId": "azuresentinel.azure-sentinel-solution-riskiq", + "_solutionId": "[variables('solutionId')]", "RiskIQ-Base": "RiskIQ-Base", "_RiskIQ-Base": "[variables('RiskIQ-Base')]", + "TemplateEmptyObject": "[json('{}')]", "playbookVersion1": "1.0", "playbookContentId1": "RiskIQ-Base", "_playbookContentId1": "[variables('playbookContentId1')]", "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", - "playbookTemplateSpecName1": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1')))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", "RiskIQ-Automated-Triage-alert-trigger": "RiskIQ-Automated-Triage-alert-trigger", "_RiskIQ-Automated-Triage-alert-trigger": "[variables('RiskIQ-Automated-Triage-alert-trigger')]", "playbookVersion2": "1.0", "playbookContentId2": "RiskIQ-Automated-Triage-alert-trigger", "_playbookContentId2": "[variables('playbookContentId2')]", "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", - "playbookTemplateSpecName2": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2')))]", + "playbookTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", + "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", "RiskIQ-Automated-Triage-incident-trigger": "RiskIQ-Automated-Triage-incident-trigger", "_RiskIQ-Automated-Triage-incident-trigger": "[variables('RiskIQ-Automated-Triage-incident-trigger')]", "playbookVersion3": "1.0", "playbookContentId3": "RiskIQ-Automated-Triage-incident-trigger", "_playbookContentId3": "[variables('playbookContentId3')]", "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", - "playbookTemplateSpecName3": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3')))]", + "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", + "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", "RiskIQ-Data-PassiveDns-Domain": "RiskIQ-Data-PassiveDns-Domain", "_RiskIQ-Data-PassiveDns-Domain": "[variables('RiskIQ-Data-PassiveDns-Domain')]", "playbookVersion4": "1.0", "playbookContentId4": "RiskIQ-Data-PassiveDns-Domain", "_playbookContentId4": "[variables('playbookContentId4')]", "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", - "playbookTemplateSpecName4": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4')))]", + "playbookTemplateSpecName4": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", + "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", "RiskIQ-Data-PassiveDns-Ip": "RiskIQ-Data-PassiveDns-Ip", "_RiskIQ-Data-PassiveDns-Ip": "[variables('RiskIQ-Data-PassiveDns-Ip')]", "playbookVersion5": "1.0", "playbookContentId5": "RiskIQ-Data-PassiveDns-Ip", "_playbookContentId5": "[variables('playbookContentId5')]", "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", - "playbookTemplateSpecName5": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5')))]", + "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", + "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", "RiskIQ-Data-PassiveDns": "RiskIQ-Data-PassiveDns", "_RiskIQ-Data-PassiveDns": "[variables('RiskIQ-Data-PassiveDns')]", "playbookVersion6": "1.0", "playbookContentId6": "RiskIQ-Data-PassiveDns", "_playbookContentId6": "[variables('playbookContentId6')]", "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]", - "playbookTemplateSpecName6": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6')))]", + "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]", + "_playbookcontentProductId6": 
"[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", "RiskIQ-Data-Summary-Domain-alert-trigger": "RiskIQ-Data-Summary-Domain-alert-trigger", "_RiskIQ-Data-Summary-Domain-alert-trigger": "[variables('RiskIQ-Data-Summary-Domain-alert-trigger')]", "playbookVersion7": "1.0", "playbookContentId7": "RiskIQ-Data-Summary-Domain-alert-trigger", "_playbookContentId7": "[variables('playbookContentId7')]", "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]", - "playbookTemplateSpecName7": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7')))]", + "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]", + "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]", "RiskIQ-Data-Summary-Domain-incident-trigger": "RiskIQ-Data-Summary-Domain-incident-trigger", "_RiskIQ-Data-Summary-Domain-incident-trigger": "[variables('RiskIQ-Data-Summary-Domain-incident-trigger')]", "playbookVersion8": "1.0", "playbookContentId8": "RiskIQ-Data-Summary-Domain-incident-trigger", "_playbookContentId8": "[variables('playbookContentId8')]", "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]", - "playbookTemplateSpecName8": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8')))]", + "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]", + "_playbookcontentProductId8": 
"[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]", "RiskIQ-Data-Summary-Ip-alert-trigger": "RiskIQ-Data-Summary-Ip-alert-trigger", "_RiskIQ-Data-Summary-Ip-alert-trigger": "[variables('RiskIQ-Data-Summary-Ip-alert-trigger')]", "playbookVersion9": "1.0", "playbookContentId9": "RiskIQ-Data-Summary-Ip-alert-trigger", "_playbookContentId9": "[variables('playbookContentId9')]", "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]", - "playbookTemplateSpecName9": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9')))]", + "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]", + "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]", "RiskIQ-Data-Summary-Ip-incident-trigger": "RiskIQ-Data-Summary-Ip-incident-trigger", "_RiskIQ-Data-Summary-Ip-incident-trigger": "[variables('RiskIQ-Data-Summary-Ip-incident-trigger')]", "playbookVersion10": "1.0", "playbookContentId10": "RiskIQ-Data-Summary-Ip-incident-trigger", "_playbookContentId10": "[variables('playbookContentId10')]", "playbookId10": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId10'))]", - "playbookTemplateSpecName10": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId10')))]", + "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId10'))))]", + "_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','pl','-', 
uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]", "RiskIQ-Data-Summary-alert-trigger": "RiskIQ-Data-Summary-alert-trigger", "_RiskIQ-Data-Summary-alert-trigger": "[variables('RiskIQ-Data-Summary-alert-trigger')]", "playbookVersion11": "1.0", "playbookContentId11": "RiskIQ-Data-Summary-alert-trigger", "_playbookContentId11": "[variables('playbookContentId11')]", "playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]", - "playbookTemplateSpecName11": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11')))]", + "playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]", + "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]", "RiskIQ-Data-Summary-incident-trigger": "RiskIQ-Data-Summary-incident-trigger", "_RiskIQ-Data-Summary-incident-trigger": "[variables('RiskIQ-Data-Summary-incident-trigger')]", "playbookVersion12": "1.0", "playbookContentId12": "RiskIQ-Data-Summary-incident-trigger", "_playbookContentId12": "[variables('playbookContentId12')]", "playbookId12": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId12'))]", - "playbookTemplateSpecName12": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId12')))]", + "playbookTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId12'))))]", + "_playbookcontentProductId12": "[concat(take(variables('_solutionId'),50),'-','pl','-', 
uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId12'),'-', variables('playbookVersion12'))))]", "RiskIQ-Data-Whois-Domain": "RiskIQ-Data-Whois-Domain", "_RiskIQ-Data-Whois-Domain": "[variables('RiskIQ-Data-Whois-Domain')]", "playbookVersion13": "1.0", "playbookContentId13": "RiskIQ-Data-Whois-Domain", "_playbookContentId13": "[variables('playbookContentId13')]", "playbookId13": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId13'))]", - "playbookTemplateSpecName13": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId13')))]", + "playbookTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId13'))))]", + "_playbookcontentProductId13": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId13'),'-', variables('playbookVersion13'))))]", "RiskIQ-Data-Whois-IP": "RiskIQ-Data-Whois-IP", "_RiskIQ-Data-Whois-IP": "[variables('RiskIQ-Data-Whois-IP')]", "playbookVersion14": "1.0", "playbookContentId14": "RiskIQ-Data-Whois-IP", "_playbookContentId14": "[variables('playbookContentId14')]", "playbookId14": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId14'))]", - "playbookTemplateSpecName14": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId14')))]", + "playbookTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId14'))))]", + "_playbookcontentProductId14": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId14'),'-', variables('playbookVersion14'))))]", "RiskIQ-Data-Whois": "RiskIQ-Data-Whois", "_RiskIQ-Data-Whois": 
"[variables('RiskIQ-Data-Whois')]", "playbookVersion15": "1.0", "playbookContentId15": "RiskIQ-Data-Whois", "_playbookContentId15": "[variables('playbookContentId15')]", "playbookId15": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId15'))]", - "playbookTemplateSpecName15": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId15')))]", + "playbookTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId15'))))]", + "_playbookcontentProductId15": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId15'),'-', variables('playbookVersion15'))))]", "RiskIQ-Intel-Reputation-Domain-alert-trigger": "RiskIQ-Intel-Reputation-Domain-alert-trigger", "_RiskIQ-Intel-Reputation-Domain-alert-trigger": "[variables('RiskIQ-Intel-Reputation-Domain-alert-trigger')]", "playbookVersion16": "1.0", "playbookContentId16": "RiskIQ-Intel-Reputation-Domain-alert-trigger", "_playbookContentId16": "[variables('playbookContentId16')]", "playbookId16": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId16'))]", - "playbookTemplateSpecName16": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId16')))]", + "playbookTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId16'))))]", + "_playbookcontentProductId16": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId16'),'-', variables('playbookVersion16'))))]", "RiskIQ-Intel-Reputation-Domain-incident-trigger": "RiskIQ-Intel-Reputation-Domain-incident-trigger", "_RiskIQ-Intel-Reputation-Domain-incident-trigger": 
"[variables('RiskIQ-Intel-Reputation-Domain-incident-trigger')]", "playbookVersion17": "1.0", "playbookContentId17": "RiskIQ-Intel-Reputation-Domain-incident-trigger", "_playbookContentId17": "[variables('playbookContentId17')]", "playbookId17": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId17'))]", - "playbookTemplateSpecName17": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId17')))]", + "playbookTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId17'))))]", + "_playbookcontentProductId17": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId17'),'-', variables('playbookVersion17'))))]", "RiskIQ-Intel-Reputation-Ip-alert-trigger": "RiskIQ-Intel-Reputation-Ip-alert-trigger", "_RiskIQ-Intel-Reputation-Ip-alert-trigger": "[variables('RiskIQ-Intel-Reputation-Ip-alert-trigger')]", "playbookVersion18": "1.0", "playbookContentId18": "RiskIQ-Intel-Reputation-Ip-alert-trigger", "_playbookContentId18": "[variables('playbookContentId18')]", "playbookId18": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId18'))]", - "playbookTemplateSpecName18": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId18')))]", + "playbookTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId18'))))]", + "_playbookcontentProductId18": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId18'),'-', variables('playbookVersion18'))))]", "RiskIQ-Intel-Reputation-Ip-incident-trigger": "RiskIQ-Intel-Reputation-Ip-incident-trigger", "_RiskIQ-Intel-Reputation-Ip-incident-trigger": 
"[variables('RiskIQ-Intel-Reputation-Ip-incident-trigger')]", "playbookVersion19": "1.0", "playbookContentId19": "RiskIQ-Intel-Reputation-Ip-incident-trigger", "_playbookContentId19": "[variables('playbookContentId19')]", "playbookId19": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId19'))]", - "playbookTemplateSpecName19": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId19')))]", + "playbookTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId19'))))]", + "_playbookcontentProductId19": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId19'),'-', variables('playbookVersion19'))))]", "RiskIQ-Intel-Reputation-alert-trigger": "RiskIQ-Intel-Reputation-alert-trigger", "_RiskIQ-Intel-Reputation-alert-trigger": "[variables('RiskIQ-Intel-Reputation-alert-trigger')]", "playbookVersion20": "1.0", "playbookContentId20": "RiskIQ-Intel-Reputation-alert-trigger", "_playbookContentId20": "[variables('playbookContentId20')]", "playbookId20": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId20'))]", - "playbookTemplateSpecName20": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId20')))]", + "playbookTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId20'))))]", + "_playbookcontentProductId20": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId20'),'-', variables('playbookVersion20'))))]", "RiskIQ-Intel-Reputation-incident-trigger": "RiskIQ-Intel-Reputation-incident-trigger", "_RiskIQ-Intel-Reputation-incident-trigger": 
"[variables('RiskIQ-Intel-Reputation-incident-trigger')]", "playbookVersion21": "1.0", "playbookContentId21": "RiskIQ-Intel-Reputation-incident-trigger", "_playbookContentId21": "[variables('playbookContentId21')]", "playbookId21": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId21'))]", - "playbookTemplateSpecName21": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId21')))]", + "playbookTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId21'))))]", + "_playbookcontentProductId21": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId21'),'-', variables('playbookVersion21'))))]", "RiskIQ-Intel-Summary-Domain-alert-trigger": "RiskIQ-Intel-Summary-Domain-alert-trigger", "_RiskIQ-Intel-Summary-Domain-alert-trigger": "[variables('RiskIQ-Intel-Summary-Domain-alert-trigger')]", "playbookVersion22": "1.0", "playbookContentId22": "RiskIQ-Intel-Summary-Domain-alert-trigger", "_playbookContentId22": "[variables('playbookContentId22')]", "playbookId22": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId22'))]", - "playbookTemplateSpecName22": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId22')))]", + "playbookTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId22'))))]", + "_playbookcontentProductId22": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId22'),'-', variables('playbookVersion22'))))]", "RiskIQ-Intel-Summary-Domain-incident-trigger": "RiskIQ-Intel-Summary-Domain-incident-trigger", "_RiskIQ-Intel-Summary-Domain-incident-trigger": 
"[variables('RiskIQ-Intel-Summary-Domain-incident-trigger')]", "playbookVersion23": "1.0", "playbookContentId23": "RiskIQ-Intel-Summary-Domain-incident-trigger", "_playbookContentId23": "[variables('playbookContentId23')]", "playbookId23": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId23'))]", - "playbookTemplateSpecName23": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId23')))]", + "playbookTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId23'))))]", + "_playbookcontentProductId23": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId23'),'-', variables('playbookVersion23'))))]", "RiskIQ-Intel-Summary-Ip-alert-trigger": "RiskIQ-Intel-Summary-Ip-alert-trigger", "_RiskIQ-Intel-Summary-Ip-alert-trigger": "[variables('RiskIQ-Intel-Summary-Ip-alert-trigger')]", "playbookVersion24": "1.0", "playbookContentId24": "RiskIQ-Intel-Summary-Ip-alert-trigger", "_playbookContentId24": "[variables('playbookContentId24')]", "playbookId24": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId24'))]", - "playbookTemplateSpecName24": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId24')))]", + "playbookTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId24'))))]", + "_playbookcontentProductId24": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId24'),'-', variables('playbookVersion24'))))]", "RiskIQ-Intel-Summary-Ip-incident-trigger": "RiskIQ-Intel-Summary-Ip-incident-trigger", "_RiskIQ-Intel-Summary-Ip-incident-trigger": 
"[variables('RiskIQ-Intel-Summary-Ip-incident-trigger')]", "playbookVersion25": "1.0", "playbookContentId25": "RiskIQ-Intel-Summary-Ip-incident-trigger", "_playbookContentId25": "[variables('playbookContentId25')]", "playbookId25": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId25'))]", - "playbookTemplateSpecName25": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId25')))]", + "playbookTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId25'))))]", + "_playbookcontentProductId25": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId25'),'-', variables('playbookVersion25'))))]", "RiskIQ-Intel-Summary-alert-trigger": "RiskIQ-Intel-Summary-alert-trigger", "_RiskIQ-Intel-Summary-alert-trigger": "[variables('RiskIQ-Intel-Summary-alert-trigger')]", "playbookVersion26": "1.0", "playbookContentId26": "RiskIQ-Intel-Summary-alert-trigger", "_playbookContentId26": "[variables('playbookContentId26')]", "playbookId26": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId26'))]", - "playbookTemplateSpecName26": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId26')))]", + "playbookTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId26'))))]", + "_playbookcontentProductId26": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId26'),'-', variables('playbookVersion26'))))]", "RiskIQ-Intel-Summary-incident-trigger": "RiskIQ-Intel-Summary-incident-trigger", "_RiskIQ-Intel-Summary-incident-trigger": "[variables('RiskIQ-Intel-Summary-incident-trigger')]", 
"playbookVersion27": "1.0", "playbookContentId27": "RiskIQ-Intel-Summary-incident-trigger", "_playbookContentId27": "[variables('playbookContentId27')]", "playbookId27": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId27'))]", - "playbookTemplateSpecName27": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId27')))]" + "playbookTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId27'))))]", + "_playbookcontentProductId27": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId27'),'-', variables('playbookVersion27'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Base playbook", - "displayName": "RiskIQ-Base playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName1'),'/',variables('playbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', 
variables('playbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Base Playbook with template version 2.0.0", + "description": "RiskIQ-Base Playbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -334,6 +347,7 @@ }, "triggers": { "manual": { + "inputs": "[variables('TemplateEmptyObject')]", "kind": "Http", "type": "Request" } 
@@ -382,7 +396,7 @@ "metadata": { "comments": "Establish the needed base resources to leverage with all RiskIQ playbooks.", "title": "RiskIQ-Base", - "description": "This playbook creates a shared API Connection for all RiskIQ playbooks to leverage. This eases the configuration process for a user during deployment of the RiskIQ solution. In time, this base playbook may be extended to set more functionality. You will need your API credentials (email/secret) when configuring this playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com).", + "description": "This playbook creates a shared API Connection for all RiskIQ playbooks to leverage. This eases the configuration process for a user during deployment of the RiskIQ solution. In time, this base playbook may be extended to set more functionality. You will need your API credentials (email/secret) when configuring this playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com).", "prerequisites": [ "None" ], 
@@ -404,37 +418,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Base", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Automated-Triage playbook", - "displayName": "RiskIQ-Automated-Triage playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName2'),'/',variables('playbookVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Automated-Triage Playbook with template version 2.0.0", + "description": "RiskIQ-Automated-Triage Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", 
@@ -932,7 +939,7 @@ "title": "RiskIQ-Automated-Triage-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with RiskIQ reputation data. If any indicators are labeled as 'suspicious', the incident will be tagged as such and its severity will be marked as 'medium'. If any indicators are labeled as 'malicious', the incident will be tagged as such and its severity will be marked as 'high'. Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -952,37 +959,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Automated-Triage", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Automated-Triage playbook", - "displayName": "RiskIQ-Automated-Triage playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName3'),'/',variables('playbookVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Automated-Triage Playbook with template version 2.0.0", + "description": "RiskIQ-Automated-Triage Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", 
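Review bot: the `description` under `properties` still hard-codes the template version ("RiskIQ-Automated-Triage Playbook with template version 3.0.0") while `contentVersion` on the next line and `version` in the package block both come from `variables('playbookVersion3')`, so the text and the actual version will drift apart on the next bump; build the string from the variable instead, e.g. `"description": "[concat('RiskIQ-Automated-Triage Playbook with template version ', variables('playbookVersion3'))]"`. The new `dependsOn` also resolves the workspace through `parameters('workspace')` where the removed templateSpec resources used `variables('workspaceResourceId')`; confirm the template declares a `workspace` parameter, since it is not visible in this hunk. The same hard-coded description pattern recurs in every contentTemplates hunk below (playbooks 4 through 11).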
@@ -1463,7 +1463,7 @@ "title": "RiskIQ-Automated-Triage-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with RiskIQ reputation data. If any indicators are labeled as 'suspicious', the incident will be tagged as such and its severity will be marked as 'medium'. If any indicators are labeled as 'malicious', the incident will be tagged as such and its severity will be marked as 'high'. Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
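Review bot: the prerequisites string now refers to an unnamed "account settings page" after the link to https://community.riskiq.com/settings was dropped, but `lastUpdateTime` in the trailing context is still "2022-08-05T00:00:00Z" even though user-facing text changed; bump it together with this edit. If the link was removed because that portal is no longer reachable, the rest of the same string (email/secret credentials, the 'organization' credential pair, support[@]riskiq.com) should be re-checked for the same reason rather than left implying the old portal still works. This string edit and the unchanged `lastUpdateTime` repeat in every prerequisites hunk below (playbooks 4 through 11).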
@@ -1483,37 +1483,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId3')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Automated-Triage", + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Data-PassiveDns-Domain playbook", - "displayName": "RiskIQ-Data-PassiveDns-Domain playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName4'),'/',variables('playbookVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Data-PassiveDns-Domain Playbook with template version 2.0.0", + "description": "RiskIQ-Data-PassiveDns-Domain Playbook with template version 3.0.0", "mainTemplate": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", 
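Review bot: `displayName` for `_playbookContentId3` is "RiskIQ-Automated-Triage", identical to the `displayName` given to `_playbookContentId2` in the previous contentTemplates hunk, although this playbook's `mainTemplate` title in the hunk just above is "RiskIQ-Automated-Triage-Incident"; two content items that share a display name cannot be told apart wherever that name is shown, so use the title here. The same collision appears further down for `_playbookContentId7` and `_playbookContentId8` (both "RiskIQ-Data-Summary-Domain", with titles "-alert" and "-incident") and for `_playbookContentId9` and `_playbookContentId10` (both "RiskIQ-Data-Summary-Ip", with titles "-Alert" and "-Incident").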
@@ -1850,7 +1843,7 @@ "title": "RiskIQ-Data-PassiveDns-Domain", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -1870,37 +1863,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId4')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Data-PassiveDns-Domain", + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName5')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Data-PassiveDns-Ip playbook", - "displayName": "RiskIQ-Data-PassiveDns-Ip playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName5'),'/',variables('playbookVersion5'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Data-PassiveDns-Ip Playbook with template version 2.0.0", + "description": "RiskIQ-Data-PassiveDns-Ip Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", 
@@ -2237,7 +2223,7 @@ "title": "RiskIQ-Data-PassiveDns-Ip", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "entities": [ 
@@ -2260,37 +2246,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId5')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Data-PassiveDns-Ip", + "contentProductId": "[variables('_playbookcontentProductId5')]", + "id": "[variables('_playbookcontentProductId5')]", + "version": "[variables('playbookVersion5')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName6')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Data-PassiveDns playbook", - "displayName": "RiskIQ-Data-PassiveDns playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName6'),'/',variables('playbookVersion6'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Data-PassiveDns Playbook with template version 2.0.0", + "description": "RiskIQ-Data-PassiveDns Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion6')]", 
@@ -2799,7 +2778,7 @@ "title": "RiskIQ-Data-PassiveDns", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -2819,37 +2798,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId6')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Data-PassiveDns", + "contentProductId": "[variables('_playbookcontentProductId6')]", + "id": "[variables('_playbookcontentProductId6')]", + "version": "[variables('playbookVersion6')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName7')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Data-Summary-Domain playbook", - "displayName": "RiskIQ-Data-Summary-Domain playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName7'),'/',variables('playbookVersion7'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Data-Summary-Domain Playbook with template version 2.0.0", + "description": "RiskIQ-Data-Summary-Domain Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion7')]", 
@@ -3143,7 +3115,7 @@ "title": "RiskIQ-Data-Summary-Domain-alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -3163,37 +3135,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId7')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Data-Summary-Domain", + "contentProductId": "[variables('_playbookcontentProductId7')]", + "id": "[variables('_playbookcontentProductId7')]", + "version": "[variables('playbookVersion7')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName8')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Data-Summary-Domain playbook", - "displayName": "RiskIQ-Data-Summary-Domain playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName8'),'/',variables('playbookVersion8'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Data-Summary-Domain Playbook with template version 2.0.0", + "description": "RiskIQ-Data-Summary-Domain Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion8')]", 
@@ -3470,7 +3435,7 @@ "title": "RiskIQ-Data-Summary-Domain-incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -3490,37 +3455,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId8')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Data-Summary-Domain", + "contentProductId": "[variables('_playbookcontentProductId8')]", + "id": "[variables('_playbookcontentProductId8')]", + "version": "[variables('playbookVersion8')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName9')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Data-Summary-Ip playbook", - "displayName": "RiskIQ-Data-Summary-Ip playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName9'),'/',variables('playbookVersion9'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Data-Summary-Ip Playbook with template version 2.0.0", + "description": "RiskIQ-Data-Summary-Ip Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion9')]", 
@@ -3824,7 +3782,7 @@ "title": "RiskIQ-Data-Summary-Ip-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "entities": [ 
@@ -3847,37 +3805,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId9')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Data-Summary-Ip", + "contentProductId": "[variables('_playbookcontentProductId9')]", + "id": "[variables('_playbookcontentProductId9')]", + "version": "[variables('playbookVersion9')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName10')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Data-Summary-Ip playbook", - "displayName": "RiskIQ-Data-Summary-Ip playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName10'),'/',variables('playbookVersion10'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Data-Summary-Ip Playbook with template version 2.0.0", + "description": "RiskIQ-Data-Summary-Ip Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion10')]", 
@@ -4164,7 +4115,7 @@ "title": "RiskIQ-Data-Summary-Ip-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "entities": [ 
@@ -4187,37 +4138,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId10')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Data-Summary-Ip", + "contentProductId": "[variables('_playbookcontentProductId10')]", + "id": "[variables('_playbookcontentProductId10')]", + "version": "[variables('playbookVersion10')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName11')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Data-Summary playbook", - "displayName": "RiskIQ-Data-Summary playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName11'),'/',variables('playbookVersion11'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName11'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Data-Summary Playbook with template version 2.0.0", + "description": "RiskIQ-Data-Summary Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion11')]", 
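Review bot: the resource `type` changes to `Microsoft.OperationalInsights/workspaces/providers/contentTemplates` but `name` still uses `variables('playbookTemplateSpecName11')`; a workspaces/providers child resource needs the three-segment form `<workspace>/Microsoft.SecurityInsights/<template name>`, so confirm that variable's definition was updated outside this hunk rather than left as the bare template spec name it was written for. The new `dependsOn` entry targets `Microsoft.SecurityInsights/contentPackages` for `variables('_solutionId')`, which must be declared in this same template for the ordering to take effect. Note also that `2023-04-01-preview` is a preview API version; record that dependency or move to a stable version when one is available. The same three points apply to every templateSpecs-to-contentTemplates hunk that follows.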
@@ -4667,7 +4611,7 @@ "title": "RiskIQ Data Summary Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -4687,37 +4631,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId11')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Data-Summary", + "contentProductId": "[variables('_playbookcontentProductId11')]", + "id": "[variables('_playbookcontentProductId11')]", + "version": "[variables('playbookVersion11')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName12')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Data-Summary playbook", - "displayName": "RiskIQ-Data-Summary playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName12'),'/',variables('playbookVersion12'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName12'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Data-Summary Playbook with template version 2.0.0", + "description": "RiskIQ-Data-Summary Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion12')]", 
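Review bot: the `description` literal is hand-edited from "template version 2.0.0" to "template version 3.0.0" while the same block sets `"contentSchemaVersion": "3.0.0"` and `"version": "[variables('playbookVersion11')]"`. If "3.0.0" in the description refers to the content schema version, derive it from a variable so a future schema bump does not require touching each playbook's description string; if it is meant to be the playbook version, it should read the same `playbookVersion` variable rather than a literal.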
@@ -5145,7 +5082,7 @@ "title": "RiskIQ Data Summary Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -5165,37 +5102,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId12')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Data-Summary", + "contentProductId": "[variables('_playbookcontentProductId12')]", + "id": "[variables('_playbookcontentProductId12')]", + "version": "[variables('playbookVersion12')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName13')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Data-Whois-Domain playbook", - "displayName": "RiskIQ-Data-Whois-Domain playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName13'),'/',variables('playbookVersion13'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName13'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Data-Whois-Domain Playbook with template version 2.0.0", + "description": "RiskIQ-Data-Whois-Domain Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion13')]", 
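Review bot: `displayName` for `_playbookContentId12` is `RiskIQ-Data-Summary`, identical to the `displayName` assigned to `_playbookContentId11` in the preceding hunk, even though the metadata titles in the surrounding hunks distinguish them as `RiskIQ Data Summary Alert` and `RiskIQ Data Summary Incident`. Two content templates with the same display name cannot be told apart where only the display name is shown; suggest `RiskIQ-Data-Summary-Alert` and `RiskIQ-Data-Summary-Incident` to match the titles.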
@@ -5408,7 +5338,7 @@ "title": "RiskIQ-Data-Whois-Domain", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind domain registrations and IP address hosting. Analysts can leverage WHOIS, both active and historic, in order to identify analytical leads. This data can sometimes reveal the threat actor behind a given set of infrastructure or provide deeper context as to what else may be related. This playbook will query for WHOIS data from indicators contained within the incident and post the results in the form of a comment.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -5428,37 +5358,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId13')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Data-Whois-Domain", + "contentProductId": "[variables('_playbookcontentProductId13')]", + "id": "[variables('_playbookcontentProductId13')]", + "version": "[variables('playbookVersion13')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName14')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Data-Whois-Ip playbook", - "displayName": "RiskIQ-Data-Whois-Ip playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName14'),'/',variables('playbookVersion14'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName14'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Data-Whois-Ip Playbook with template version 2.0.0", + "description": "RiskIQ-Data-Whois-Ip Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion14')]", 
@@ -5671,7 +5594,7 @@ "title": "RiskIQ-Data-Whois-Ip", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind domain registrations and IP address hosting. Analysts can leverage WHOIS, both active and historic, in order to identify analytical leads. This data can sometimes reveal the threat actor behind a given set of infrastructure or provide deeper context as to what else may be related. This playbook will query for WHOIS data from indicators contained within the incident and post the results in the form of a comment.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "entities": [ 
@@ -5694,37 +5617,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId14')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Data-Whois-Ip", + "contentProductId": "[variables('_playbookcontentProductId14')]", + "id": "[variables('_playbookcontentProductId14')]", + "version": "[variables('playbookVersion14')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName15')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Data-Whois playbook", - "displayName": "RiskIQ-Data-Whois playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName15'),'/',variables('playbookVersion15'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName15'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Data-Whois Playbook with template version 2.0.0", + "description": "RiskIQ-Data-Whois Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion15')]", 
@@ -6002,7 +5918,7 @@ "title": "RiskIQ-Data-Whois", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind domain registrations and IP address hosting. Analysts can leverage WHOIS, both active and historic, in order to identify analytical leads. This data can sometimes reveal the threat actor behind a given set of infrastructure or provide deeper context as to what else may be related. This playbook will query for WHOIS data from indicators contained within the incident and post the results in the form of a comment.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -6022,37 +5938,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId15')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Data-Whois", + "contentProductId": "[variables('_playbookcontentProductId15')]", + "id": "[variables('_playbookcontentProductId15')]", + "version": "[variables('playbookVersion15')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName16')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Intel-Reputation-Domain playbook", - "displayName": "RiskIQ-Intel-Reputation-Domain playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName16'),'/',variables('playbookVersion16'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName16'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Intel-Reputation-Domain Playbook with template version 2.0.0", + "description": "RiskIQ-Intel-Reputation-Domain Playbook with template version 3.0.0", "mainTemplate": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion16')]", 
@@ -6305,7 +6214,7 @@ "title": "RiskIQ-Intel-Reputation-Domain-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." 
], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -6325,37 +6234,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId16')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Intel-Reputation-Domain", + "contentProductId": "[variables('_playbookcontentProductId16')]", + "id": "[variables('_playbookcontentProductId16')]", + "version": "[variables('playbookVersion16')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName17')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Intel-Reputation-Domain playbook", - "displayName": "RiskIQ-Intel-Reputation-Domain playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName17'),'/',variables('playbookVersion17'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName17'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Intel-Reputation-Domain Playbook with template version 2.0.0", + "description": "RiskIQ-Intel-Reputation-Domain Playbook with template version 3.0.0", 
"mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion17')]", 
@@ -6591,7 +6493,7 @@ "title": "RiskIQ-Intel-Reputation-Domain-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." 
], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -6611,37 +6513,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId17')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Intel-Reputation-Domain", + "contentProductId": "[variables('_playbookcontentProductId17')]", + "id": "[variables('_playbookcontentProductId17')]", + "version": "[variables('playbookVersion17')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName18')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Intel-Reputation-Ip playbook", - "displayName": "RiskIQ-Intel-Reputation-Ip playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName18'),'/',variables('playbookVersion18'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName18'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Intel-Reputation-Ip Playbook with template version 2.0.0", + "description": "RiskIQ-Intel-Reputation-Ip Playbook with template version 3.0.0", "mainTemplate": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion18')]", 
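Review bot: `displayName` for `_playbookContentId17` is `RiskIQ-Intel-Reputation-Domain`, the same value given to `_playbookContentId16` in the hunk above, although their titles are `RiskIQ-Intel-Reputation-Domain-Alert` and `RiskIQ-Intel-Reputation-Domain-Incident`. Carry the `-Alert` / `-Incident` suffix into `displayName` so the two templates are distinguishable.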
@@ -6894,7 +6789,7 @@ "title": "RiskIQ-Intel-Reputation-Ip-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." 
], "lastUpdateTime": "2022-08-05T00:00:00Z", "entities": [ 
@@ -6917,37 +6812,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId18')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Intel-Reputation-Ip", + "contentProductId": "[variables('_playbookcontentProductId18')]", + "id": "[variables('_playbookcontentProductId18')]", + "version": "[variables('playbookVersion18')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName19')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Intel-Reputation-Ip playbook", - "displayName": "RiskIQ-Intel-Reputation-Ip playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName19'),'/',variables('playbookVersion19'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName19'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Intel-Reputation-Ip Playbook with template version 2.0.0", + "description": "RiskIQ-Intel-Reputation-Ip Playbook with template version 3.0.0", "mainTemplate": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion19')]", 
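Review bot: the new contentTemplates resource in this hunk references `variables('_solutionVersion')`, `variables('_solutionName')`, `variables('_solutionId')`, `variables('_playbookContentId18')`, `variables('_playbookcontentProductId18')` and `parameters('workspace')`, none of which are defined anywhere in the visible hunks; confirm the variables and parameters blocks of this file define every one of them, since an undefined reference fails the ARM deployment at validation time. The removed `hidden-sentinelWorkspaceId` tags were the only use of `variables('workspaceResourceId')` in this region, so check whether that variable is now dead and can go. The casing split between `_playbookContentId18` and `_playbookcontentProductId18` is easy to mistype when these entries are edited by hand; if the packaging tool does not dictate it, one casing for both would help.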
@@ -7183,7 +7071,7 @@ "title": "RiskIQ-Intel-Reputation-Ip-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." 
], "lastUpdateTime": "2022-08-05T00:00:00Z", "entities": [ 
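Review bot: the prerequisites change drops the link to the RiskIQ account settings page and leaves only the words "account settings page", so a reader no longer has a path to the credentials the same sentence tells them to fetch; if the old `https://community.riskiq.com/settings` URL is being retired, point at its current location or say where in the RiskIQ UI the page lives rather than removing the link. The `lastUpdateTime` context line directly after the edit still reads `2022-08-05T00:00:00Z` even though the prerequisites text and the template version description change in this PR; bump it so the content hub shows the update.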
@@ -7206,37 +7094,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId19')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Intel-Reputation-Ip", + "contentProductId": "[variables('_playbookcontentProductId19')]", + "id": "[variables('_playbookcontentProductId19')]", + "version": "[variables('playbookVersion19')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName20')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Intel-Reputation playbook", - "displayName": "RiskIQ-Intel-Reputation playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName20'),'/',variables('playbookVersion20'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName20'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Intel-Reputation Playbook with template version 2.0.0", + "description": "RiskIQ-Intel-Reputation Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion20')]", 
@@ -7594,7 +7475,7 @@ "title": "RiskIQ-Intel-Reputation-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." 
], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -7614,37 +7495,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId20')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Intel-Reputation", + "contentProductId": "[variables('_playbookcontentProductId20')]", + "id": "[variables('_playbookcontentProductId20')]", + "version": "[variables('playbookVersion20')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName21')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Intel-Reputation playbook", - "displayName": "RiskIQ-Intel-Reputation playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName21'),'/',variables('playbookVersion21'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName21'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Intel-Reputation Playbook with template version 2.0.0", + "description": "RiskIQ-Intel-Reputation Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion21')]", 
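Review bot: the `description` in this hunk hardcodes "template version 3.0.0" while the `contentVersion` on the next context line and the `version` field above both come from `variables('playbookVersion20')`, so the literal can drift from the real version on the next bump (this PR itself only kept them aligned by rewriting the string in every playbook). Suggest deriving it, for example `"[concat('RiskIQ-Intel-Reputation Playbook with template version ', variables('playbookVersion20'))]"`, if the packaging tool allows an expression here; otherwise add a check that the literal matches the variable.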
@@ -7980,7 +7854,7 @@ "title": "RiskIQ-Intel-Reputation-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." 
], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -8000,37 +7874,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId21')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Intel-Reputation", + "contentProductId": "[variables('_playbookcontentProductId21')]", + "id": "[variables('_playbookcontentProductId21')]", + "version": "[variables('playbookVersion21')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName22')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Intel-Summary-Domain playbook", - "displayName": "RiskIQ-Intel-Summary-Domain playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName22'),'/',variables('playbookVersion22'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName22'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Intel-Summary-Domain Playbook with template version 2.0.0", + "description": "RiskIQ-Intel-Summary-Domain Playbook with template version 3.0.0", "mainTemplate": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion22')]", 
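Review bot: the `displayName` added here for playbook 21 is "RiskIQ-Intel-Reputation", identical to the value the hunk two above gives playbook 20, while their mainTemplate titles are "RiskIQ-Intel-Reputation-Alert" (playbook 20) and "RiskIQ-Intel-Reputation-Incident" (playbook 21); with matching display names the two content templates cannot be told apart by name in the content hub. Suggest using each playbook's title as its `displayName`; the 18/19, 22/23, 24/25 and 26/27 pairs in the surrounding hunks repeat the same pattern.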
@@ -8292,7 +8159,7 @@ "title": "RiskIQ-Intel-Summary-Domain-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -8312,37 +8179,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId22')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Intel-Summary-Domain", + "contentProductId": "[variables('_playbookcontentProductId22')]", + "id": "[variables('_playbookcontentProductId22')]", + "version": "[variables('playbookVersion22')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName23')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Intel-Summary-Domain playbook", - "displayName": "RiskIQ-Intel-Summary-Domain playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName23'),'/',variables('playbookVersion23'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName23'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Intel-Summary-Domain Playbook with template version 2.0.0", + "description": "RiskIQ-Intel-Summary-Domain Playbook with template version 3.0.0", "mainTemplate": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion23')]", 
@@ -8587,7 +8447,7 @@ "title": "RiskIQ-Intel-Summary-Domain-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -8607,37 +8467,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId23')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Intel-Summary-Domain", + "contentProductId": "[variables('_playbookcontentProductId23')]", + "id": "[variables('_playbookcontentProductId23')]", + "version": "[variables('playbookVersion23')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName24')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Intel-Summary-Ip playbook", - "displayName": "RiskIQ-Intel-Summary-Ip playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName24'),'/',variables('playbookVersion24'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName24'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Intel-Summary-Ip Playbook with template version 2.0.0", + "description": "RiskIQ-Intel-Summary-Ip Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion24')]", 
@@ -8899,7 +8752,7 @@ "title": "RiskIQ-Intel-Summary-Ip-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "entities": [ 
@@ -8922,37 +8775,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId24')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Intel-Summary-Ip", + "contentProductId": "[variables('_playbookcontentProductId24')]", + "id": "[variables('_playbookcontentProductId24')]", + "version": "[variables('playbookVersion24')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName25')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Intel-Summary-Ip playbook", - "displayName": "RiskIQ-Intel-Summary-Ip playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName25'),'/',variables('playbookVersion25'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName25'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Intel-Summary-Ip Playbook with template version 2.0.0", + "description": "RiskIQ-Intel-Summary-Ip Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion25')]", 
@@ -9197,7 +9043,7 @@ "title": "RiskIQ-Intel-Summary-Ip-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "entities": [ 
@@ -9220,37 +9066,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId25')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Intel-Summary-Ip", + "contentProductId": "[variables('_playbookcontentProductId25')]", + "id": "[variables('_playbookcontentProductId25')]", + "version": "[variables('playbookVersion25')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName26')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Intel-Summary playbook", - "displayName": "RiskIQ-Intel-Summary playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName26'),'/',variables('playbookVersion26'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName26'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Intel-Summary Playbook with template version 2.0.0", + "description": "RiskIQ-Intel-Summary Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion26')]", 
@@ -9626,7 +9465,7 @@ "title": "RiskIQ-Intel-Summary-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -9646,37 +9485,30 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId26')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Intel-Summary", + "contentProductId": "[variables('_playbookcontentProductId26')]", + "id": "[variables('_playbookcontentProductId26')]", + "version": "[variables('playbookVersion26')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName27')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RiskIQ-Intel-Summary playbook", - "displayName": "RiskIQ-Intel-Summary playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName27'),'/',variables('playbookVersion27'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName27'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RiskIQ-Intel-Summary Playbook with template version 2.0.0", + "description": "RiskIQ-Intel-Summary Playbook with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion27')]", 
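Review bot: the contentTemplates properties that close the template at the top of this hunk set `"displayName": "RiskIQ-Intel-Summary"` for `_playbookContentId26`, but the playbook's own metadata title in the preceding hunk is "RiskIQ-Intel-Summary-Alert". Use the distinct title, or at least include the trigger type, so this entry can be told apart from the incident-trigger variant when both are listed in the content hub.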
@@ -10030,7 +9862,7 @@ "title": "RiskIQ-Intel-Summary-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ.", "prerequisites": [ - "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." + "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "postDeployment": [ 
@@ -10050,17 +9882,35 @@ } ] } - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId27')]", + "contentKind": "Playbook", + "displayName": "RiskIQ-Intel-Summary", + "contentProductId": "[variables('_playbookcontentProductId27')]", + "id": "[variables('_playbookcontentProductId27')]", + "version": "[variables('playbookVersion27')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.0", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "RiskIQ", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

RiskIQ Illuminate is a complete security intelligence offering, blending attack surface visibility with detailed threat intelligence. With RiskIQ Illuminate, security teams will accelerate their investigations, increase their visibility, respond more effectively to threats, and maximize the impact of their existing security solutions.

\n

Playbooks: 27

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { diff --git a/Solutions/RiskIQ/Package/testParameters.json b/Solutions/RiskIQ/Package/testParameters.json new file mode 100644 index 00000000000..e55ec41a9ac --- /dev/null +++ b/Solutions/RiskIQ/Package/testParameters.json @@ -0,0 +1,24 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } +} diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Automated-Triage/alert-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Automated-Triage/alert-trigger/azuredeploy.json index 2ba725fe118..9887ef3ab29 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Automated-Triage/alert-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Automated-Triage/alert-trigger/azuredeploy.json 
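Review bot: `"displayName": "RiskIQ-Intel-Summary"` for `_playbookContentId27` duplicates the displayName given to `_playbookContentId26` in the earlier hunk, although this template's metadata title in the previous hunk is "RiskIQ-Intel-Summary-Incident"; two content-hub entries with identical display names will confuse whoever installs the solution, so use the distinct titles. In the new contentPackages resource, `"version": "3.0.0"` is a literal while the contentTemplates above take `"packageVersion": "[variables('_solutionVersion')]"`; the package version should come from the same variable so a future bump cannot leave the two out of step (`contentSchemaVersion` is a schema constant and can stay literal). `"icon": ""` is empty; confirm that is intended before publishing.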
@@ -5,7 +5,7 @@ "comments": "Perform automated triage actions on the Microsoft Sentinels Incident based on RiskIQ Reputation data.", "title": "RiskIQ-Automated-Triage-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with RiskIQ reputation data. If any indicators are labeled as 'suspicious', the incident will be tagged as such and its severity will be marked as 'medium'. If any indicators are labeled as 'malicious', the incident will be tagged as such and its severity will be marked as 'high'. Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. 
For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Automated-Triage/incident-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Automated-Triage/incident-trigger/azuredeploy.json index 227af552da1..09472c29691 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Automated-Triage/incident-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Automated-Triage/incident-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated triage actions on the Microsoft Sentinels Incident based on RiskIQ Reputation data.", "title": "RiskIQ-Automated-Triage-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with RiskIQ reputation data. If any indicators are labeled as 'suspicious', the incident will be tagged as such and its severity will be marked as 'medium'. If any indicators are labeled as 'malicious', the incident will be tagged as such and its severity will be marked as 'high'. Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. 
For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Automated-Triage/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Automated-Triage/readme.md index 9d17217a71a..463a6005923 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Automated-Triage/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Automated-Triage/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with RiskIQ reputation data. If any indicators are labeled as "suspicious", the incident will be tagged as such and its severity will be marked as "medium". If any indicators are labeled as "malicious", the incident will be tagged as such and its severity will be marked as "high". Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment 
diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json index 50c67199674..86a0b4c3d64 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json @@ -4,7 +4,7 @@ "metadata": { "comments": "Establish the needed base resources to leverage with all RiskIQ playbooks.", "title": "RiskIQ-Base", - "description": "This playbook creates a shared API Connection for all RiskIQ playbooks to leverage. This eases the configuration process for a user during deployment of the RiskIQ solution. In time, this base playbook may be extended to set more functionality. You will need your API credentials (email/secret) when configuring this playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com).", + "description": "This playbook creates a shared API Connection for all RiskIQ playbooks to leverage. This eases the configuration process for a user during deployment of the RiskIQ solution. In time, this base playbook may be extended to set more functionality. You will need your API credentials (email/secret) when configuring this playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com).", "prerequisites": ["None"], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Base/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Base/readme.md index 00a265648d4..40c3e59479c 100644 
--- a/Solutions/RiskIQ/Playbooks/RiskIQ-Base/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Base/readme.md @@ -1,7 +1,7 @@ # RiskIQ-Base ## Overview -This playbook creates a shared API Connection for all RiskIQ playbooks to leverage. This eases the configuration process for a user during deployment of the RiskIQ solution. In time, this base playbook may be extended to set more functionality. You will need your API credentials (email/secret) when configuring this playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook creates a shared API Connection for all RiskIQ playbooks to leverage. This eases the configuration process for a user during deployment of the RiskIQ solution. In time, this base playbook may be extended to set more functionality. You will need your API credentials (email/secret) when configuring this playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Domain/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Domain/azuredeploy.json index c852501d62b..c163268eb9e 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Domain/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Domain/azuredeploy.json 
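Review bot: RiskIQ-Base is the one playbook where the email/secret are actually entered (every other playbook in this patch states that it inherits the API connection from it), so removing the settings link matters most in the two RiskIQ-Base hunks above: after this change the description and readme tell the user the credentials are on "your account settings page" but never say of which portal. Add the current location, or point to the connector documentation, in both files. `"prerequisites": ["None"]` in the azuredeploy.json context lines is also at odds with a description that requires API credentials; consider listing the credential requirement there.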
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Internet data.", "title": "RiskIQ-Data-PassiveDns-Domain", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Domain/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Domain/readme.md index 78c87bb9d61..785e13feed3 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Domain/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Domain/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment 
diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Ip/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Ip/azuredeploy.json index fc8d099b743..022052e815a 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Ip/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Ip/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Internet data.", "title": "RiskIQ-Data-PassiveDns-Ip", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": ["Ip"], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Ip/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Ip/readme.md index b49694247ca..2a9b5a20638 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Ip/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns-Ip/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns/azuredeploy.json index 5064c7a947d..39129fa4b18 100644 
--- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Internet data.", "title": "RiskIQ-Data-PassiveDns", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns/readme.md index 815528c00ff..f5a1d5ec9fa 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-PassiveDns/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment 
diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Domain/alert-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Domain/alert-trigger/azuredeploy.json index 67a033bed04..4c90489f9c1 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Domain/alert-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Domain/alert-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Internet data.", "title": "RiskIQ-Data-Summary-Domain-alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Domain/incident-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Domain/incident-trigger/azuredeploy.json index 9dd4a18ac6a..b48b6ade5ea 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Domain/incident-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Domain/incident-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Internet data.", "title": "RiskIQ-Data-Summary-Domain-incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Domain/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Domain/readme.md index 9611e12f41d..7826832529c 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Domain/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Domain/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Ip/alert-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Ip/alert-trigger/azuredeploy.json index b5126374a31..229542c48f3 100644 
--- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Ip/alert-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Ip/alert-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Internet data.", "title": "RiskIQ-Data-Summary-Ip-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": ["Ip"], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Ip/incident-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Ip/incident-trigger/azuredeploy.json index 97976a78255..a93c7758d8f 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Ip/incident-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Ip/incident-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Internet data.", "title": "RiskIQ-Data-Summary-Ip-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": ["Ip"], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Ip/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Ip/readme.md index 5da9bbec7e2..2ecb7459c52 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Ip/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary-Ip/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary/alert-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary/alert-trigger/azuredeploy.json index d3b422cd318..4e3688ab635 100644 
--- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary/alert-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary/alert-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Internet data.", "title": "RiskIQ Data Summary Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary/incident-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary/incident-trigger/azuredeploy.json index a263e1c93f5..da0d845cd94 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary/incident-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary/incident-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Internet data.", "title": "RiskIQ Data Summary Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary/readme.md index 4f59f1ecd3e..16f29f5fb67 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Summary/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-Domain/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-Domain/azuredeploy.json index 528c0f4bf20..c42f6299a14 100644 
--- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-Domain/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-Domain/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Internet data.", "title": "RiskIQ-Data-Whois-Domain", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind domain registrations and IP address hosting. Analysts can leverage WHOIS, both active and historic, in order to identify analytical leads. This data can sometimes reveal the threat actor behind a given set of infrastructure or provide deeper context as to what else may be related. This playbook will query for WHOIS data from indicators contained within the incident and post the results in the form of a comment.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. 
For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-Domain/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-Domain/readme.md index abf4e5d17f2..55c682f9d39 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-Domain/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-Domain/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind domain registrations and IP address hosting. Analysts can leverage WHOIS, both active and historic, in order to identify analytical leads. This data can sometimes reveal the threat actor behind a given set of infrastructure or provide deeper context as to what else may be related. This playbook will query for WHOIS data from indicators contained within the incident and post the results in the form of a comment. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment 
diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-IP/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-IP/azuredeploy.json index 2d7b246283a..159c1f97534 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-IP/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-IP/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Internet data.", "title": "RiskIQ-Data-Whois-Ip", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind domain registrations and IP address hosting. Analysts can leverage WHOIS, both active and historic, in order to identify analytical leads. This data can sometimes reveal the threat actor behind a given set of infrastructure or provide deeper context as to what else may be related. This playbook will query for WHOIS data from indicators contained within the incident and post the results in the form of a comment.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. 
For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": ["Ip"], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-IP/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-IP/readme.md index 07bbd95fb69..4c8c8aabd84 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-IP/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois-IP/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind domain registrations and IP address hosting. Analysts can leverage WHOIS, both active and historic, in order to identify analytical leads. This data can sometimes reveal the threat actor behind a given set of infrastructure or provide deeper context as to what else may be related. This playbook will query for WHOIS data from indicators contained within the incident and post the results in the form of a comment. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment 
diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois/azuredeploy.json index e49eb821713..f0101140d45 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Internet data.", "title": "RiskIQ-Data-Whois", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind domain registrations and IP address hosting. Analysts can leverage WHOIS, both active and historic, in order to identify analytical leads. This data can sometimes reveal the threat actor behind a given set of infrastructure or provide deeper context as to what else may be related. This playbook will query for WHOIS data from indicators contained within the incident and post the results in the form of a comment.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. 
For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois/readme.md index 94664fcfe9b..7c6dfe5e014 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Data-Whois/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind domain registrations and IP address hosting. Analysts can leverage WHOIS, both active and historic, in order to identify analytical leads. This data can sometimes reveal the threat actor behind a given set of infrastructure or provide deeper context as to what else may be related. This playbook will query for WHOIS data from indicators contained within the incident and post the results in the form of a comment. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment 
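Review bot: In the readme hunks (this one for RiskIQ-Data-Whois and the matching RiskIQ-Data-Summary-Domain, RiskIQ-Data-Summary-Ip, RiskIQ-Data-Summary, RiskIQ-Data-Whois-Domain and RiskIQ-Data-Whois-IP readmes), the `+` line replaces `[account settings](https://community.riskiq.com/settings)` with the bare words `account settings page`, so the reader is no longer told where that page lives. Either say which portal hosts it (the surrounding text only names the RiskIQ PassiveTotal connector) or link to the current location if the old URL was retired. The same sentence is duplicated in the `prerequisites` string of every azuredeploy.json in this PR, so whichever phrasing is chosen should be applied in both places.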
diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Domain/alert-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Domain/alert-trigger/azuredeploy.json index 2b4f13268aa..1197cec4ca0 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Domain/alert-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Domain/alert-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Reputation data.", "title": "RiskIQ-Intel-Reputation-Domain-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Domain/incident-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Domain/incident-trigger/azuredeploy.json index 0c96f0fdb19..3f9abed0dcb 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Domain/incident-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Domain/incident-trigger/azuredeploy.json 
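Review bot: the `prerequisites` string is rewritten in this hunk but `"lastUpdateTime": "2022-08-05T00:00:00.000Z"` in the trailing context is left untouched, so the template metadata will not reflect the edit; bump it in the same commit. Also, the rewritten `+ "prerequisites": [...]` line appears here wrapped onto a second line before `If you have trouble accessing your account`; confirm in the raw file that the JSON string is still a single line (or uses an escaped `\n`), since a literal line break inside a JSON string would make the template fail to parse. Both points apply equally to every other `azuredeploy.json` hunk in this patch, which carry the identical change.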
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Reputation data.", "title": "RiskIQ-Intel-Reputation-Domain-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Domain/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Domain/readme.md index 1f8055577c9..baa2f499d68 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Domain/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Domain/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment 
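Review bot: while this readme is being touched, the context line `Reputation information provides analyst with a decision` should read `provides analysts with`; the same wording is repeated in the `description` strings of the matching `azuredeploy.json` files and in the Intel-Summary readmes (`RiskIQ intelligence provides analyst with deeper context`), so a one-word fix across the set in this commit keeps the readmes and the templates consistent.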
diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Ip/alert-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Ip/alert-trigger/azuredeploy.json index 1f5e8883ab7..bc1b210b399 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Ip/alert-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Ip/alert-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Reputation data.", "title": "RiskIQ-Intel-Reputation-Ip-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": ["Ip"], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Ip/incident-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Ip/incident-trigger/azuredeploy.json index d83848f25ba..c3b07da9a1d 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Ip/incident-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Ip/incident-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Reputation data.", "title": "RiskIQ-Intel-Reputation-Ip-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": ["Ip"], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Ip/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Ip/readme.md index d4fc20c6cfe..5bcc0d7e145 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Ip/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation-Ip/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment 
diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation/alert-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation/alert-trigger/azuredeploy.json index 20238cf6747..58899ff5bf3 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation/alert-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation/alert-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Reputation data.", "title": "RiskIQ-Intel-Reputation-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation/incident-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation/incident-trigger/azuredeploy.json index 96caca6f2f4..037af1734a5 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation/incident-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation/incident-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Reputation data.", "title": "RiskIQ-Intel-Reputation-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation/readme.md index d763904bc1e..079cd0cf308 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Reputation/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the RiskIQ platform for more information. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment 
diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Domain/alert-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Domain/alert-trigger/azuredeploy.json index d8a3731f2d2..10b7f451e80 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Domain/alert-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Domain/alert-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Intelligence data.", "title": "RiskIQ-Intel-Summary-Domain-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Domain/incident-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Domain/incident-trigger/azuredeploy.json index 13d51c212cc..c1c92c4bd70 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Domain/incident-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Domain/incident-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Intelligence data.", "title": "RiskIQ-Intel-Summary-Domain-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Domain/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Domain/readme.md index 536bbb957a6..92f572b60ca 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Domain/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Domain/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment 
diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/alert-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/alert-trigger/azuredeploy.json index 5c3fa4aa751..94c4aa8e3b6 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/alert-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/alert-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Intelligence data.", "title": "RiskIQ-Intel-Summary-Ip-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": ["Ip"], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/incident-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/incident-trigger/azuredeploy.json index 9d2c35c8fb8..6b7588bcaec 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/incident-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/incident-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Intelligence data.", "title": "RiskIQ-Intel-Summary-Ip-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": ["Ip"], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/readme.md index 0c1c7568da3..900fffede8d 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment 
diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/alert-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/alert-trigger/azuredeploy.json index 77662d873e4..9899cddbee7 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/alert-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/alert-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Intelligence data.", "title": "RiskIQ-Intel-Summary-Alert", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/incident-trigger/azuredeploy.json b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/incident-trigger/azuredeploy.json index ae963cc1ab9..0d5222c5556 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/incident-trigger/azuredeploy.json +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/incident-trigger/azuredeploy.json 
@@ -5,7 +5,7 @@ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on RiskIQ Intelligence data.", "title": "RiskIQ-Intel-Summary-Incident", "description": "This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ.", - "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], + "prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. 
If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com)."], "lastUpdateTime": "2022-08-05T00:00:00.000Z", "entities": [], "tags": [], diff --git a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/readme.md b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/readme.md index 806163bca6e..eec2e38a5c3 100644 --- a/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/readme.md +++ b/Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ. ## Prerequisites -This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [RiskIQ-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/RiskIQ/Playbooks/RiskIQ-Base/azuredeploy.json) prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). ## Deployment diff --git a/Solutions/RiskIQ/Playbooks/readme.md b/Solutions/RiskIQ/Playbooks/readme.md index 3b6ae24fbed..1b4383ebae5 100644 
--- a/Solutions/RiskIQ/Playbooks/readme.md +++ b/Solutions/RiskIQ/Playbooks/readme.md @@ -19,7 +19,7 @@ RiskIQ's security SaaS platform taps into our global Internet Intelligence graph ## Authentication -You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html). Credentials can be found on your [account settings](https://community.riskiq.com/settings) page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). +You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html). Credentials can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). diff --git a/Solutions/RiskIQ/ReleaseNotes.md b/Solutions/RiskIQ/ReleaseNotes.md new file mode 100644 index 00000000000..46deaff3566 --- /dev/null +++ b/Solutions/RiskIQ/ReleaseNotes.md @@ -0,0 +1,3 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------| +| 3.0.0 | 13-01-2026 | Updating Playbooks to remove non-functional hyperlinks. | \ No newline at end of file diff --git a/Workbooks/ExchangeCompromiseHunting.json b/Workbooks/ExchangeCompromiseHunting.json index 7ad0ff7f0c2..68751dda1b3 100644 
--- a/Workbooks/ExchangeCompromiseHunting.json +++ b/Workbooks/ExchangeCompromiseHunting.json @@ -4,7 +4,7 @@ { "type": 1, "content": { - "json": "## Exchange server compromise hunting\n----------------------------------------------------------------------------------------------------------------------------\n\nThis workbook is intended to help defenders in responding to the Excahnge Server vulnerabilities disclosed in March 2021, as well as hunting for potential compromise activity. More details on these vulnearbilities can be found at: https://aka.ms/exchangevulns\n" + "json": "## Exchange server compromise hunting\n----------------------------------------------------------------------------------------------------------------------------\n\nThis workbook is intended to help defenders in responding to the Excahnge Server vulnerabilities disclosed in March 2021, as well as hunting for potential compromise activity. More details on these vulnearbilities can be found at: https://www.microsoft.com/en-us/msrc/blog/2021/03/multiple-security-updates-released-for-exchange-server\n" }, "name": "text - 2" },
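Review bot: in the Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/alert-trigger/azuredeploy.json hunk, "lastUpdateTime": "2022-08-05T00:00:00.000Z" is left in the trailing context even though the prerequisites string in the same object changes; the ReleaseNotes in this PR date the change 13-01-2026, so bump lastUpdateTime to match or the template metadata will misreport when it last changed.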
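Review bot: in the Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/incident-trigger/azuredeploy.json hunk, the unchanged "description" context line reads "RiskIQ intelligence provides analyst with deeper context"; since this file is being edited anyway, correct it to "provides analysts with" so the Sentinel gallery text is grammatical. The same "lastUpdateTime" staleness as in the alert-trigger template applies here.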
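Review bot: in the Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary-Ip/readme.md hunk, dropping the hyperlink leaves "Those can be found on your account settings page." with no indication of which portal that page belongs to, so a reader following the prerequisites has nothing to navigate to. Either name the portal where the email/secret pair is issued, or if that portal no longer exists, remove the sentence and keep only the "contact your account representative" instruction.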
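Review bot: in the Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/alert-trigger/azuredeploy.json hunk, the new prerequisites text still ends with "contact your account representative (support[@]riskiq.com)". Given that this PR's stated purpose (per the ReleaseNotes entry) is removing non-functional RiskIQ links, confirm that this mailbox is still valid before shipping; if it is not, the prerequisites should point to whatever support channel currently applies rather than an address in the same retired domain.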
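Review bot: in the Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/incident-trigger/azuredeploy.json hunk, this is the fourth copy of an identical "prerequisites" string that had to be edited by hand in this PR (two Ip templates, two Summary templates, plus both readmes). Consider keeping the prerequisites wording in one place (for example the playbook readme) and referencing it from the templates, so the next link or wording change does not have to be applied six times and cannot drift between copies.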
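Review bot: in the Solutions/RiskIQ/Playbooks/RiskIQ-Intel-Summary/readme.md hunk, the edited Prerequisites paragraph is word-for-word the same as the RiskIQ-Intel-Summary-Ip readme, and it has the same gap: "Those can be found on your account settings page" no longer says where that page is. Apply the same fix in both readmes so they stay in sync.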
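Review bot: in the Solutions/RiskIQ/Playbooks/readme.md hunk, the change removes https://community.riskiq.com/settings as non-functional but keeps "[register for free](https://community.riskiq.com/)" on the same line; if the settings page on that host is dead, the registration page on the same host almost certainly is too, so either both links should go or the removal is incomplete. While touching this line, "You need a valid community or enterprise in order to use the connector" is missing its noun ("account" or "API key").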
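Review bot: in the new Solutions/RiskIQ/ReleaseNotes.md file, the diff shows "\ No newline at end of file"; add the trailing newline so the file matches the other ReleaseNotes files and does not produce noisy diffs later. Also, 3.0.0 as the first recorded version for a change described as "Updating Playbooks to remove non-functional hyperlinks" reads as a major bump for a documentation-only edit; if the solution was already at 2.x elsewhere, state the previous version, otherwise a patch-level increment would better describe the change.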
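Review bot: in the Workbooks/ExchangeCompromiseHunting.json hunk, the replaced "json" line keeps two typos in the user-visible workbook text, "Excahnge Server" and "these vulnearbilities"; since the line is already being rewritten to swap the aka.ms link for the MSRC blog URL, fix them to "Exchange Server" and "these vulnerabilities" in the same change.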