diff --git a/Solutions/NISTSP80053/Package/mainTemplate.json b/Solutions/NISTSP80053/Package/mainTemplate.json
index 8b263fc782e..664b8fdd5f0 100644
--- a/Solutions/NISTSP80053/Package/mainTemplate.json
+++ b/Solutions/NISTSP80053/Package/mainTemplate.json
@@ -921,7 +921,7 @@
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Getting Started\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\",\"value\":\"No\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 
1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true},\"value\":{\"durationMs\":604800000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\" Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/nEbCCA5rcn)\"},\"name\":\"Survey\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Getting Started\\r\\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with NIST SP 800-53 control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and controls. This offering telemetry from 25+ Microsoft Security products, while only Microsoft Sentinel/Microsoft Defender for Cloud are required to get started, each offering provides additional enrichment for aligning with control requirements. 
Each NIST SP 800-53 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads. \\r\\n\\r\\n### [Recommended Microsoft Sentinel Roles](https://docs.microsoft.com/azure/sentinel/roles) / [Recommended Microsoft Defender for Cloud Roles](https://docs.microsoft.com/azure/defender-for-cloud/permissions#roles-and-allowed-actions)\\r\\n| Roles | Rights | \\r\\n|:--|:--|\\r\\n|Security Reader | View Workbooks, Analytics, Hunting, Security Recommendations |\\r\\n|Security Contributor| Deploy/Modify Workbooks, Analytics, Hunting Queries, Apply Security Recommendations |\\r\\n|Automation Contributor| Deploy/Modify Playbooks & Automation Rules |\\r\\n|Owner| Assign Regulatory Compliance Initiatives|\\r\\n\\r\\n### Onboarding Prerequisites \\r\\n1️⃣ [Access Microsoft 365 Compliance Manager: Assessments](https://compliance.microsoft.com/compliancemanager?viewid=Assessments)
\\r\\n2️⃣ [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\\r\\n3️⃣ [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n4️⃣ [Add the Microsoft Defender for Cloud: NIST SP 800-53 R4 & R5 Assessments to Your Dashboard](https://docs.microsoft.com/azure/security-center/update-regulatory-compliance-packages#add-a-regulatory-standard-to-your-dashboard)
\\r\\n5️⃣ [Continuously Export Security Center Data to Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/continuous-export)
\\r\\n6️⃣ [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\\r\\n7️⃣ [Configure Auto Provisioning of Microsoft Defender for Cloud Agents](https://docs.microsoft.com/azure/defender-for-cloud/enable-data-collection)
\\r\\n8️⃣ [Review Microsoft Service Trust Portal Documentation/Audit/Resources](https://servicetrust.microsoft.com/)
\\r\\n\\r\\n### Print/Export Report\\r\\n1️⃣ Set Background Theme: Settings > Appearance > Theme: Azure > Apply
\\r\\n2️⃣ Print/Export Report: More Content Actions (...) > Print Content
\\r\\n3️⃣ Settings: Layout (Landscape), Pages (All), Print (One Sided), Scale (60), Pages Per Sheet (1), Quality (1,200 DPI), Margins (None) > Print
\\r\\n4️⃣ Executive Summary: Microsoft Defender for Cloud > Regulatory Compliance > Download Report > Report Standard (NIST SP 800 53 R4), Format (PDF)\\r\\n\\r\\n### Important\\r\\nEach control below is associated with one or more 💡[Azure Policy](https://docs.microsoft.com/azure/governance/policy/overview) definitions. These policies may help you 💡[Assess Compliance](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data) with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the 💡[GitHub Commit History](https://github.com/Azure/azure-policy/commits/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/NIST80053_audit.json). For more information, see 💡[Details of the NIST SP 800-53 Regulatory Compliance built-in initiative](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4)\\r\\n\\r\\nCustomer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements. This workbook does not address all controls within the framework. 
It should be considered a supplemental tool to gain visibility of technical controls within cloud, multi-cloud, and hybrid networks. For the full listing of respective controls, see the💡[Microsoft Cloud Service Trust Portal](https://servicetrust.microsoft.com/)\\r\\n\",\"style\":\"info\"},\"name\":\"Help\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 30\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [NIST SP 800-53 Solution](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4)\\n---\\n\\nThis Solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This Solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. The Microsoft Sentinel: NIST SP 800-53 Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. 
All requirements, validations, and controls are governed by the 💡[National Institute of Standards and Technology (NIST)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)\\n\"},\"name\":\"Workbook Overview\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-nist-sp-800-53-solution/ba-p/3381485\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/ju9hxtYnj7s\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NISTSP80053\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"79\",\"name\":\"group - 22\"},{\"type\":1,\"content\":{\"json\":\" \"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Executive Summary\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Assessment\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Controls Crosswalk\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Azure Lighthouse for Multi-Tenant\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AL\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Access Control [AC]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Audit & Accountability [AU]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Security Assessment & 
Authorization [CA]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Configuration Management [CM]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Contingency Planning [CP]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CP\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"Control Family \",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7b682fc9-cb6b-4475-a24c-41dcb43d0cef\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAssessmentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Assessment\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"295d01be-8a71-4186-8584-a3091ea8ca61\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isALVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\
",\"rightValType\":\"static\",\"rightVal\":\"AL\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"844962c7-7d4e-4761-badd-869852e4a3a1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"07022701-185b-43a6-815f-a61176ddd405\"},{\"id\":\"c01e6494-1f74-4194-88b3-c98bbabdf84f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"e85f9ad6-e6ae-4525-817c-50ddfa04ed68\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCMVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteri
aContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"02596750-83d0-48ad-b9e0-2897e262ab29\"},{\"id\":\"a932ee8a-1039-4482-9fc8-ed79fe6f2ebb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCPVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CP\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\t\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Identification & Authentication [IA]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Incident Response [IR]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IR\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Media Protection [MP]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MP\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Risk Assessment [RA]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"System & Communications Protection [SC]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"System & Information Integrity [SI]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI\\\\\\\" 
},\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Data Connectors\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Content\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"GC\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"Control Family - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"63b30cf4-73c6-413b-9728-18a2684ae7cd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIRVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IR\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9a923dbe-b3ea-48ef-b8fa-ab28651209e7\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MP\",\"resultValType\":\"static\",\"resul
tVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9da202ed-b5c8-4e37-ab27-ac112511cd9f\"},{\"id\":\"0af0cea9-8f28-4850-b48e-93a195efa02b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"c16d4f92-ce1a-4ff0-9576-23b39836e95d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9637281c-861a-4ba6-90cd-6650f187f00c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"stati
c\",\"rightVal\":\"DC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"35ede265-e571-41b9-bdc6-49af189a9a2c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isGCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"GC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"87b43444-cd60-469b-8433-c62927ed9b1e\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Executive Summary](https://docs.microsoft.com/azure/defender-for-cloud/regulatory-compliance-dashboard)\\r\\n---\\r\\n\\r\\nThis section leverages Microsoft Defender for Cloud: Regulatory Compliance for policy assessments. Find, fix, and resolve recommendations aligned to the NIST SP 800-53 Regulatory Compliance Initiative. A selector provides capability to filter by all, specific, or groups of controls by level. 
Upon selection, subordinate panels will summarize recommendations by control family, status over time, recommendations, and resources identified.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"99a47f97-1aa4-4840-91ee-119aad6d6217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ComplianceDomain\",\"label\":\"Control Family\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityRegulatoryCompliance\\r\\n| where ComplianceStandard == \\\"NIST-SP-800-53-R4\\\"\\r\\n| extend ComplianceDomain=iff(ComplianceControl contains \\\"AC.\\\", \\\"Access Control\\\", iff(ComplianceControl contains \\\"AT.\\\", \\\"Security Awareness & Training\\\", iff(ComplianceControl contains \\\"AU.\\\", \\\"Audit & Accountability\\\", iff(ComplianceControl contains \\\"CA.\\\", \\\"Security Assessment\\\", iff(ComplianceControl contains \\\"CM.\\\", \\\"Configuration Management\\\", iff(ComplianceControl contains \\\"CP.\\\", \\\"Contingency Planning\\\", iff(ComplianceControl contains \\\"IA.\\\", \\\"Identification & Authentication\\\", iff(ComplianceControl contains \\\"IR.\\\", \\\"Incident Response\\\", iff(ComplianceControl contains \\\"MA.\\\", \\\"System Maintenance\\\", iff(ComplianceControl contains \\\"MP.\\\", \\\"Media Protection\\\", iff(ComplianceControl contains \\\"PE.\\\", \\\"Physical Protection\\\", iff(ComplianceControl contains \\\"PL.\\\", \\\"Security Planning\\\", iff(ComplianceControl contains \\\"PS.\\\", \\\"Personnel Security\\\",iff(ComplianceControl contains \\\"RA.\\\", \\\"Risk Assessment\\\",iff(ComplianceControl contains \\\"SA.\\\", \\\"System & Services Acquisition\\\",iff(ComplianceControl contains \\\"SC.\\\", \\\"System & Communications Protection\\\",iff(ComplianceControl 
contains \\\"SI.\\\", \\\"System & Information Integrity\\\",\\\"Other\\\")))))))))))))))))\\r\\n| summarize count() by ComplianceDomain\\r\\n| sort by count_ desc\\r\\n| project-away count_\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"parameters - 26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], 
iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName\\r\\n | extend ComplianceDomain=iff(controlId contains \\\"AC.\\\", \\\"Access Control\\\", iff(controlId contains \\\"AT.\\\", \\\"Security Awareness & Training\\\", iff(controlId contains \\\"AU.\\\", \\\"Audit & Accountability\\\", iff(controlId contains \\\"CA.\\\", \\\"Security Assessment\\\", iff(controlId contains \\\"CM.\\\", \\\"Configuration Management\\\", iff(controlId contains \\\"CP.\\\", \\\"Contingency Planning\\\", iff(controlId contains \\\"IA.\\\", \\\"Identification & Authentication\\\", iff(controlId contains \\\"IR.\\\", \\\"Incident Response\\\", iff(controlId contains \\\"MA.\\\", \\\"System Maintenance\\\", iff(controlId contains \\\"MP.\\\", \\\"Media Protection\\\", iff(controlId contains \\\"PE.\\\", \\\"Physical Protection\\\", iff(controlId contains \\\"PL.\\\", \\\"Security Planning\\\", iff(controlId contains \\\"PS.\\\", \\\"Personnel Security\\\",iff(controlId contains \\\"RA.\\\", \\\"Risk Assessment\\\",iff(controlId contains \\\"SA.\\\", \\\"System & Services Acquisition\\\",iff(controlId contains \\\"SC.\\\", \\\"System & Communications Protection\\\",iff(controlId contains \\\"SI.\\\", \\\"System & Information Integrity\\\",\\\"Other\\\")))))))))))))))))\\r\\n| where ComplianceDomain in ({ComplianceDomain}) \\r\\n | distinct RecommendationName, ComplianceDomain, tostring(RecommendationLink), tostring(state), tostring(complianceState)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by ComplianceDomain\\r\\n | extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n | project 
ControlFamily=ComplianceDomain, Total, PassedControls, Passed, Failed, Applicable, NotApplicable\\r\\n | sort by Total, Passed desc\\r\\n \",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Control Family\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 3-5\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Remediate >>\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == 
\\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = 
extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by RecommendationName, ControlID = controlId\\r\\n | extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink, name) on RecommendationName\\r\\n | extend ComplianceDomain=iff(ControlID contains \\\"AC.\\\", \\\"Access Control\\\", iff(ControlID contains \\\"AT.\\\", \\\"Security Awareness & 
Training\\\", iff(ControlID contains \\\"AU.\\\", \\\"Audit & Accountability\\\", iff(ControlID contains \\\"CA.\\\", \\\"Security Assessment\\\", iff(ControlID contains \\\"CM.\\\", \\\"Configuration Management\\\", iff(ControlID contains \\\"CP.\\\", \\\"Contingency Planning\\\", iff(ControlID contains \\\"IA.\\\", \\\"Identification & Authentication\\\", iff(ControlID contains \\\"IR.\\\", \\\"Incident Response\\\", iff(ControlID contains \\\"MA.\\\", \\\"System Maintenance\\\", iff(ControlID contains \\\"MP.\\\", \\\"Media Protection\\\", iff(ControlID contains \\\"PE.\\\", \\\"Physical Protection\\\", iff(ControlID contains \\\"PL.\\\", \\\"Security Planning\\\", iff(ControlID contains \\\"PS.\\\", \\\"Personnel Security\\\",iff(ControlID contains \\\"RA.\\\", \\\"Risk Assessment\\\",iff(ControlID contains \\\"SA.\\\", \\\"System & Services Acquisition\\\",iff(ControlID contains \\\"SC.\\\", \\\"System & Communications Protection\\\",iff(ControlID contains \\\"SI.\\\", \\\"System & Information Integrity\\\",\\\"Other\\\")))))))))))))))))\\r\\n| where ComplianceDomain in ({ComplianceDomain}) \\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, NotApplicable, Applicable, name\\r\\n | sort by Total, Passed desc\\r\\n | limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations \",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 3-5\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"name\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | 
join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, 
id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend ComplianceDomain=iff(controlId contains \\\"AC.\\\", \\\"Access Control\\\", iff(controlId contains \\\"AT.\\\", \\\"Security Awareness & Training\\\", iff(controlId contains \\\"AU.\\\", \\\"Audit & Accountability\\\", iff(controlId contains \\\"CA.\\\", \\\"Security Assessment\\\", iff(controlId contains \\\"CM.\\\", \\\"Configuration Management\\\", iff(controlId contains \\\"CP.\\\", \\\"Contingency Planning\\\", iff(controlId contains \\\"IA.\\\", \\\"Identification & Authentication\\\", iff(controlId contains \\\"IR.\\\", \\\"Incident Response\\\", iff(controlId contains \\\"MA.\\\", \\\"System Maintenance\\\", iff(controlId contains \\\"MP.\\\", \\\"Media Protection\\\", iff(controlId contains \\\"PE.\\\", \\\"Physical Protection\\\", iff(controlId contains \\\"PL.\\\", \\\"Security Planning\\\", iff(controlId contains \\\"PS.\\\", \\\"Personnel Security\\\",iff(controlId contains \\\"RA.\\\", \\\"Risk Assessment\\\",iff(controlId contains \\\"SA.\\\", \\\"System & Services Acquisition\\\",iff(controlId contains \\\"SC.\\\", \\\"System & Communications Protection\\\",iff(controlId contains \\\"SI.\\\", \\\"System & Information Integrity\\\",\\\"Other\\\")))))))))))))))))\\r\\n| where ComplianceDomain in ({ComplianceDomain}) \\r\\n| distinct RecommendationName, resourceId, tostring(state), tostring(complianceState)\\r\\n| summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = 
countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by resourceId\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| where Failed > 0\\r\\n| project AssessedResourceId=resourceId, Total, PassedControls, Passed, Failed, Applicable, NotApplicable\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Asset\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 3-5\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AssessedResourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"resourceId\",\"formatter\":13,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Remediate 
>>\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRegulatoryCompliance\\r\\n| where ComplianceStandard == \\\"NIST-SP-800-53-R4\\\"\\r\\n| extend ComplianceDomain=iff(ComplianceControl contains \\\"AC.\\\", \\\"Access Control\\\", iff(ComplianceControl contains \\\"AT.\\\", \\\"Security Awareness & Training\\\", iff(ComplianceControl contains \\\"AU.\\\", \\\"Audit & Accountability\\\", iff(ComplianceControl contains \\\"CA.\\\", \\\"Security Assessment\\\", iff(ComplianceControl contains \\\"CM.\\\", \\\"Configuration Management\\\", iff(ComplianceControl contains \\\"CP.\\\", \\\"Contingency Planning\\\", iff(ComplianceControl contains \\\"IA.\\\", \\\"Identification & Authentication\\\", iff(ComplianceControl contains \\\"IR.\\\", \\\"Incident Response\\\", iff(ComplianceControl contains \\\"MA.\\\", \\\"System Maintenance\\\", iff(ComplianceControl contains \\\"MP.\\\", \\\"Media Protection\\\", iff(ComplianceControl contains \\\"PE.\\\", \\\"Physical Protection\\\", iff(ComplianceControl contains \\\"PL.\\\", \\\"Security Planning\\\", iff(ComplianceControl contains \\\"PS.\\\", \\\"Personnel Security\\\",iff(ComplianceControl contains \\\"RA.\\\", \\\"Risk Assessment\\\",iff(ComplianceControl contains \\\"SA.\\\", \\\"System & Services Acquisition\\\",iff(ComplianceControl contains \\\"SC.\\\", \\\"System & Communications Protection\\\",iff(ComplianceControl contains \\\"SI.\\\", \\\"System & Information Integrity\\\",\\\"Other\\\")))))))))))))))))\\r\\n| where ComplianceDomain in ({ComplianceDomain})\\r\\n| where State == \\\"Failed\\\"\\r\\n| make-series count() default=0 on TimeGenerated from startofday({TimeRange:start}) to startofday({TimeRange:end}) step 1d by ComplianceDomain\\r\\n| render timechart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations over Time\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 3-5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AssessedResourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = 
properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationDisplayName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend azurePortalRecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project 
controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | where state == \\\"Unhealthy\\\"\\r\\n | extend Recommendation = strcat(\\\"https://\\\",azurePortalRecommendationLink), ResourceID = resourceId, ResourceType = resourceType, ResourceGroup = resourceGroup1, Severity = severity, State = state, ControlID = controlId\\r\\n | extend ComplianceDomain=iff(ControlID contains \\\"AC.\\\", \\\"Access Control\\\", iff(ControlID contains \\\"AT.\\\", \\\"Security Awareness & Training\\\", iff(ControlID contains \\\"AU.\\\", \\\"Audit & Accountability\\\", iff(ControlID contains \\\"CA.\\\", \\\"Security Assessment\\\", iff(ControlID contains \\\"CM.\\\", \\\"Configuration Management\\\", iff(ControlID contains \\\"CP.\\\", \\\"Contingency Planning\\\", iff(ControlID contains \\\"IA.\\\", \\\"Identification & Authentication\\\", iff(ControlID contains \\\"IR.\\\", \\\"Incident Response\\\", iff(ControlID contains \\\"MA.\\\", \\\"System Maintenance\\\", iff(ControlID contains \\\"MP.\\\", \\\"Media Protection\\\", iff(ControlID contains \\\"PE.\\\", \\\"Physical Protection\\\", iff(ControlID contains \\\"PL.\\\", \\\"Security Planning\\\", iff(ControlID contains \\\"PS.\\\", \\\"Personnel Security\\\",iff(ControlID contains \\\"RA.\\\", \\\"Risk Assessment\\\",iff(ControlID contains \\\"SA.\\\", \\\"System & Services Acquisition\\\",iff(ControlID contains \\\"SC.\\\", \\\"System & Communications Protection\\\",iff(ControlID contains \\\"SI.\\\", \\\"System & Information Integrity\\\",\\\"Other\\\")))))))))))))))))\\r\\n | extend FirstObserved = properties1.status.statusChangeDate\\r\\n | where ComplianceDomain in ({ComplianceDomain})\\r\\n | project ResourceID, RecommendationName=RecommendationDisplayName, ControlFamily=ComplianceDomain, ControlID, Severity=tostring(Severity), CurrentState=State, RecommendationLink=Recommendation, name, FirstObserved\\r\\n| extend Rank=iff(Severity == \\\"High\\\", 3, iff(Severity == 
\\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, 0)))\\r\\n| sort by Rank desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Current Recommendation Details\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 3-5\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceID\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlID\",\"formatter\":1},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"Recommendation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"name\"}]}}},{\"columnMatch\":\"name\",\"formatter\":5},{\"columnMatch\":\"FirstObserved\",\"formatter\":6},{\"columnMatch\":\"Rank\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 8\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAssessmentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Assessment\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Controls Crosswalk](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-nist-sp-800-53-solution/ba-p/3381485)\\r\\n---\\r\\nControls crosswalk provides a mapping of NIST SP 800-53 controls across respective offerings. 
This provides free-text search capabilities mapping NIST SP 800-53 controls to Microsoft offerings.\"},\"customWidth\":\"40\",\"name\":\"Controls Mapping\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Crosswalk = datatable([\\\"Control Name\\\"]: string, [\\\"Control ID\\\"]: string, [\\\"Control Family\\\"]: string, [\\\"Microsoft Offerings\\\"]: string) [\\r\\n\\\"Account Management\\\", \\\"AC-2\\\", \\\"Access Control\\\", \\\"Azure Active Directory | Microsoft Defender for Cloud | Microsoft Sentinel\\\",\\r\\n\\\"Access Enforcement\\\", \\\"AC-3\\\", \\\"Access Control\\\", \\\"Microsoft Defender for Cloud\\\",\\r\\n\\\"Information Flow Enforcement\\\", \\\"AC-4\\\", \\\"Access Control\\\", \\\"Microsoft Defender for Cloud | Azure WAF | Front Door | Microsoft Information Protection | Microsoft Endpoint Manager \\\",\\r\\n\\\"Separation of Duties\\\", \\\"AC-5\\\", \\\"Access Control\\\", \\\"Azure Active Directory | Microsoft Sentinel | Privileged Identity Management\\\",\\r\\n\\\"Least Privilege\\\", \\\"AC-6\\\", \\\"Access Control\\\", \\\"Azure Active Directory | Privileged Identity Management\\\",\\r\\n\\\"Unsuccessful Logon Attempts\\\", \\\"AC-7\\\", \\\"Access Control\\\", \\\"Azure Active Directory | Privileged Identity Management | M365 Compliance Manager | Microsoft Endpoint Manager\\\",\\r\\n\\\"System Use Notification\\\", \\\"AC-8\\\", \\\"Access Control\\\", \\\"Azure Active Directory | Microsoft Defender for Cloud | Microsoft Endpoint Manager\\\",\\r\\n\\\"Session Lock\\\", \\\"AC-11\\\", \\\"Access Control\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager\\\",\\r\\n\\\"Session Termination\\\", \\\"AC-12\\\", \\\"Access Control\\\", \\\"Azure Active Directory\\\",\\r\\n\\\"Security Attributes\\\", \\\"AC-16\\\", \\\"Access Control\\\", \\\"Azure Active Directory | Azure Information Protection\\\",\\r\\n\\\"Remote Access\\\", \\\"AC-17\\\", \\\"Access Control\\\", \\\"Microsoft Defender for Cloud | Azure 
Active Directory | Front Door | Azure Bastion | ExpressRoute | Azure WAF | Microsoft Endpoint Manager\\\",\\r\\n\\\"Wireless Access\\\", \\\"AC-18\\\", \\\"Access Control\\\", \\\"Microsoft Endpoint Manager | Azure Active Directory | Microsoft Defender for Cloud\\\",\\r\\n\\\"Access Control for Mobile Devices\\\", \\\"AC-19\\\", \\\"Access Control\\\", \\\"Azure Active Directory | Microsoft Endpoint Manager\\\",\\r\\n\\\"Use of External Information Systems\\\", \\\"AC-20\\\", \\\"Access Control\\\", \\\"Microsoft Defender for Cloud | Azure Active Directory | Microsoft Defender for Cloud Apps\\\",\\r\\n\\\"Audit Events\\\", \\\"AU-2\\\", \\\"Audit & Accountability\\\", \\\"Azure Monitor | Microsoft 365 Defender\\\",\\r\\n\\\"Content of Audit Records\\\", \\\"AU-3\\\", \\\"Audit & Accountability\\\", \\\"Azure Monitor | Azure Active Directory\\\",\\r\\n\\\"Response to Audit Processing Failures\\\", \\\"AU-5\\\", \\\"Audit & Accountability\\\", \\\"Azure Monitor | Microsoft Sentinel\\\",\\r\\n\\\"Audit Review, Analysis, & Reporting\\\", \\\"AU-6\\\", \\\"Audit & Accountability\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Microsoft 365 Compliance Manager | Azure Active Directory | Azure Monitor\\\",\\r\\n\\\"Audit Reduction & Report Generation\\\", \\\"AU-7\\\", \\\"Audit & Accountability\\\", \\\"Microsoft Sentinel\\\",\\r\\n\\\"Time Stamps\\\", \\\"AU-8\\\", \\\"Audit & Accountability\\\", \\\"Microsoft Defender for Cloud\\\",\\r\\n\\\"Protection of Audit Information\\\", \\\"AU-9\\\", \\\"Audit & Accountability\\\", \\\"Microsoft Sentinel | Azure Monitor | Microsoft Defender for Cloud | Azure Active Directory | Key Vault | Microsoft 365 Compliance Manager\\\",\\r\\n\\\"Audit Record Retention\\\", \\\"AU-11\\\", \\\"Audit & Accountability\\\", \\\"Microsoft Sentinel | Azure Monitor | Azure Data Explorer\\\",\\r\\n\\\"Audit Generation\\\", \\\"AU-12\\\", \\\"Audit & Accountability\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint 
Manager | Microsoft 365 Compliance Manager | Azure Active Directory | Azure Monitor\\\",\\r\\n\\\"Security Assessments\\\", \\\"CA-2\\\", \\\"Security Assessment & Authorization\\\", \\\"Microsoft Defender for Cloud | Microsoft 365 Defender\\\",\\r\\n\\\"System Interconnections\\\", \\\"CA-3\\\", \\\"Security Assessment & Authorization\\\", \\\"Virtual Network | Network Security Groups | Network Watcher | Azure Firewall | ExpressRoute | Traffic Manager | VPN Gateway\\\",\\r\\n\\\"Continuous Monitoring\\\", \\\"CA-4\\\", \\\"Security Assessment & Authorization\\\", \\\"Microsoft Defender for Cloud | Microsoft Sentinel\\\",\\r\\n\\\"Baseline Configuration\\\", \\\"CM-2\\\", \\\"Configuration Management\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager\\\",\\r\\n\\\"Configuration Change Control\\\", \\\"CM-3\\\", \\\"Configuration Management\\\", \\\"Virtual Machines | Automation Accounts\\\",\\r\\n\\\"Security Impact Analysis\\\", \\\"CM-4\\\", \\\"Configuration Management\\\", \\\"Microsoft Defender for Cloud | Azure Active Directory | Microsoft Endpoint Manager\\\",\\r\\n\\\"Access Restrictions for Change\\\", \\\"CM-5\\\", \\\"Configuration Management\\\", \\\"Azure Active Directory | Privileged Identity Management | Microsoft Endpoint Manager\\\",\\r\\n\\\"Configuration Settings\\\", \\\"CM-6\\\", \\\"Configuration Management\\\", \\\"Microsoft Defender for Cloud | Azure Policy | Microsoft Endpoint Manager\\\",\\r\\n\\\"Least Functionality\\\", \\\"CM-7\\\", \\\"Configuration Management\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Azure Active Directory | Managed Identities\\\",\\r\\n\\\"System Component Inventory\\\", \\\"CM-8\\\", \\\"Configuration Management\\\", \\\"Microsoft Defender for Cloud | Microsoft 365 Defender\\\",\\r\\n\\\"Configuration Management Plan\\\", \\\"CM-9\\\", \\\"Configuration Management\\\", \\\"Maintenance Configurations | Auto-manage | Automation Accounts | File Integrity Monitoring | 
Inventory\\\",\\r\\n\\\"Software Usage Restrictions\\\", \\\"CM-10\\\", \\\"Configuration Management\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Azure Active Directory | Automation Accounts\\\",\\r\\n\\\"User-Installed Software\\\", \\\"CM-11\\\", \\\"Configuration Management\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Azure Active Directory | Automation Accounts\\\",\\r\\n\\\"Alternate Storage Site\\\", \\\"CP-6\\\", \\\"Contingency Planning\\\", \\\"Storage Accounts | SQL Databases | Microsoft Defender for Cloud\\\",\\r\\n\\\"Alternate Processing Site\\\", \\\"CP-7\\\", \\\"Contingency Planning\\\", \\\"Microsoft Defender for Cloud | Availability Sets | Virtual Machine Scale Sets\\\",\\r\\n\\\"Information System Backup\\\", \\\"CP-9\\\", \\\"Contingency Planning\\\", \\\"Backup Center | Recovery Services Vaults | Key Vault\\\",\\r\\n\\\"Organizational Users\\\", \\\"IA-2\\\", \\\"Identification & Authentication\\\", \\\"Azure Active Directory | Microsoft Defender for Cloud\\\",\\r\\n\\\"Identifier Management\\\", \\\"IA-4\\\", \\\"Identification & Authentication\\\", \\\"Azure Active Directory | Microsoft Defender for Cloud | Microsoft Defender for Cloud Apps\\\",\\r\\n\\\"Authenticator Management\\\", \\\"IA-5\\\", \\\"Identification & Authentication\\\", \\\"Azure Active Directory | Microsoft Defender for Cloud | Microsoft Endpoint Manager | Key Vault\\\",\\r\\n\\\"Authenticator Feedback\\\", \\\"IA-6\\\", \\\"Identification & Authentication\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager\\\",\\r\\n\\\"Cryptographic Module Authentication\\\", \\\"IA-7\\\", \\\"Identification & Authentication\\\", \\\"Azure Active Directory | Microsoft Defender for Cloud\\\",\\r\\n\\\"Non-Organizational Users\\\", \\\"IA-8\\\", \\\"Identification & Authentication\\\", \\\"Azure Active Directory | Microsoft Defender for Cloud\\\",\\r\\n\\\"Incident Response Testing\\\", \\\"IR-3\\\", \\\"Incident Response\\\", 
\\\"Microsoft Sentinel | Microsoft 365 Defender\\\",\\r\\n\\\"Incident Handling\\\", \\\"IR-4\\\", \\\"Incident Response\\\", \\\"Microsoft Sentinel | Microsoft 365 Defender\\\",\\r\\n\\\"Incident Monitoring\\\", \\\"IR-5\\\", \\\"Incident Response\\\", \\\"Microsoft Sentinel | Microsoft 365 Defender\\\",\\r\\n\\\"Incident Reporting\\\", \\\"IR-6\\\", \\\"Incident Response\\\", \\\"Microsoft Sentinel | Microsoft 365 Defender\\\",\\r\\n\\\"Media Access\\\", \\\"MP-2\\\", \\\"Media Protection\\\", \\\"Azure Information Protection | Microsoft Defender for Cloud Apps | Microsoft 365 Compliance Manager\\\",\\r\\n\\\"Media Marking \\\", \\\"MP-3\\\", \\\"Media Protection\\\", \\\"Azure Information Protection\\\",\\r\\n\\\"Media Transport\\\", \\\"MP-5\\\", \\\"Media Protection\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Key Vault | Customer Lockbox\\\",\\r\\n\\\"Media Sanitization\\\", \\\"MP-6\\\", \\\"Media Protection\\\", \\\"Microsoft Defender for Cloud | Key Vault\\\",\\r\\n\\\"Media Use\\\", \\\"MP-7\\\", \\\"Media Protection\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager\\\",\\r\\n\\\"Security Categorization\\\", \\\"RA-2\\\", \\\"Risk Assessment\\\", \\\"Microsoft Defender for Cloud | Microsoft 365 Defender\\\",\\r\\n\\\"Risk Assessment\\\", \\\"RA-3\\\", \\\"Risk Assessment\\\", \\\"Microsoft Defender for Cloud | Azure Active Directory | Microsoft Sentinel\\\",\\r\\n\\\"Vulnerability Scanning\\\", \\\"RA-5\\\", \\\"Risk Assessment\\\", \\\"Microsoft Defender for Cloud | Microsoft 365 Defender\\\",\\r\\n\\\"Security Function Isolation\\\", \\\"SC-3\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Microsoft 365 Defender\\\",\\r\\n\\\"Denial of Service Protection\\\", \\\"SC-5\\\", \\\"System & Communications Protection\\\", \\\"Azure DDoS\\\",\\r\\n\\\"Resource Availability\\\", \\\"SC-6\\\", \\\"System & Communications Protection\\\", \\\"Load Balancers | 
Traffic Manager | Front Door | Application Gateway | Virtual Machine Scale Sets | SQL Databases\\\",\\r\\n\\\"Boundary Protection\\\", \\\"SC-7\\\", \\\"System & Communications Protection\\\", \\\"Virtual Networks | Network Security Groups | Virtual Network Gateways | ExpressRoute | Azure Firewall | Azure WAF | Application Gateway | Network Watcher\\\",\\r\\n\\\"Transmission Confidentiality & Integrity\\\", \\\"SC-8\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Azure Active Directory | Key Vault | Virtual Network Gateway | ExpressRoute\\\",\\r\\n\\\"Network Disconnect\\\", \\\"SC-10\\\", \\\"System & Communications Protection\\\", \\\"Azure Active Directory | Virtual Network Gateways | Microsoft Defender for Cloud\\\",\\r\\n\\\"Cryptographic Key Management\\\", \\\"SC-12\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Key Vault\\\",\\r\\n\\\"Cryptographic Protection\\\", \\\"SC-13\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Key Vault\\\",\\r\\n\\\"Public Key Infrastructure Certificates\\\", \\\"SC-17\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Key Vault | Azure Active Directory\\\",\\r\\n\\\"Mobile Code\\\", \\\"SC-18\\\", \\\"System & Communications Protection\\\", \\\"Microsoft 365 Defender | Microsoft Endpoint Manager\\\",\\r\\n\\\"Voice Over Internet Protocol\\\", \\\"SC-19\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Teams\\\",\\r\\n\\\"Secure Name Resolution Service\\\", \\\"SC-21\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Azure DNS\\\",\\r\\n\\\"Provisioning Address Resolution Service\\\", \\\"SC-22\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Azure DNS\\\",\\r\\n\\\"Session Authenticity\\\", \\\"SC-23\\\", \\\"System & Communications Protection\\\", 
\\\"Microsoft Defender for Cloud | Azure Active Directory\\\",\\r\\n\\\"Honeypots\\\", \\\"SC-26\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Sentinel | Key Vault\\\",\\r\\n\\\"Protection of Information at Rest\\\", \\\"SC-28\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Key Vault | SQL Databases\\\",\\r\\n\\\"Flaw Remediation\\\", \\\"SI-2\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Defender for Cloud | Microsoft 365 Defender | Microsoft Endpoint Manager\\\",\\r\\n\\\"Malicious Code Protection\\\", \\\"SI-3\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Sentinel | Microsoft Defender for Cloud | Microsoft 365 Defender | Microsoft Endpoint Manager\\\",\\r\\n\\\"Information System Monitoring\\\", \\\"SI-4\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Sentinel | Microsoft Defender for Cloud\\\",\\r\\n\\\"Security Alerts, Advisories, & Directives\\\", \\\"SI-5\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Defender for Cloud | Microsoft Sentinel\\\",\\r\\n\\\"Software, Firmware, & Information Integrity\\\", \\\"SI-7\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Defender for Cloud | Azure Active Directory | Automation Accounts\\\",\\r\\n\\\"Spam Protection\\\", \\\"SI-8\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Defender for Office 365\\\",\\r\\n\\\"Information Handling & Retention\\\", \\\"SI-12\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Sentinel | Azure Monitor\\\",\\r\\n\\\"Memory Protection\\\", \\\"SI-16\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager\\\"\\r\\n];\\r\\nCrosswalk\\r\\n| project [\\\"Control Name\\\"],[\\\"Control ID\\\"],[\\\"Control Family\\\"],[\\\"Microsoft 
Offerings\\\"]\",\"size\":0,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Control Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Control Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Microsoft Offerings\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Controls Mapping\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)\\r\\n---\\r\\nAzure Lighthouse helps service providers simplify customer engagement and onboarding experiences, while managing delegated resources at scale with agility and precision. Authorized users, groups, and service principals can work directly in the context of a customer subscription without having an account in that customer's Microsoft Entra ID tenant or being a co-owner of the customer's tenant. The mechanism used to support this access is called Azure delegated resource management. 
\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"1cf637a7-121d-4722-b511-b0c460625e31\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Access Azure Lighthouse\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"LighthouseBlade\",\"extensionName\":\"Microsoft_Azure_CustomerHub\"}}]},\"customWidth\":\"50\",\"name\":\"links - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"managedservicesresources\\r\\n| where type == \\\"microsoft.managedservices/registrationassignments\\\"\\r\\n| where properties.provisioningState == \\\"Succeeded\\\"\\r\\n| extend ManageeTenantName = properties.registrationDefinition.properties.manageeTenantName\\r\\n| extend ManagedByTenantName = properties.registrationDefinition.properties.managedByTenantName\\r\\n| extend ManagedByTenantId = properties.registrationDefinition.properties.managedByTenantId\\r\\n| extend ManageeTenantId = tostring(properties.registrationDefinition.properties.manageeTenantId)\\r\\n| extend PermanentAccess = properties.registrationDefinition.properties.authorizations\\r\\n| extend JITAccess = properties.registrationDefinition.properties.eligibleAuthorizations\\r\\n| extend AddedDate = properties.registrationDefinition.systemData.createdAt\\r\\n| extend CreatedBy = systemData.createdBy\\r\\n| project ManageeTenantName, ManageeTenantId, ManagedByTenantName, ManagedByTenantId, AddedDate, CreatedBy\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Lighthouse Delegations\",\"noDataMessage\":\"No Azure Lighthouse Delegations/Customers 
Detected\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ManageeTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Download\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManageeTenantId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"ManagedByTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Upload\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManagedByTenantId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"AddedDate\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Clock\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"CreatedBy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PermanentAccess\",\"formatter\":1},{\"columnMatch\":\"JITAccess\",\"formatter\":1}],\"filter\":true}},\"name\":\"query - 21 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isALVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 21\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=AC)\\r\\n---\\r\\nAccess Control is the process of authorizing users, groups, and computers to access objects on a network, asset, and/or cloud. 
Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Account Management [AC-2]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-2.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Enforcement [AC-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Information Flow Enforcement [AC-4]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-4\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Separation of Duties [AC-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-5\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Least Privilege [AC-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-6\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Unsuccessful Logon Attempts [AC-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-7\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Use Notification [AC-8]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-8\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-2.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4e1641a6-9ed2-4725-aab9-7ae3212d2a5d\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC4Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-4\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"11b9dffc-183e-4365-9db9-f0b027e497a9\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"o
perator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a97dabbf-ffa2-4ca0-8fff-eccb9e5b096c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-6\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"06ae683e-fd15-455b-be2d-0d0822287dfa\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"6a82c6f2-dde9-45d9-acf4-23e96b5b2647\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC8Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-8\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"32eef6d6-6f06-421b-b88e-216496da06fa\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Session Lock [AC-11]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-11\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Session Termination [AC-12]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-12\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Attributes [AC-16]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-16\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Remote Access [AC-17]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-17\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Wireless Access [AC-18]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-18\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Control for Mobile Devices [AC-19]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-19\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Use of External Information Systems [AC-20]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-20\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c2c9eb47-127a-427a-b53d-25edd282b137\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC11Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-11\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC12Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-12\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"73feb40f-e952-4fad-b176-4b91cbc959f1\"},{\"id\":\"77350ee2-df63-4aab-937e-9d7a77ec458c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC16Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-16\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"d23f23ae-55d4-4905-b76d-7e2c73bff732\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC17Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-17\",\"resultValType\":\"stat
ic\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"9a183985-6073-4d09-8fd2-20078b1cd218\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC18Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-18\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"331f130c-8c5b-4a7e-9baf-e944146c3d6c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC19Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-19\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"6483c9b8-9174-49e3-9f98-2e9cca2ed7eb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC20Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-20\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - 
Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Account Management (AC-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#account-management) \\r\\n\\r\\n\\ta. Define and document the types of accounts allowed and specifically prohibited for use within the system;\\r\\n\\tb. Assign account managers;\\r\\n\\tc. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;\\r\\n\\td. Specify:\\r\\n\\t\\t1. Authorized users of the system;\\r\\n\\t\\t2. Group and role membership; and\\r\\n\\t\\t3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;\\r\\n\\te. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;\\r\\n\\tf. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];\\r\\n\\tg. Monitor the use of accounts;\\r\\n\\th. Notify account managers and [Assignment: organization-defined personnel or roles] within:\\r\\n\\t\\t1. [Assignment: organization-defined time period] when accounts are no longer required;\\r\\n\\t\\t2. [Assignment: organization-defined time period] when users are terminated or transferred; and\\r\\n\\t\\t3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;\\r\\n\\ti. Authorize access to the system based on:\\r\\n\\t\\t1. A valid access authorization;\\r\\n\\t\\t2. Intended system usage; and\\r\\n\\t\\t3. [Assignment: organization-defined attributes (as required)];\\r\\n\\tj. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];\\r\\n\\tk. 
Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and\\r\\n\\tl. Align account management processes with personnel termination and transfer processes.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) 🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Entra ID feature deployment guide](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-deployment-checklist-p2)
\\r\\n💡 [Deploying Active Directory Federation Services in Azure](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs)
\\r\\n💡 [User sign-in with Microsoft Entra ID Pass-through Authentication](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-pta)
\\r\\n💡 [Tutorial: Grant a user access to Azure resources using the Azure portal](https://docs.microsoft.com/azure/role-based-access-control/quickstart-assign-role-user-portal)
\\r\\n💡 [Azure RBAC documentation](https://docs.microsoft.com/azure/role-based-access-control/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Privileged Identity Management](https://ms.portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://ms.portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n\\r\\n### NIST SP 800-53 R5 Guidance\\r\\n[AC-2]( https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"AC.2.*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n| parse RecommendationLink with * '#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *\\r\\n| distinct RecommendationName, ControlID, Total, RecommendationLink, PassedControls, Passed, Failed, assessmentKey\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-2] Account Management -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where ResultType == \\\"0\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| summarize LastSignIn = datetime_diff(\\\"day\\\", now(), max(TimeGenerated)) by UserPrincipalName, LastSignInTime=TimeGenerated, UserId\\r\\n| where LastSignIn >= 28\\r\\n| project UserPrincipalName, LastSignIn, LastSignInTime, AADProfile=UserId\\r\\n| sort by LastSignIn desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-2(3)] Account Management | Disable Accounts -- Inactive Microsoft Entra ID Accounts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LastSignIn\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"AADProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"AADProfile\"}]}}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"SignInsBeforeInactive\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PreviousRoles = IdentityInfo\\r\\n| where TimeGenerated > ago(7d)\\r\\n| extend UserPrincipalName = AccountUPN;\\r\\nIdentityInfo\\r\\n| extend UserPrincipalName = AccountUPN\\r\\n| join (PreviousRoles) on UserPrincipalName\\r\\n| extend ChangedRoles = set_difference(AssignedRoles, AssignedRoles1)\\r\\n| extend ChangedGroups = set_difference(GroupMembership, GroupMembership1)\\r\\n| where ChangedRoles contains \\\"security\\\" or ChangedRoles contains \\\"admin\\\" or ChangedGroups contains \\\"security\\\" or ChangedGroups contains \\\"admin\\\"\\r\\n| join (SigninLogs| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)|project UserPrincipalName, UserProfile, UserId) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, ChangedRoles, ChangedGroups, ChangeObservedTime=TimeGenerated, UserId\\r\\n| extend ChangedRoles=strcat(ChangedRoles)\\r\\n| extend ChangedGroups=strcat(ChangedGroups)\\r\\n| distinct UserPrincipalName, UserProfile, ChangedRoles, ChangedGroups, ChangeObservedTime, UserId\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-2(7)] Account Management | Privileged User Accounts -- Microsoft Entra ID Privileged Role/Attribute Changes\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"LastSignIn\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"SignInsBeforeInactive\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| extend PIM = strcat(\\\"https://ms.portal.azure.com/#blade/Microsoft_Azure_PIMCommon/MyAuditsMenuBlade/aadmigratedroles\\\")\\r\\n| distinct OperationName, Identity, AADOperationType, PIM, TimeGenerated\\r\\n| sort by TimeGenerated 
desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-2(7)] Account Management | Privileged User Accounts -- Privileged Identity Management (PIM) Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Identity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PIM\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Privileged Identity Management >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"MyAuditsMenuBlade\",\"extensionName\":\"Microsoft_Azure_PIMCommon\"}}},{\"columnMatch\":\"GrantedTo\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go To: AAD Profile >\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"[AC-2] Account Management -- Review Roles & Groups by 
Usage\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| summarize arg_max(TimeGenerated, *) by AccountUPN\\r\\n| mv-expand AssignedRoles\\r\\n| summarize count() by AssignedRoles=strcat(AssignedRoles)\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assigned Roles by User Count\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile 
>>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| summarize arg_max(TimeGenerated, *) by AccountUPN\\r\\n| mv-expand GroupMembership\\r\\n| summarize count() by GroupMembership=strcat(GroupMembership)\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Group Memberships by User Count\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy\"}]},\"name\":\"group - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Enforcement 
(AC-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#access-enforcement)\\r\\n\\r\\nEnforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
\\r\\n💡 [Microsoft Entra ID Identity Governance documentation](https://docs.microsoft.com/azure/active-directory/governance/)
\\r\\n💡 [What is Microsoft Entra ID Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Enable and request just-in-time access for Azure Managed Applications](https://docs.microsoft.com/azure/azure-resource-manager/managed-applications/request-just-in-time-access)
\\r\\n💡 [How it works: Microsoft Entra ID Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"AC.3\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-3] Access Enforcement -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Information Flow Enforcement (AC-4)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#information-flow-enforcement)\\r\\n\\r\\nEnforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [How to configure the policy settings for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-settings)
\\r\\n💡 [Tutorial: Create a Web Application Firewall policy on Azure Front Door using the Azure portal](https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-create-portal)
\\r\\n💡 [What is Azure Front Door?](https://docs.microsoft.com/azure/frontdoor/front-door-overview)
\\r\\n💡 [Microsoft Endpoint Manager overview](https://docs.microsoft.com/mem/endpoint-manager-overview)
\\r\\n💡 [Network access control (NAC) integration with Intune](https://docs.microsoft.com/mem/intune/protect/network-access-control-integrate)
\\r\\n💡 [What are common ways to use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
\\r\\n💡 [Prevent data leaks on non-managed devices using Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/data-leak-prevention)
\\r\\n💡 [App protection policies overview](https://docs.microsoft.com/mem/intune/apps/app-protection-policy)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Azure Web Application Firewall](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n🔀 [Front Doors](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/frontdoors)
\\r\\n🔀 [Microsoft Information Protection](https://compliance.microsoft.com/informationprotection?viewid=overview)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-4](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-4)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"AC.4\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-4] Information Flow Enforcement -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC4Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Separation of Duties (AC-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#separation-of-duties)\\r\\n\\r\\n\\ta. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and\\r\\n\\tb. Define system access authorizations to support separation of duties.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
\\r\\n💡 [Azure custom roles](https://docs.microsoft.com/azure/role-based-access-control/custom-roles)
\\r\\n💡 [Steps to assign an Azure role](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-steps)
\\r\\n💡 [What is Microsoft Entra ID Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Enable and request just-in-time access for Azure Managed Applications](https://docs.microsoft.com/azure/azure-resource-manager/managed-applications/request-just-in-time-access)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Entra ID: Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Roles = IdentityInfo\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName=AccountUPN\\r\\n| project UserPrincipalName, AssignedRoles=strcat(AssignedRoles), GroupMemberships=strcat(GroupMembership);\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (Roles) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, AssignedRoles, GroupMemberships, UserId\\r\\n| sort by UserPrincipalName asc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-5] Separation of Duties -- Review User Roles and Groups\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"LastSignIn\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"SignInsBeforeInactive\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":2500,\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Least Privilege 
(AC-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#least-privilege)\\r\\n\\r\\nEmploy the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs?WT.mc_id=Portal-fx) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
\\r\\n💡 [What is Microsoft Entra ID Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Enable and request just-in-time access for Azure Managed Applications](https://docs.microsoft.com/azure/azure-resource-manager/managed-applications/request-just-in-time-access)
\\r\\n💡 [Office 365 Security & Compliance: Enable Auditing for Admins](https://docs.microsoft.com/microsoft-365/compliance/turn-audit-log-search-on-or-off)
\\r\\n💡 [Audited Activities](https://docs.microsoft.com/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance)
\\r\\n💡 [Use audit logs to track and monitor events in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/monitor-audit-logs)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [ Microsoft Entra ID : Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n🔀 [Microsoft 365 Compliance: Audit](https://compliance.microsoft.com/auditlogsearch?viewid=Test%20Tab)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| extend PIM = strcat(\\\"https://ms.portal.azure.com/#blade/Microsoft_Azure_PIMCommon/MyAuditsMenuBlade/aadmigratedroles\\\")\\r\\n| distinct OperationName, Identity, AADOperationType, PIM, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-6] Least Privilege -- Privileged Identity Management (PIM) Elevations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Identity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PIM\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Privileged Identity Management 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"MyAuditsMenuBlade\",\"extensionName\":\"Microsoft_Azure_PIMCommon\"}}},{\"columnMatch\":\"GrantedTo\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go To: AAD Profile >\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Unsuccessful Logon Attempts (AC-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#unsuccessful-logon-attempts)\\r\\n\\r\\n\\ta. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and\\r\\n\\tb. 
Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Protect user accounts from attacks with Microsoft Entra ID smart lockout](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-smart-lockout)
\\r\\n💡 [Manage Microsoft Entra ID smart lockout values](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-smart-lockout#manage-azure-ad-smart-lockout-values)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SignInFailures = SigninLogs\\r\\n| where ResultType <> 0\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| summarize count() by UserPrincipalName, UserId, UserProfile\\r\\n| extend FailedSignInCount=count_;\\r\\nlet LastObserved = SigninLogs\\r\\n| where ResultType <> 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastFailedSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| where ResultType <> 0\\r\\n| make-series Trend = dcount(ResultType) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by UserPrincipalName\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (SignInFailures) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, FailedSignInCount, Trend, LastFailedSignIn, UserId\\r\\n| sort by FailedSignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-7] Unsuccessful Logon Attempts -- Monitor Logon Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"FailedSignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System Use Notification 
(AC-8)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#system-use-notification)\\r\\n\\r\\n\\ta. Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:\\r\\n\\t\\t1. Users are accessing a U.S. Government system;\\r\\n\\t\\t2. System usage may be monitored, recorded, and subject to audit;\\r\\n\\t\\t3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and\\r\\n\\t\\t4. Use of the system indicates consent to monitoring and recording;\\r\\n\\tb. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and\\r\\n\\tc. For publicly accessible systems:\\r\\n\\t\\t1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system;\\r\\n\\t\\t2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and\\r\\n\\t\\t3. Include a description of the authorized uses of the system.\\r\\n\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Entra ID terms of use](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use)
\\r\\n💡 [Create terms and conditions](https://docs.microsoft.com/mem/intune/enrollment/terms-and-conditions-create#create-terms-and-conditions)
\\r\\n💡 [Choosing the right Terms solution for your organization](https://techcommunity.microsoft.com/t5/intune-customer-success/choosing-the-right-terms-solution-for-your-organization/ba-p/280180)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID: Conditional Access - Terms of Use](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/TermsOfUse)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center: Terms & Conditions](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/TenantAdminMenu/termsAndConditions)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-8](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-8)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"banner\\\" or Description contains \\\"agree\\\" or Description contains \\\"notification\\\" or Description contains \\\"terms\\\" or Description contains \\\"privacy\\\" or Description contains \\\"notice\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"banner\\\" or Description contains \\\"agree\\\" or Description contains \\\"notification\\\" or Description contains \\\"terms\\\" or Description contains \\\"privacy\\\" or Description contains \\\"notice\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"banner\\\" or Description contains \\\"agree\\\" or Description contains \\\"notification\\\" or Description contains \\\"terms\\\" or Description contains \\\"privacy\\\" or Description contains \\\"notice\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, 
FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-8] System Use Notifications -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC8Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Session Control (AC-11)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#session-lock)\\r\\n\\r\\n\\ta. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and\\r\\n\\tb. Retain the device lock until the user reestablishes access using established identification and authentication procedures.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Require device to be marked as compliant](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-grant#require-device-to-be-marked-as-compliant)
\\r\\n💡 [Locked screen experience](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience)
\\r\\n💡 [Password box](https://docs.microsoft.com/windows/apps/design/controls/password-box)
\\r\\n💡 [Policy CSP - CredentialsUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialsui)
\\r\\n💡 [Interactive logon: Machine inactivity limit](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit)
\\r\\n💡 [Account Lockout Policy](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/account-lockout-policy)
\\r\\n💡 [Disable Password Reveal Option](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialsui#credentialsui-disablepasswordreveal)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-11](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-11)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"lock\\\" or Description contains \\\"pattern\\\" or Description contains \\\"screen\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"lock\\\" or Description contains \\\"pattern\\\" or Description contains \\\"screen\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"lock\\\" or Description contains \\\"pattern\\\" or Description contains \\\"screen\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-11] Session Control -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC11Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-11\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Session Termination (AC-12)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#session-termination)\\r\\n\\r\\nAutomatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AADUserRiskEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/aaduserriskevents) ✳️ [](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Conditional Access: Sign-in risk-based Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-risk)
\\r\\n💡 [Conditional Access: User risk-based Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user)
\\r\\n💡 [Continuous access evaluation](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation)
\\r\\n💡 [Account lockout threshold](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/account-lockout-threshold)
\\r\\n💡 [Protecting your organization against password spray attacks](https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/)
\\r\\n💡 [Protect user accounts from attacks with Microsoft Entra ID smart lockout](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-smart-lockout)
\\r\\n💡 [AD FS Extranet Lockout and Extranet Smart Lockout](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID: Risky Sign-Ins](https://portal.azure.com/#blade/Microsoft_AAD_IAM/RiskySignInsBlade)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-12](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-12)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| summarize arg_max(TimeGenerated,*) by AccountUPN\\r\\n| join kind=inner(\\r\\nSigninLogs) on $left.AccountUPN==$right.UserPrincipalName\\r\\n| project SigninTime=TimeGenerated1, UserPrincipalName, AppDisplayName, ResultType, AssignedRoles, Location, UserAgent, AuthenticationRequirement, Country, City, CorrelationId\\r\\n| join kind=inner (\\r\\nAADUserRiskEvents) on CorrelationId\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId), AssignedRoles=strcat(AssignedRoles)\\r\\n| distinct UserPrincipalName, UserProfile, RiskLevel, AppDisplayName, AssignedRoles, Country, SigninTime, UserId\\r\\n| extend Rank=iff(RiskLevel == \\\"high\\\", 3, iff(RiskLevel == \\\"medium\\\", 2, iff(RiskLevel == \\\"low\\\", 1, 0)))\\r\\n| sort by Rank desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-12] Review/Terminate User Session Risk Events\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"RiskLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AppDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense 
Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"Rank\",\"formatter\":5},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC12Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Attributes (AC-16)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#security-attributes)\\r\\n\\r\\n\\ta. 
Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission;\\r\\n\\tb. Ensure that the attribute associations are made and retained with the information;\\r\\n\\tc. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes];\\r\\n\\td. Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes];\\r\\n\\te. Audit changes to attributes; and\\r\\n\\tf. Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionEvents](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Azure attribute-based access control (Azure ABAC)?](https://docs.microsoft.com/azure/role-based-access-control/conditions-overview)
\\r\\n💡 [Azure role assignment conditions](https://docs.microsoft.com/azure/storage/common/storage-auth-abac-examples)
\\r\\n💡 [Apply a sensitivity label to content automatically](https://docs.microsoft.com/microsoft-365/compliance/apply-sensitivity-label-automatically?)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID: Custom Security attributes](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/CustomAttributesCatalog)
\\r\\n🔀 [Azure Information Protection: Labels](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/globalBlade)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-16](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-16)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionEvents\\r\\n| extend AIP = strcat(\\\"https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/ActivityLogsBlade\\\")\\r\\n| project User, AIP, LabelName, Activity, ItemName, ItemPath, Platform, ApplicationName, ProtectionOwner, IpAddress, Time\\r\\n| sort by Time desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-16] Security Attributes -- Azure Information Protection DLP Logs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LabelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AIP\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection 
>>\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}}},{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProtectionOwner\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 
2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC16Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-16\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Remote Access (AC-17)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#security-attributes)\\r\\n\\r\\n\\ta. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and\\r\\n\\tb. Authorize each type of remote access to the system prior to allowing such connections.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [resources](https://docs.microsoft.com/azure/governance/resource-graph/overview) ✳️ [Azure Front Door](https://azure.microsoft.com/services/frontdoor/)\\r\\n✳️ [Azure ExpressRoute](https://azure.microsoft.com/services/expressroute/) ✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) ✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Azure Bastion?](https://docs.microsoft.com/azure/bastion/bastion-overview)
\\r\\n💡 [Create a bastion host](https://docs.microsoft.com/azure/bastion/tutorial-create-host-portal#createhost)
\\r\\n💡 [Network access control (NAC) integration with Intune](https://docs.microsoft.com/mem/intune/protect/network-access-control-integrate)
\\r\\n💡 [Create a Conditional Access policy](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa#create-a-conditional-access-policy)
\\r\\n💡 [What is Azure ExpressRoute?](https://docs.microsoft.com/azure/expressroute/expressroute-introduction)
\\r\\n💡 [Configuring a VPN Gateway](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways#configuring)
\\r\\n💡 [Using the location condition in a Conditional Access policy](https://docs.microsoft.com/azure/active-directory/conditional-access/location-condition)
\\r\\n💡 [Customize Web Application Firewall rules using the Azure portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-customize-waf-rules-portal)
\\r\\n💡 [What is Azure Front Door?](https://docs.microsoft.com/azure/frontdoor/front-door-overview)
\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access - Named Locations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/NamedLocations)
\\r\\n🔀 [Front Door](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/frontdoors)
\\r\\n🔀 [Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n🔀 [ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n🔀 [Web Application Firewall policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-17](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-17)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"AC.17.*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-17] Remote Access -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"bastion\\\" or type contains \\\"applicationgateways\\\" or type contains \\\"front\\\" or type contains \\\"private\\\" or type contains \\\"express\\\"\\r\\n| project 
id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-17] Remote Access (Bastion, Front Door, ExpressRoute, WAF, VPN Gateways)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where Location <> \\\"\\\"\\r\\n| where ResultType == 0\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n\",\"size\":2,\"title\":\"[AC-17] Remote Access -- Sign-Ins by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":12,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\",\"heatmapMax\":100},\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC17Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Wireless Access (AC-18)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#wireless-access)\\r\\n\\r\\n\\ta. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and\\r\\n\\tb. Authorize each type of wireless access to the system prior to allowing such connections.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Endpoint Manager overview](https://docs.microsoft.com/mem/endpoint-manager-overview)
\\r\\n💡 [Network access control (NAC) integration with Intune](https://docs.microsoft.com/mem/intune/protect/network-access-control-integrate)
\\r\\n💡 [What are common ways to use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
\\r\\n💡 [Add and use Wi-Fi settings on your devices in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/wi-fi-settings-configure)
\\r\\n💡 [Add Wi-Fi settings for Windows 10 and newer devices in Intune](https://docs.microsoft.com/mem/intune/configuration/wi-fi-settings-windows)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-18](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-18)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-18] Wireless Access -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC18Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-18\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control for Mobile Devices (AC-19)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#access-control-for-mobile-devices)\\r\\n\\r\\n\\ta. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and\\r\\n\\tb. Authorize the connection of mobile devices to organizational systems.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [App management capabilities by platform](https://docs.microsoft.com/mem/intune/apps/app-management#app-management-capabilities-by-platform)
\\r\\n💡 [Microsoft Intune protected apps](https://docs.microsoft.com/mem/intune/apps/apps-supported-intune-apps)
\\r\\n💡 [Network access control (NAC) integration with Intune](https://docs.microsoft.com/mem/intune/protect/network-access-control-integrate)
\\r\\n💡 [What are common ways to use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
\\r\\n💡 [How to create and assign app protection policies](https://docs.microsoft.com/mem/intune/apps/app-protection-policies)
\\r\\n💡 [Android app protection policy settings in Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/app-protection-policy-settings-android)
\\r\\n💡 [iOS app protection policy settings](https://docs.microsoft.com/mem/intune/apps/app-protection-policy-settings-ios)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center: Devices](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-19](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-19)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\\r\\n| extend OperatingSystem = tostring(DeviceDetail.operatingSystem)\\r\\n| extend Browser = tostring(DeviceDetail.browser)\\r\\n| where OperatingSystem contains \\\"Android\\\" or OperatingSystem contains \\\"iOS\\\"\\r\\n| summarize count() by OperatingSystem, Browser, AppDisplayName\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-19] Access Control for Mobile Devices -- Monitor Mobile Device Access\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperatingSystem\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Command and Control\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC19Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-19\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Use of External Information Systems (AC-20)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#use-of-external-information-systems)\\r\\n\\r\\n\\ta. 
[Selection (one or more): Establish [Assignment: organization-defined terms and conditions]; Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:\\r\\n\\t\\t1. Access the system from external systems; and\\r\\n\\t\\t2. Process, store, or transmit organization-controlled information using external systems; or\\r\\n\\tb. Prohibit the use of [Assignment: organizationally-defined types of external systems].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Conditional Access: Block access by location](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-location)
\\r\\n💡 [Microsoft Entra ID Conditional Access documentation](https://docs.microsoft.com/azure/active-directory/conditional-access/)
\\r\\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n💡 [Microsoft Defender for Cloud Apps overview](https://docs.microsoft.com/defender-cloud-apps/what-is-defender-for-cloud-apps)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-20](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-20)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct 
ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink\\r\\n | where RecommendationName contains \\\"external\\\" or RecommendationName contains \\\"private\\\" or RecommendationName contains \\\"internet\\\" or RecommendationName contains \\\"public\\\" or RecommendationName contains \\\"firewall\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-20] Use of External Information Systems -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"DisableRemovableDriveScanning\\\" or RuleSetting contains \\\"NoDriveTypeAutoRun\\\" or RuleSetting contains \\\"EnableInstallerDetection\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"DisableRemovableDriveScanning\\\" or RuleSetting contains \\\"NoDriveTypeAutoRun\\\" or RuleSetting contains \\\"EnableInstallerDetection\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"DisableRemovableDriveScanning\\\" or RuleSetting contains \\\"NoDriveTypeAutoRun\\\" or RuleSetting contains \\\"EnableInstallerDetection\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, 
PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-20(2)] Portable Storage Devices -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC20Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-20\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isACVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit & Accountability](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=AU)\\r\\n---\\r\\nAudit & Accountability involves 
the evaluation of configurable security and logging options to help identify gaps in security policies and mechanisms. \"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Events [AU-2]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-2\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Content of Audit Records [AU-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Response to Audit Processing Failures [AU-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-5\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Review, Analysis, & Reporting [AU-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-6\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Reduction & Report Generation [AU-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-7\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"08e0e1cd-ecba-4272-845b-5222e3663f99\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-2\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"88dfbbbd-0e93-49b0-a137-3fb16359c32c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"db4691d5-4576-401b-9ca8-69652d4a654c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"5ae1d8fa-8261-4f63-a365-5905d355cdad\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-6\",\"resultValType\":\"static\",\"r
esultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e98e5e7a-0206-449e-8370-f3acaa083b09\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Time Stamps [AU-8]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-8\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Protection of Audit Information [AU-9]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-9\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Record Retention [AU-11]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-11\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Generation [AU-12]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-12\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"eff2d5b1-f90d-4651-bb10-d1a7c297a305\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU8Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-8\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"77d29821-4e6d-4b82-8603-c0a88687a78a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU9Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-9\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"cf4f3461-2ff3-4613-9625-6cd9fcaea68d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU11Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-11\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"cfd61ba8-00ad-4d6c-b6cc-20bfb32a4ed1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU12Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-12\",\"resultValType\":\"static\"
,\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit Events (AU-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#audit-events)\\r\\n\\r\\n\\ta. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging];\\r\\n\\tb. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;\\r\\n\\tc. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];\\r\\n\\td. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and\\r\\n\\te. Review and update the event types selected for logging [Assignment: organization-defined frequency].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n🔷 [SecurityEvent](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n🔷 [CommonSecurityLog](https://docs.microsoft.com/azure/azure-monitor/reference/tables/CommonSecurityLog) ✳️ [Syslog/CEF Connector](https://docs.microsoft.com/azure/sentinel/connect-log-forwarder?tabs=rsyslog)
\\r\\n🔷 [AWSCloudTrail](https://docs.microsoft.com/azure/azure-monitor/reference/tables/AWSCloudTrail) ✳️ [AWS CloudTrail](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure Activity Log](https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log)
\\r\\n💡 [Connect data from Microsoft 365 Defender to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n🔀 [Microsoft 365 Defender: Audit](https://security.microsoft.com/auditlogsearch?viewid=Test%20Tab)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-2](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-2] Audit Events (Azure Activity)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"la
titude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-2] Audit Events (Office Activity)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"oper
ator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-2] Audit Events (Security Events)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-2] Audit Events (Linux/Unix)\",\"noDataMessage\":\"An 
Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AWSCloudTrail\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-2] Audit Events (AWS CloudTrail)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMet
rics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAU2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Content of Audit Records (AU-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#content-of-audit-records)\\r\\n\\r\\n\\tEnsure that audit records contain information that establishes the following:\\r\\n\\ta. What type of event occurred;\\r\\n\\tb. When the event occurred;\\r\\n\\tc. Where the event occurred;\\r\\n\\td. Source of the event;\\r\\n\\te. Outcome of the event; and\\r\\n\\tf. Identity of any individuals, subjects, or objects/entities associated with the event.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Audit logs in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs)
\\r\\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Usage\\r\\n| summarize count() by DataType\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-3] Content of Audit Records -- Log Entries by Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Backlog\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"
query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAU3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Response to Audit Processing Failures (AU-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#response-to-audit-processing-failures)\\r\\n\\r\\n\\ta. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and\\r\\n\\tb. Take the following additional actions: [Assignment: organization-defined additional actions].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Heartbeat](https://docs.microsoft.com/azure/azure-monitor/reference/tables/heartbeat) 🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Monitor the health of your data connectors with this Microsoft Sentinel workbook](https://docs.microsoft.com/azure/sentinel/monitor-data-connector-health)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastLogTime = union withsource = _TableName *\\r\\n| summarize LastLog_Time = arg_max(TimeGenerated, *) by _TableName;\\r\\nunion withsource = _TableName *\\r\\n| summarize last_log = datetime_diff(\\\"second\\\",now(), max(TimeGenerated)) by _TableName\\r\\n| where last_log > 0\\r\\n| join kind=inner (LastLogTime) on _TableName\\r\\n| project DataTable = _TableName, ['Last Log Received'] = last_log, LastLog_Time\\r\\n| where DataTable !contains \\\"SRCH\\\"\\r\\n| order by ['Last Log Received'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-5] Response to Audit Processing Failures -- Monitor/Alert on DataTable Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataTable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Last Log Received\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":0}}},{\"columnMatch\":\"MaturityLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Event Logging (EL0)\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Basic Event Logging (EL1)\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Intermediate Event Logging (EL2)\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Advanced Event Logging\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Ellipsis\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Last Record Received\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\"}}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_Last Log Received_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_Last Log Received_1\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastHeartbeatTime = Heartbeat\\r\\n| summarize LastHeartbeat_Time = arg_max(TimeGenerated, *) by ResourceId;\\r\\nHeartbeat\\r\\n| summarize LastHeartbeat = 
datetime_diff(\\\"second\\\",now(), max(TimeGenerated)) by ResourceId\\r\\n| where ResourceId <> \\\"\\\"\\r\\n| where ResourceId <> \\\"None\\\"\\r\\n| join kind=inner (LastHeartbeatTime) on ResourceId\\r\\n| project ResourceId, LastHeartbeat, LastHeartbeat_Time\\r\\n| sort by LastHeartbeat desc\\r\\n| limit 250\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-5] Response to Audit Processing Failures -- Monitor/Alert on Heartbeat Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LastHeartbeat\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":0}}},{\"columnMatch\":\"Computer\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OSType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Windows\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Linux\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"mac\",\"representation\":\"magenta\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Category\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresh
oldsGrid\":[{\"operator\":\"Default\",\"representation\":\"trenddown\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAU5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit Review, Analysis, and Reporting (AU-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#audit-review-analysis-and-reporting)\\r\\n\\r\\n\\ta. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity;\\r\\n\\tb. Report findings to [Assignment: organization-defined personnel or roles]; and\\r\\n\\tc. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\\r\\n💡 [Use Azure Monitor workbooks to visualize and monitor your data](https://docs.microsoft.com/azure/sentinel/monitor-your-data)
\\r\\n💡 [Create new workbook](https://docs.microsoft.com/azure/sentinel/monitor-your-data#create-new-workbook)
\\r\\n💡 [Microsoft Sentinel data connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)
\\r\\n💡 [Turn auditing on or off](https://docs.microsoft.com/microsoft-365/compliance/turn-audit-log-search-on-or-off?#turn-on-audit-log-search)
\\r\\n💡 [Security & Compliance Center](https://docs.microsoft.com/office365/servicedescriptions/office-365-platform-service-description/office-365-securitycompliance-center)
\\r\\n💡 [Audited activities](https://docs.microsoft.com/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?#audited-activities)
\\r\\n💡 [Use audit logs to track and monitor events in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/monitor-audit-logs)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft 365 Compliance Manager](https://compliance.microsoft.com/homepage)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"AU.6.\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-6] Audit Review, Analysis, & Reporting -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAU6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit Reduction and Report Generation (AU-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#audit-reduction-and-report-generation)\\r\\n\\r\\n\\tProvide and implement an audit record reduction and report generation capability that:\\r\\n\\ta. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and\\r\\n\\tb. 
Does not alter the original content or time ordering of audit records.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\\r\\n💡 [Audit logs in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs)
\\r\\n💡 [Azure security logging and auditing](https://docs.microsoft.com/azure/security/fundamentals/log-audit)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-7] Audit Reduction and Report Generation -- Microsoft Sentinel: Security Incidents\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"nam
e\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAU7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Time Stamps (AU-8)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#time-stamps)\\r\\n\\r\\n\\ta. Use internal system clocks to generate time stamps for audit records; and\\r\\n\\tb. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Time sync for Windows VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/windows/time-sync)
\\r\\n💡 [Windows Time service tools and settings](https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings)
\\r\\n💡 [How to configure an authoritative time server in Windows Server](https://docs.microsoft.com/troubleshoot/windows-server/identity/configure-authoritative-time-server)
\\r\\n💡 [Time sync for Linux VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/linux/time-sync)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-8](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-8)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"NTP\\\" or Description contains \\\"clock\\\" or Description contains \\\"time\\\" or Description contains \\\"sync\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"NTP\\\" or Description contains \\\"clock\\\" or Description contains \\\"time\\\" or Description contains \\\"sync\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"NTP\\\" or Description contains \\\"clock\\\" or Description contains \\\"time\\\" or Description contains \\\"sync\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-8] Time Stamps -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAU8Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protection of Audit Information 
(AU-9)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#protection-of-audit-information)\\r\\n\\r\\n\\ta. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and\\r\\n\\tb. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) 🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Audit logging overview](https://docs.microsoft.com/compliance/assurance/assurance-audit-logging)
\\r\\n💡 [Audit logs for Azure Attestation](https://docs.microsoft.com/azure/attestation/audit-logs)
\\r\\n💡 [Permissions in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/roles)
\\r\\n💡 [Set up Microsoft Sentinel customer-managed key](https://docs.microsoft.com/azure/sentinel/customer-managed-keys)
\\r\\n💡 [Search the audit log in the compliance center](https://docs.microsoft.com/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔀 [Microsoft 365 Compliance Manager: Audit](https://compliance.microsoft.com/auditlogsearch?viewid=Test%20Tab)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-9](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-9)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Roles = IdentityInfo\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName=AccountUPN\\r\\n| where AssignedRoles contains \\\"Reader\\\" or AssignedRoles contains \\\"Admin\\\" or AssignedRoles contains \\\"Contributor\\\" or AssignedRoles contains \\\"Owner\\\" or AssignedRoles contains \\\"Security\\\" \\r\\n| project UserPrincipalName, AssignedRoles=strcat(AssignedRoles);\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (Roles) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, AssignedRoles, UserId\\r\\n| sort by UserPrincipalName asc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-9] Protection of Audit Information -- Users with Access to Audit Information\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"LastSignIn\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"SignInsBeforeInactive\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description 
contains \\\"audit\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-9] Protection of Audit Information -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where OperationNameValue contains \\\"insights\\\" or OperationNameValue contains \\\"cluster\\\" or OperationNameValue contains \\\"storage\\\"\\r\\n| where OperationName contains \\\"Delete\\\" or OperationName contains \\\"Remove\\\"\\r\\n| summarize count() by OperationName, Caller\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-9] Protection of Audit Information -- Monitor Delete Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Caller\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Last Record Received\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\"}}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAU9Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit Record Retention 
(AU-11)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#audit-record-retention)\\r\\n\\r\\nRetain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Change Data Retention Period](https://docs.microsoft.com/azure/azure-monitor/logs/manage-cost-storage#change-the-data-retention-period)
\\r\\n💡 [Move Your Microsoft Sentinel Logs to Long-Term Storage with Ease](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/move-your-microsoft-sentinel-logs-to-long-term-storage-with-ease/ba-p/1407153)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n🔀 [Azure Data Explorer](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Kusto%2Fclusters)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-11](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-11)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces' \\r\\n| extend state = trim(' ', tostring(properties.provisioningState))\\r\\n\\t\\t,sku = trim(' ', tostring(properties.sku.name))\\r\\n ,skuUpdate = trim(' ', tostring(properties.sku.lastSkuUpdate))\\r\\n\\t\\t,retentionDays = trim(' ', tostring(properties.retentionInDays))\\r\\n\\t\\t,dailyquotaGB = trim(' ', tostring(properties.workspaceCapping.dailyQuotaGb))\\r\\n| extend dailyquotaGB = iif(dailyquotaGB !=-1.0, dailyquotaGB,\\\"Not set\\\")\\r\\n| extend skuUpdate = iif(strlen(skuUpdate) > 0, skuUpdate,\\\"Unknown\\\")\\r\\n| extend sentinel = iif(toint(retentionDays) < 90,\\\"If you have Sentinel, you can change your retention to 90days (free)?\\\",\\\"\\\")\\r\\n| project LogAnalyticsWorkspace=id, ['Resource Group']=resourceGroup, \\t\\r\\nLogRetention_Days=retentionDays\\r\\n\",\"size\":2,\"showAnalytics\":true,\"title\":\"[AU-11] Retains Audit Records -- Log Retention Settings\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogRetention_Days\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"is Empty\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"363\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"364\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Data Retention(days)\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orangeBlue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_LogRetention_Days_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_LogRetention_Days_2\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"type\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAU11Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-11\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit Generation (AU-12)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#audit-record-retention)\\r\\n\\r\\n\\ta. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];\\r\\n\\tb. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and\\r\\n\\tc. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\\r\\n💡 [Use Azure Monitor workbooks to visualize and monitor your data](https://docs.microsoft.com/azure/sentinel/monitor-your-data)
\\r\\n💡 [Create new workbook](https://docs.microsoft.com/azure/sentinel/monitor-your-data#create-new-workbook)
\\r\\n💡 [Microsoft Sentinel data connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)
\\r\\n💡 [Turn auditing on or off](https://docs.microsoft.com/microsoft-365/compliance/turn-audit-log-search-on-or-off?#turn-on-audit-log-search)
\\r\\n💡 [Security & Compliance Center](https://docs.microsoft.com/office365/servicedescriptions/office-365-platform-service-description/office-365-securitycompliance-center)
\\r\\n💡 [Audited activities](https://docs.microsoft.com/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?#audited-activities)
\\r\\n💡 [Use audit logs to track and monitor events in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/monitor-audit-logs)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft 365 Compliance Manager](https://compliance.microsoft.com/homepage)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-12](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-12)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"AU.12\\\" and complianceControlId !contains \\\"*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-12] Audit Generation -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAU12Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-12\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isAUVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Audit & Accountability Family - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Assessment & Authorization](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=CA)\\r\\n---\\r\\nSecurity Assessment includes periodic evaluation of security controls for effectiveness.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security 
Assessments [CA-2]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CA-2\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Interconnections [CA-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CA-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Continuous Monitoring [CA-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CA-7\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCA2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CA-2\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"cb0f25c4-5ae6-42c2-9977-c4f30293e804\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCA3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CA-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"51fa60cc-b672-48a5-9eb3-af9c5d0a8446\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCA7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValTyp
e\":\"static\",\"rightVal\":\"CA-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e74e5218-b420-40cd-adf5-bac6df74b383\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Assessments (CA-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#security-assessments)\\r\\n\\r\\n\\ta. Select the appropriate assessor or assessment team for the type of assessment to be conducted;\\r\\n\\tb. Develop a control assessment plan that describes the scope of the assessment including:\\r\\n\\t\\t1. Controls and control enhancements under assessment;\\r\\n\\t\\t2. Assessment procedures to be used to determine control effectiveness; and\\r\\n\\t\\t3. Assessment environment, assessment team, and assessment roles and responsibilities;\\r\\n\\tc. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;\\r\\n\\td. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;\\r\\n\\te. Produce a control assessment report that document the results of the assessment; and\\r\\n\\tf. 
Provide the results of the control assessment to [Assignment: organization-defined individuals or roles].\\t\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecureScores](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securescores) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Secure Score in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/defender-for-cloud/secure-score-security-controls)
\\r\\n💡 [Microsoft Secure Score](https://docs.microsoft.com/microsoft-365/security/defender/microsoft-secure-score?)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft 365 Defender: Secure Scores](https://security.microsoft.com/securescore)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CA-2](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CA-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecureScores\\r\\n| where MaxScore>0\\r\\n| extend subscriptionScore = CurrentScore/MaxScore \\r\\n| extend subScoreXsubWeight = subscriptionScore*Weight \\r\\n| extend Day = startofday(TimeGenerated) \\r\\n| summarize upperValue = sum(subScoreXsubWeight), underValue = sum(todouble(Weight)) by Day\\r\\n| extend OverallScore = 100*((upperValue)/(underValue))\\r\\n| project OverallScore, Day\",\"size\":0,\"aggregation\":5,\"showAnnotations\":true,\"title\":\"[CA-2] Security Assessments -- Secure Score Over Time\",\"noDataMessage\":\"No data available. Check your continuous export configuration for the selected workspaces.\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"timeBrushExportOnlyWhenBrushed\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ControlId\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"WeightedAvgPerControl\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"overallScore\",\"label\":\"Overall 
Score\",\"color\":\"lightBlue\"}],\"ySettings\":{\"min\":0,\"max\":100}}},\"customWidth\":\"50\",\"showPin\":true,\"name\":\"ScoreOvertime\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCA2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CA-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System Interconnections (CA-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#security-assessments)\\r\\n\\r\\n\\ta. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]];\\r\\n\\tb. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and\\r\\n\\tc. 
Review and update the agreements [Assignment: organization-defined frequency].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) ✳️ [Network Watcher](https://azure.microsoft.com/services/network-watcher/) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) ✳️ [ExpressRoute]( https://azure.microsoft.com/services/expressroute/) ✳️ [Traffic Manager]( https://azure.microsoft.com/services/traffic-manager/) ✳️ [VPN Gateway]( https://azure.microsoft.com/services/vpn-gateway/) \\r\\n\\r\\n### Implementation\\r\\n💡 [Quickstart: Create a virtual network using the Azure portal](https://docs.microsoft.com/azure/virtual-network/quick-create-portal)
\\r\\n💡 [Create, change, or delete a network security group](https://docs.microsoft.com/azure/virtual-network/manage-network-security-group)
\\r\\n💡 [Quickstart: Diagnose a virtual machine network traffic filter problem using the Azure portal](https://docs.microsoft.com/azure/network-watcher/diagnose-vm-network-traffic-filtering-problem)
\\r\\n💡 [Tutorial: Deploy and configure Azure Firewall and policy using the Azure portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal-policy)
\\r\\n💡 [Quickstart: Create and modify an ExpressRoute circuit](https://docs.microsoft.com/azure/expressroute/expressroute-howto-circuit-portal-resource-manager)
\\r\\n💡 [Quickstart: Create a Traffic Manager profile using the Azure portal](https://docs.microsoft.com/azure/traffic-manager/quickstart-create-traffic-manager-profile)
\\r\\n💡 [Tutorial: Create and manage a VPN gateway using Azure portal](https://docs.microsoft.com/azure/vpn-gateway/tutorial-create-gateway-portal)
\\r\\n💡 [Find your Microsoft Sentinel data connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Network](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔀 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n🔀 [Network Watcher](https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview)
\\r\\n🔀 [Azure Firewall](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [ExpressRoute](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n🔀 [Traffic Manager](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/TrafficManagers)
\\r\\n🔀 [VPN Gateway](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CA-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CA-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"Microsoft.Network\\\" \\r\\n| summarize count() by type\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CA-3] System Interconnections -- Control/Montitor System Interconnections via Network Controls\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCA3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CA-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Continuous Monitoring (CA-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#continuous-monitoring)\\r\\n\\r\\n\\tDevelop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:\\r\\n\\ta. 
Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];\\r\\n\\tb. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;\\r\\n\\tc. Ongoing control assessments in accordance with the continuous monitoring strategy;\\r\\n\\td. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;\\r\\n\\te. Correlation and analysis of information generated by control assessments and monitoring;\\r\\n\\tf. Response actions to address results of the analysis of control assessment and monitoring information; and\\r\\n\\tg. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n💡 [Add the Microsoft Defender for Cloud: NIST SP 800-53 R4 Assessment to Your Dashboard](https://docs.microsoft.com/azure/security-center/update-regulatory-compliance-packages#add-a-regulatory-standard-to-your-dashboard)
\\r\\n💡 [Automatically create incidents from Microsoft security alerts](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CA-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CA-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | 
extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName\\r\\n | extend ComplianceDomain=iff(controlId contains \\\"AC.\\\", \\\"Access Control\\\", iff(controlId contains \\\"AT.\\\", \\\"Security Awareness & Training\\\", iff(controlId contains \\\"AU.\\\", \\\"Audit & Accountability\\\", iff(controlId contains \\\"CA.\\\", \\\"Security Assessment\\\", iff(controlId contains \\\"CM.\\\", \\\"Configuration Management\\\", iff(controlId contains \\\"CP.\\\", \\\"Contingency Planning\\\", iff(controlId contains \\\"IA.\\\", \\\"Identification & Authentication\\\", 
iff(controlId contains \\\"IR.\\\", \\\"Incident Response\\\", iff(controlId contains \\\"MA.\\\", \\\"System Maintenance\\\", iff(controlId contains \\\"MP.\\\", \\\"Media Protection\\\", iff(controlId contains \\\"PE.\\\", \\\"Physical Protection\\\", iff(controlId contains \\\"PL.\\\", \\\"Security Planning\\\", iff(controlId contains \\\"PS.\\\", \\\"Personnel Security\\\",iff(controlId contains \\\"RA.\\\", \\\"Risk Assessment\\\",iff(controlId contains \\\"SA.\\\", \\\"System & Services Acquisition\\\",iff(controlId contains \\\"SC.\\\", \\\"System & Communications Protection\\\",iff(controlId contains \\\"SI.\\\", \\\"System & Information Integrity\\\",\\\"Other\\\"))))))))))))))))) \\r\\n | distinct RecommendationName, ComplianceDomain, tostring(RecommendationLink), tostring(state), tostring(complianceState)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\" or complianceState == \\\"Failed\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or complianceState == \\\"Failed\\\") by ComplianceDomain\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | project ControlFamily=ComplianceDomain, Total, PassedControls, Passed, Failed\\r\\n | sort by Total, Passed desc\\r\\n \",\"size\":0,\"showAnalytics\":true,\"title\":\"[CA-7] Continuous Monitoring -- Monitor/Alert on Compliance Posture Deviations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Remediate >>\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SecurityProducts = datatable(ProviderName: string, Product: string, Capability: string, Portal: string) [\\r\\n \\\"ASI Scheduled Alerts\\\", \\\"Microsoft Sentinel\\\",\\\"Security Information Event Management (SIEM)\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"MCAS\\\", \\\"Microsoft Cloud App Security\\\",\\\"Cloud Application Security Broker (CASB)\\\",\\\"https://portal.cloudappsecurity.com/\\\",\\r\\n \\\"MDATP\\\", \\\"Microsoft Defender for Endpoint\\\", \\\"Endpoint Detection & Response (EDR)\\\",\\\"https://security.microsoft.com/homepage\\\",\\r\\n \\\"Azure Security Center\\\", \\\"Microsoft Defender for Cloud\\\", 
\\\"Cloud Workload Protection Platform (CWPP)\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"Detection-WarmPathV2\\\", \\\"Microsoft Defender for Cloud\\\", \\\"Cloud Workload Protection Platform (CWPP)\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"MicrosoftThreatProtection\\\", \\\"Microsoft 365 Defender\\\", \\\"Extensible Detection & Response (XDR)\\\",\\\"https://security.microsoft.com/homepage\\\",\\r\\n \\\"IPC\\\", \\\"Azure Active Directory Identity Protection\\\", \\\"Identity & Access Management (IAM)\\\",\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/Overview\\\",\\r\\n \\\"Detection-Fusion\\\", \\\"Machine Learning Fusion Alert\\\", \\\"Machine Learning (ML)\\\",\\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"Sentinel Fusion\\\", \\\"Machine Learning Fusion Alert\\\", \\\"Machine Learning (ML)\\\",\\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"Azure Advanced Threat Protection\\\", \\\"Microsoft Defender for Identity\\\", \\\"Identity Protection (IP)\\\",\\\"https://security.microsoft.com/settings/identities\\\",\\r\\n \\\"Threat Intelligence Alerts\\\", \\\"Threat Intelligence\\\", \\\"Threat Intelligence (TI)\\\",\\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"IoTSecurity\\\", \\\"Azure Defender for IoT\\\", \\\"Industrial IoT Platform\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started\\\",\\r\\n \\\"MSTIC\\\", \\\"Microsoft Intelligent Security Graph\\\", \\\"Threat Intelligence 
(TI)\\\",\\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"AntimalwarePublisher\\\", \\\"Microsoft Anti-Malware\\\", \\\"Anti-Virus (AV)\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\", \\r\\n \\\"OATP\\\", \\\"Microsoft Defender for Office 365\\\", \\\"Email Defense\\\",\\\"https://security.microsoft.com/homepage\\\",\\r\\n \\\"AdaptiveNetworkHardenings\\\", \\\"ASC Adaptive Network Hardening\\\", \\\"Network Detection & Response (NDR)\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"StorageThreatDetection\\\", \\\"Azure Defender for Storage\\\", \\\"Storage Protection\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"CloudNetworkSecurity\\\", \\\"Azure Network Security\\\",\\\"Network Detection & Response (NDR)\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview\\\",\\r\\n \\\"SQLThreatDetection\\\", \\\"Azure Defender for SQL\\\", \\\"Database Protection\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\"\\r\\n];\\r\\nSecurityAlert\\r\\n| join kind=inner SecurityProducts on ProviderName\\r\\n| summarize count() by Product, Capability, Portal\\r\\n| project Product, Capability, AlertsCount=count_, Portal\\r\\n| sort by AlertsCount desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CA-7] Continuous Monitoring -- Monitor/Respond to Security Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Product\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Capability\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertsCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Product >>\"}}],\"filter\":true}},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCA7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CA-7\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isCAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Security Assessment Family \"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Configuration Management](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=CM)\\r\\n---\\r\\nConfiguration Management establishes security baselines and measures deviations provides the basis for tracking the security posture of cloud assets.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Baseline Configuration [CM-2]\\\\\\\", 
\\\\\\\"tab\\\\\\\": \\\\\\\"CM-2\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Configuration Change Control [CM-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Impact Analysis [CM-4]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-4\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Restrictions for Change [CM-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-5\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Configuration Settings [CM-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-6\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-2\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"17f70fb6-9010-4611-99de-6fabfe7deae9\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\
"id\":\"80c1b0ff-8d50-4d7d-9e54-5cb94c15de2a\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM4Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-4\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a4724d6f-19cc-453d-abb7-0a4bd343a7c6\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d92ec5cb-6cbd-4ebe-81bd-904a5313e8c4\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-6\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"670fad9b-f6d5-465a-9657-13727bc0546f\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Least Functionality [CM-7]\\\\\\\", \\\\\\\"tab\\\\\\\": 
\\\\\\\"CM-7\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Component Inventory [CM-8]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-8\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Configuration Management Plan [CM-9]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-9\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Software Usage Restrictions [CM-10]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-10\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"User-Installed Software [CM-11]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-11\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"0688d498-3f43-4241-a716-cdd97aeabbce\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM8Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-8\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e
7787bd2-dcb2-47c0-9e5e-7ca07f0afe89\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM9Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-9\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4215e9b3-cd53-4747-9343-37a8e2a60eab\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM10Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-10\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9bde1721-44b5-4aa1-97a8-b67de2e91fcb\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM11Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-11\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"017bd293-9d8d-4c27-85cd-0f3c0451a3d2\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy - 
Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Baseline Configuration (CM-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#baseline-configuration)\\r\\n\\r\\n\\ta. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and\\r\\n\\tb. Review and update the baseline configuration of the system:\\r\\n\\t\\t1. [Assignment: organization-defined frequency];\\r\\n\\t\\t2. When required due to [Assignment: organization-defined circumstances]; and\\r\\n\\t\\t3. When system components are installed or upgraded.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure security baseline for Azure Cloud Services](https://docs.microsoft.com/security/benchmark/azure/baselines/cloud-services-security-baseline)
\\r\\n💡 [Manage security baseline profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/security-baselines-configure)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-2](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-2] Baseline Configuration -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Configuration Change Control (CM-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#baseline-configuration)\\r\\n\\r\\n\\ta. Determine and document the types of changes to the system that are configuration-controlled;\\r\\n\\tb. 
Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;\\r\\n\\tc. Document configuration change decisions associated with the system;\\r\\n\\td. Implement approved configuration-controlled changes to the system;\\r\\n\\te. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];\\r\\n\\tf. Monitor and review activities associated with configuration-controlled changes to the system; and\\r\\n\\tg. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [ConfigurationChange](https://docs.microsoft.com/azure/azure-monitor/reference/tables/configurationchange) ✳️ [Virtual Machines]( https://azure.microsoft.com/services/virtual-machines/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Enable Change Tracking and Inventory from Azure portal](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-portal)
\\r\\n💡 [Change Tracking and Inventory overview](https://docs.microsoft.com/azure/automation/change-tracking/overview)
\\r\\n💡 [File integrity monitoring in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/defender-for-cloud/file-integrity-monitoring-overview)
\\r\\n💡 [Get resource changes](https://docs.microsoft.com/azure/governance/resource-graph/how-to/get-resource-changes)
\\r\\n💡 [Enable Change Tracking and Inventory from an Automation account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)
\\r\\n💡 [Get resource changes](https://docs.microsoft.com/azure/governance/resource-graph/how-to/get-resource-changes)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ConfigurationChange \\r\\n| project _ResourceId, ConfigChangeType, ChangeCategory, RegistryKey, ValueName, ValueData, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250 \",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-3] Configuration Change Control -- Enable/Monitor Asset Configuration Changes\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConfigChangeType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Files\",\"representation\":\"Folder\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ChangeCategory\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Added\",\"representation\":\"Add\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Removed\",\"representation\":\"FilterRemove\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Modified\",\"representation\":\"Wrench\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsG
rid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Impact Analysis (CM-4)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#security-impact-analysis)\\r\\n\\r\\nAnalyze changes to the system to determine potential 
security and privacy impacts prior to change implementation.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n💡 [Microsoft Sentinel: Training Lab Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/learning-with-the-microsoft-sentinel-training-lab/ba-p/2953403)
\\r\\n💡 [The simulated enterprise base configuration](https://docs.microsoft.com/microsoft-365/enterprise/simulated-ent-base-configuration-microsoft-365-enterprise)
\\r\\n💡 [Azure DevTest Labs](https://azure.microsoft.com/services/devtest-lab/)
\\r\\n💡 [Microsoft 365 for enterprise Test Lab Guides](https://docs.microsoft.com/microsoft-365/enterprise/m365-enterprise-test-lab-guides)
\\r\\n💡 [What is Conditional Access report-only mode?](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-report-only)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-4](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-4)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationState == \\\"Unhealthy\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationSeverity\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-4] Security Impact Analysis -- Assess/Monitor Security Impacts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConfigChangeType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Files\",\"representation\":\"File\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Registry\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"
city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM4Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Restrictions for Change (CM-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#access-restrictions-for-change)\\r\\n\\r\\nDefine, document, approve, and enforce physical and logical access restrictions associated with changes to the system.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs?WT.mc_id=Portal-fx) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
\\r\\n💡 [What is Microsoft Entra ID Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Enable and request just-in-time access for Azure Managed Applications](https://docs.microsoft.com/azure/azure-resource-manager/managed-applications/request-just-in-time-access)
\\r\\n💡 [Office 365 Security & Compliance: Enable Auditing for Admins](https://docs.microsoft.com/microsoft-365/compliance/turn-audit-log-search-on-or-off)
\\r\\n💡 [Audited Activities](https://docs.microsoft.com/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance)
\\r\\n💡 [Use audit logs to track and monitor events in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/monitor-audit-logs)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Entra ID: Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n🔀 [Microsoft 365 Compliance: Audit](https://compliance.microsoft.com/auditlogsearch?viewid=Test%20Tab)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| extend PIM = strcat(\\\"https://ms.portal.azure.com/#blade/Microsoft_Azure_PIMCommon/MyAuditsMenuBlade/aadmigratedroles\\\")\\r\\n| distinct Identity, PIM, OperationName, AADOperationType, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-5] Access Restrictions for Change -- Restrict Changes with PIM\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Identity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PIM\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"PIM 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"MyAuditsMenuBlade\",\"extensionName\":\"Microsoft_Azure_PIMCommon\"}}},{\"columnMatch\":\"GrantedTo\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go To: AAD Profile >\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Configuration Settings (CM-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#configuration-settings)\\r\\n\\r\\n\\ta. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];\\r\\n\\tb. Implement the configuration settings;\\r\\n\\tc. 
Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and\\r\\n\\td. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Overview of the Azure Security Benchmark (v3)](https://docs.microsoft.com/security/benchmark/azure/overview)
\\r\\n💡 [What is Azure Policy?](https://docs.microsoft.com/azure/governance/policy/overview)
\\r\\n💡 [Use adaptive application controls to reduce your machines' attack surfaces](https://docs.microsoft.com/azure/defender-for-cloud/adaptive-application-controls)
\\r\\n💡 [Available security baselines](https://docs.microsoft.com/mem/intune/protect/security-baselines#available-security-baselines)
\\r\\n💡 [Use Windows 10 templates to configure group policy settings in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/administrative-templates-windows)
\\r\\n💡 [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-configure#create-the-profile)
\\r\\n💡 [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-grant)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Azure Policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Overview)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"CM.6\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-6] Configuration Settings -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Least Functionality (CM-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#least-functionality)\\r\\n\\r\\n\\ta. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and\\r\\n\\tb. 
Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Remote access to on-premises applications through Microsoft Entra ID Application Proxy](https://learn.microsoft.com/en-us/entra/identity/app-proxy/)
\\r\\n💡 [Conditional Access: Grant](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-grant)
\\r\\n💡 [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-configure#create-the-profile)
\\r\\n💡 [Use Windows 10 templates to configure group policy settings in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/administrative-templates-windows)
\\r\\n💡 [Analyze your on-premises group policy objects (GPO) using Group Policy analytics in Microsoft Endpoint Manager](https://docs.microsoft.com/mem/intune/configuration/group-policy-analytics)
\\r\\n💡 [What are managed identities for Azure resources?](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview)
\\r\\n💡 [Manage user-assigned managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Managed Identities](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.ManagedIdentity%2FuserAssignedIdentities)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"CM.7\\\" or RecommendationName contains \\\"port\\\" or RecommendationName contains \\\"protocol\\\" or RecommendationName contains \\\"functionality\\\" or RecommendationName contains \\\"least\\\" or RecommendationName contains \\\"restrict\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where 
complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n| parse RecommendationLink with * '#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *\\r\\n| distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, assessmentKey\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-7] Least Functionality -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System Component Inventory (CM-8)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#information-system-component-inventory)\\r\\n\\r\\n\\ta. Develop and document an inventory of system components that:\\r\\n\\t1. Accurately reflects the system;\\r\\n\\t2. Includes all components within the system;\\r\\n\\t3. Does not include duplicate accounting of components or components assigned to any other system;\\r\\n\\t4. Is at the level of granularity deemed necessary for tracking and reporting; and\\r\\n\\t5. 
Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability];\\r\\n\\tb. Review and update the system component inventory [Assignment: organization-defined frequency]\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Use asset inventory to manage your resources' security posture](https://docs.microsoft.com/azure/defender-for-cloud/asset-inventory)
\\r\\n💡 [Software inventory - threat and vulnerability management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-software-inventory)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Inventory](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/25)
\\r\\n🔀 [Microsoft 365 Defender: Software Inventory](https://security.microsoft.com/software-inventory/applications)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-8](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-8)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| project AssetID=id,AssetType=type, Azure_Inventory, M365_Inventory\\r\\n| sort by AssetID asc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-8] Information System Component Inventory -- Review Asset Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| summarize count() by type\\r\\n| sort by count_ 
desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-8] Information System Component Inventory -- Asset Count by Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM8Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Configuration Management Plan (CM-9)\\r\\n\\r\\n\\tDevelop, document, and implement a configuration management plan for the system that:\\r\\n\\ta. Addresses roles, responsibilities, and configuration management processes and procedures;\\r\\n\\tb. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;\\r\\n\\tc. Defines the configuration items for the system and places the configuration items under configuration management;\\r\\n\\td. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and\\r\\n\\te. 
Protects the configuration management plan from unauthorized disclosure and modification.\\r\\n\\r\\n### Implementation\\r\\n💡 [Enable Change Tracking and Inventory from Azure portal](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-portal)
\\r\\n💡 [Change Tracking and Inventory overview](https://docs.microsoft.com/azure/automation/change-tracking/overview)
\\r\\n💡 [File integrity monitoring in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/defender-for-cloud/file-integrity-monitoring-overview)
\\r\\n💡 [Get resource changes](https://docs.microsoft.com/azure/governance/resource-graph/how-to/get-resource-changes)
\\r\\n💡 [Enable Change Tracking and Inventory from an Automation account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)
\\r\\n💡 [Get resource changes](https://docs.microsoft.com/azure/governance/resource-graph/how-to/get-resource-changes)
\\r\\n\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Maintenance Configurations](https://ms.portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Maintenance%2FmaintenanceConfigurations)
\\r\\n🔀 [Automanage](https://ms.portal.azure.com/#blade/Microsoft_Azure_AutoManagedVirtualMachines/AutomanageMenuBlade/overview)
\\r\\n🔀 [Automation Accounts](https://ms.portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔀 [File Integrity Monitoring](https://ms.portal.azure.com/#blade/Microsoft_Azure_Security/FileIntegrityMonitoringWorkspaceSelectorBlade)
\\r\\n🔀 [Inventory](https://ms.portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/25)
\\r\\n\\r\\n### NIST SP 800-53 R5 Guidance\\r\\n[CM-9](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-9)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"[CM-9] Configuration Management Plan -- Develop Plan via Tooling\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"fec6091e-2608-497c-8f51-a0d8005bc542\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Maintenance Configurations\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Maintenance/maintenanceConfigurations\"}]}},{\"id\":\"c18c0336-095d-4a57-848f-b0f134c6c10a\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Automanage\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"AutomanageMenuBlade\",\"extensionName\":\"Microsoft_Azure_AutoManagedVirtualMachines\"}},{\"id\":\"4701a78b-5790-43a3-a971-68a539851fc5\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Automation Accounts\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Automation/AutomationAccounts\"}]}},{\"id\":\"0bf51734-cccc-4825-92d8-f17824344ab7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"File Integrity Monitoring\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"FileIntegrityMonitoringWorkspaceSelectorBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}},{\"id\":\"a32b5156-4cec-481d-83b3-165ca9208301\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Inventory\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"name\":\"links - 1\"}]},\"customWidth\":\"50\",\"name\":\"Configuration 
Management\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM9Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Software Usage Restrictions (CM-10)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#software-usage-restrictions)\\r\\n\\r\\n\\ta. Use software and associated documentation in accordance with contract agreements and copyright laws;\\r\\n\\tb. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and\\r\\n\\tc. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Introduction to Microsoft Defender for servers](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-servers-introduction)
\\r\\n💡 [Use adaptive application controls to reduce your machines' attack surfaces](https://docs.microsoft.com/azure/defender-for-cloud/adaptive-application-controls)
\\r\\n💡 [Change Tracking and Inventory overview](https://docs.microsoft.com/azure/automation/change-tracking/overview)
\\r\\n💡 [Quickstart: Enable enhanced security features](https://docs.microsoft.com/azure/defender-for-cloud/enable-enhanced-security)
\\r\\n💡 [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/agents/log-analytics-agent)
\\r\\n💡 [Conditional Access: Grant](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-grant)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-10](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-10)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"CM.10\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-10] Software Usage Restrictions -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM10Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-10\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [User-Installed Software (CM-11)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#user-installed-software)\\r\\n\\r\\n\\ta. Establish [Assignment: organization-defined policies] governing the installation of software by users;\\r\\n\\tb. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and\\r\\n\\tc. 
Monitor policy compliance [Assignment: organization-defined frequency].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Introduction to Microsoft Defender for servers](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-servers-introduction)
\\r\\n💡 [Use adaptive application controls to reduce your machines' attack surfaces](https://docs.microsoft.com/azure/defender-for-cloud/adaptive-application-controls)
\\r\\n💡 [Change Tracking and Inventory overview](https://docs.microsoft.com/azure/automation/change-tracking/overview)
\\r\\n💡 [Quickstart: Enable enhanced security features](https://docs.microsoft.com/azure/defender-for-cloud/enable-enhanced-security)
\\r\\n💡 [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/agents/log-analytics-agent)
\\r\\n💡 [Conditional Access: Grant](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-grant)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-11](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-11)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"CM.11\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-11] User-Installed Software -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM11Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-11\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isCMVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Configuration Management Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Contingency Planning](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=CP)\\r\\n---\\r\\nContingency Planning includes processes and procedures aligned to recovering from a disaster and ensuring business continuity.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": 
\\\\\\\"Alternate Storage Site [CP-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CP-6\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Alternate Processing Site [CP-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CP-7\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Information System Backup [CP-9]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CP-9\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"17f70fb6-9010-4611-99de-6fabfe7deae9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCP6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CP-6\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCP7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CP-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"3fa97282-c124-4358-a413-22ce34a2dea9\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCP9Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\
"contains\",\"rightValType\":\"static\",\"rightVal\":\"CP-9\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"0a4b7234-ef17-4440-b66f-3448734905bb\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Alternate Storage Site (CP-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#alternate-storage-site)\\r\\n\\r\\n\\ta. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and\\r\\n\\tb. Ensure that the alternate storage site provides controls equivalent to that of the primary site.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Storage Services](https://azure.microsoft.com/product-categories/storage/) ✳️ [Azure Databases](https://azure.microsoft.com/product-categories/databases/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Business continuity management in Azure](https://docs.microsoft.com/azure/availability-zones/business-continuity-management-program)
\\r\\n💡 [Azure Storage redundancy](https://docs.microsoft.com/azure/virtual-machines/availability#azure-storage-redundancy)
\\r\\n💡 [Resiliency in Azure](https://docs.microsoft.com/azure/availability-zones/overview)
\\r\\n💡 [Create VM restore points](https://docs.microsoft.com/azure/virtual-machines/virtual-machines-create-restore-points)
\\r\\n💡 [Create a storage account](https://docs.microsoft.com/azure/storage/common/storage-account-create?tabs=azure-portal)
\\r\\n💡 [Replicate data to Azure SQL Database using Data Export Service](https://docs.microsoft.com/power-platform/admin/replicate-data-microsoft-azure-sql-database)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Storage Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts)
\\r\\n🔀 [SQL databases](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Sql%2Fservers%2Fdatabases)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CP-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CP-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"CP.6.*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CP-6] Alternate Storage Site -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"restorepoint\\\" or type contains \\\"storage\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CP-6] Alternate Storage Site -- Storage & Restore Points\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCP6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Alternate Processing Site (CP-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#alternate-processing-site-1)\\r\\n\\r\\n\\ta. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;\\r\\n\\tb. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and\\r\\n\\tc. Provide controls at the alternate processing site that are equivalent to those at the primary site.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Availabilty Zones](https://azure.microsoft.com/global-infrastructure/availability-zones/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Resiliency in Azure](https://docs.microsoft.com/azure/availability-zones/overview)
\\r\\n💡 [Regions and availability zones](https://docs.microsoft.com/azure/availability-zones/az-overview)
\\r\\n💡 [Create a virtual machine in an availability zone using the Azure portal](https://docs.microsoft.com/azure/virtual-machines/windows/create-portal-availability-zone)
\\r\\n💡 [Quickstart: Create a virtual machine scale set in the Azure portal](https://docs.microsoft.com/azure/virtual-machine-scale-sets/quick-create-portal)
\\r\\n\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\\r\\n🔀 [Virtual Machine Scale Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CP-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CP-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"CP.7\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CP-7] Alternate Processing Site -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"scalesets\\\" or type contains \\\"availabilitysets\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CP-7] Alternate Processing Site -- Availability Sets & Scale Sets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCP7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Information System Backup (CP-9)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#information-system-backup)\\r\\n\\r\\n\\ta. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];\\r\\n\\tb. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];\\r\\n\\tc. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and\\r\\n\\td. Protect the confidentiality, integrity, and availability of backup information.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Backup](https://azure.microsoft.com/services/backup/)✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure Backup service documentation](https://docs.microsoft.com/azure/backup/)
\\r\\n💡 [Recovery Services vaults overview](https://docs.microsoft.com/azure/backup/backup-azure-recovery-services-vault-overview)
\\r\\n💡 [Azure Key Vault backup and restore](https://docs.microsoft.com/azure/key-vault/general/backup)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Backup Center](https://portal.azure.com/#blade/Microsoft_Azure_DataProtection/BackupCenterMenuBlade/overview)
\\r\\n🔀 [Recovery Services Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.RecoveryServices%2Fvaults)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CP-9](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CP-9)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"CP.9\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CP-9] Information System Backup -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"[CP-9(1)] Contingency Plan -- Test for Reliability/Integrity of Backups via Contingency Tooling\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"a32b5156-4cec-481d-83b3-165ca9208301\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Backup Center\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BackupCenterMenuBlade\",\"extensionName\":\"Microsoft_Azure_DataProtection\"}},{\"id\":\"900442ab-f711-4162-ab1a-309f39c1a64a\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Backup Vaults\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.DataProtection/BackupVaults\"}]}},{\"id\":\"7a6098fe-3036-4e9f-8586-4cb0e6b86090\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Backup 
Items\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems\"}]}},{\"id\":\"7702dcc5-bcac-4649-82bb-9b4ca295d965\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Recovery Services Vaults\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.RecoveryServices/vaults\"}]}},{\"id\":\"4c495517-17a6-4ffd-ab2c-354fa78ebe14\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Availability Sets\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Compute/availabilitySets\"}]}},{\"id\":\"39914af1-c88c-4506-9cb8-3cee5811e964\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Inventory\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"name\":\"links - 1\"}]},\"customWidth\":\"50\",\"name\":\"Configuration Management\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"recover\\\" or type contains \\\"restore\\\" or type contains \\\"keyvault\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CP-9] Information System Backup -- Azure Backups & Key Vaults\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"recover\\\" or Description contains \\\"restore\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"recover\\\" or Description contains \\\"restore\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"recover\\\" or Description contains \\\"restore\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description !contains \\\"feedback\\\" and Description !contains \\\"fallback\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CP-9] Information System Backup -- Configure Security 
Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCP9Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CP-9\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isCPVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Contingency Planning Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Identification & Authentication](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=IA)\\r\\n---\\r\\nIdentification & Authentication Management is the process of managing user, system, asset identities and controlling access to authorized resources.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Organizational Users [IA-2]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA-2\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Identifier Management [IA-4]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA-4\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authenticator Management [IA-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA-5\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIA2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA-2\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"6f7f419d-796c-46f8-b74b-5b783f4a90ce\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIA4Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA-4\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c97a42bd-0a6b-47c6-8cad-65a6ab3e1fc7\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIA5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4c5d94f9-f3fc-4fac-adb5-adc0dcfd93c2\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ 
\\\\\\\"Control\\\\\\\": \\\\\\\"Authenticator Feedback [IA-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA-6\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Cryptographic Module Authentication [IA-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA-7\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Non-Organizational Users [IA-8]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA-8\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIA6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA-6\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d9a45678-63e7-41e1-a843-0fef03138190\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIA7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ac00a653-fbbf-4e3a-8ef2-093b6ecc908e\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIA8Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\
":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA-8\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c97b2bb1-a3e6-4de1-be11-1bfb9f3e6aa7\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Organizational Users (IA-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#identification-and-authentication-organizational-users)\\r\\n\\r\\nUniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n💡 [Building a Conditional Access policy](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policies)
\\r\\n💡 [How it works: Microsoft Entra ID Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
\\r\\n💡 [Plan an Microsoft Entra ID Multi-Factor Authentication deployment](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted)
\\r\\n💡 [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Entra ID: Users](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/MsGraphUsers)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IA-2](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IA-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserType, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| where UserType == \\\"Member\\\"\\r\\n| project UserPrincipalName, UserType, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-2] Identification and Authentication -- Organizational Users\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\"\\r\\n| where AnalyzeResult == 
\\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-2] Identification and Authentication -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 
'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"IA.2.*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == 
\\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-2] Identification and Authentication -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIA2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Identifier Management (IA-4)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#identifier-management)\\r\\n\\r\\n\\tManage system identifiers by:\\r\\n\\ta. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, service, or device identifier;\\r\\n\\tb. Selecting an identifier that identifies an individual, group, role, service, or device;\\r\\n\\tc. Assigning the identifier to the intended individual, group, role, service, or device; and\\r\\n\\td. Preventing reuse of identifiers for [Assignment: organization-defined time period].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Entra ID fundamentals documentation](https://docs.microsoft.com/azure/active-directory/fundamentals/)
\\r\\n💡 [Govern access for external users in Microsoft Entra ID entitlement management](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-external-users)
\\r\\n💡 [Use activity filters and create action policies with Microsoft Defender for Identity in Microsoft Defender for Cloud Apps](https://docs.microsoft.com/defender-for-identity/activities-filtering-mcas)
\\r\\n💡 [Security assessment: Dormant entities in sensitive groups](https://docs.microsoft.com/defender-for-identity/cas-isp-dormant-entities#how-do-i-use-this-security-assessment)
\\r\\n💡 [Create an access review of groups and applications in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/governance/create-access-review)
\\r\\n💡 [How to detect inactive user accounts](https://docs.microsoft.com/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts#how-to-detect-inactive-user-accounts)
\\r\\n💡 [How To: Manage inactive user accounts in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Entra ID: Identity Governance - Access Reviews](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/Controls)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IA-4](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IA-4)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"IA.4\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-4] Identifier Management -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"account\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"account\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"account\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / 
todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-4] Identifier Management -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIA4Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA-4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticator Management (IA-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#identifier-management)\\r\\n\\r\\n\\tManage system authenticators by:\\r\\n\\ta. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;\\r\\n\\tb. Establishing initial authenticator content for any authenticators issued by the organization;\\r\\n\\tc. Ensuring that authenticators have sufficient strength of mechanism for their intended use;\\r\\n\\td. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;\\r\\n\\te. Changing default authenticators prior to first use;\\r\\n\\tf. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;\\r\\n\\tg. Protecting authenticator content from unauthorized disclosure and modification;\\r\\n\\th. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and\\r\\n\\ti. 
Changing authenticators for group or role accounts when membership to those accounts changes.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Enforce on-premises Microsoft Entra ID Password Protection for Active Directory Domain Services\\r\\n](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad-on-premises)
\\r\\n💡 [Create a custom password policy](https://docs.microsoft.com/azure/active-directory-domain-services/password-policy#create-a-custom-password-policy)
\\r\\n💡 [Password policies and account restrictions in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy)
\\r\\n💡 [Global banned password list](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad#global-banned-password-list)
\\r\\n💡 [Custom banned password list](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad#custom-banned-password-list)
\\r\\n💡 [Device password requirements](https://docs.microsoft.com/mem/intune/user-help/password-does-not-meet-it-administrator-requirements)
\\r\\n💡 [Compliance policy settings](https://docs.microsoft.com/mem/intune/protect/device-compliance-get-started#compliance-policy-settings)
\\r\\n💡 [Integrate with Conditional Access](https://docs.microsoft.com/mem/intune/protect/device-compliance-get-started#integrate-with-conditional-access)
\\r\\n💡 [Access model overview](https://docs.microsoft.com/azure/key-vault/general/security-features#access-model-overview)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Microsoft Entra ID: Password Protection](https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade)
\\r\\n🔀 [Microsoft Entra: Authenticator Management](https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/AdminAuthMethods)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IA-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IA-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"IA.5\\\" and complianceControlId !contains \\\"*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-5] Authenticator Management -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"password\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"password\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"password\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / 
todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-5] Authenticator Management -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"[IA-5] Authenticator Management -- Leverage Authenticator Tooling\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"a32b5156-4cec-481d-83b3-165ca9208301\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID: Password Protection (Banned 
Passwords)\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"PasswordProtectionBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}},{\"id\":\"27d9b4d1-fc6b-4813-b851-f8bd130d0be5\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID: Authenticator Management\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"AuthenticationMethodsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}},{\"id\":\"d1f6bb1b-7fa4-49cf-91cd-2f67465563aa\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID: Conditional Access\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ConditionalAccessBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}}]},\"name\":\"links - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIA5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticator Feedback (IA-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#authenticator-feedback)\\r\\n\\r\\nObscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Password box](https://docs.microsoft.com/windows/apps/design/controls/password-box)
\\r\\n💡 [Policy CSP - CredentialsU](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialsui)
\\r\\n💡 [Manage security baseline profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/security-baselines-configure)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center: Security Baselines](https://endpoint.microsoft.com/#blade/Microsoft_Intune_Workflows/SecurityManagementMenu/securityBaselines)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IA-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IA-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"EnableSmartScreen\\\" or RuleSetting contains \\\"DisablePasswordReveal\\\" or RuleSetting contains \\\"DisableLockScreenAppNotifications\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"EnableSmartScreen\\\" or RuleSetting contains \\\"DisablePasswordReveal\\\" or RuleSetting contains \\\"DisableLockScreenAppNotifications\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"EnableSmartScreen\\\" or RuleSetting contains \\\"DisablePasswordReveal\\\" or RuleSetting contains \\\"DisableLockScreenAppNotifications\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-6] Authenticator Feedback -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides 
Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIA6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA-6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cryptographic Module 
Authentication (IA-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#cryptographic-module-authentication)\\r\\n\\r\\nImplement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Configure identification and authentication controls to meet FedRAMP High Impact level](https://docs.microsoft.com/azure/active-directory/standards/fedramp-identification-and-authentication-controls)
\\r\\n💡 [Configure Microsoft Entra ID to meet NIST authenticator assurance levels](https://docs.microsoft.com/azure/active-directory/standards/nist-overview)
\\r\\n💡 [Achieve NIST authenticator assurance level 2 with Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/standards/nist-authenticator-assurance-level-2)
\\r\\n💡 [TPM Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IA-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IA-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId\\r\\n| where RecommendationDisplayName contains \\\"TPM\\\"\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-7] Cryptographic Module Authentication -- Configure/Monitor Authentictor Assurance Levels\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIA7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA-7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Non-Organizational Users (IA-8)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#identification-and-authentication-non-organizational-users)\\r\\n\\r\\nUniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Quickstart: Add guest users to your directory in the Azure portal](https://docs.microsoft.com/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal)
\\r\\n💡 [Restrict guest access permissions in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/enterprise-users/users-restrict-guest-permissions)
\\r\\n💡 [Properties of an Microsoft Entra ID B2B collaboration user](https://docs.microsoft.com/azure/active-directory/external-identities/user-properties)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Entra ID: External Identities](https://portal.azure.com/#blade/Microsoft_AAD_IAM/CompanyRelationshipsMenuBlade/ExternalIdentitiesGettingStarted)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IA-8](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IA-8)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserType, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| where UserType <> \\\"Member\\\"\\r\\n| project UserPrincipalName, UserType, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-8] Identification and Authentication -- Non-Organizational Users\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"guest\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"guest\\\"\\r\\n| where 
AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"guest\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-8] Identification and Authentication -- Non-organizational Users -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIA8Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA-8\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isIAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Identification & Authentication Family \"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Response](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=IR)\\r\\n---\\r\\nIncident Response is the process of responding to cybersecurity incidents and events. 
Incident Response includes preparation, identification, containment, eradication, recovery, and lessons learned phases.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Response Testing [IR-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IR-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Handling [IR-4]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IR-4\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Monitoring [IR-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IR-5\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Reporting [IR-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IR-6\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIR3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IR-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"8c96f96a-18c1-47d9-9886-0c9d05a6bd75\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIR4Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IR-4\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"2ac699fa-7a03-4c35-a09f-9e2e28e668e1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIR5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IR-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"fb20a59e-8d30-425d-8fc8-7567195bd1f1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIR6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IR-6\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"op
erator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"3d6c20c9-06d7-4d5e-93ae-a5084c409dcc\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Response Testing (IR-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#incident-response-testing)\\r\\n\\r\\nTest the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests].\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Incident response planning](https://docs.microsoft.com/security/compass/incident-response-planning)
\\r\\n💡 [Simulate a phishing attack in Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/attack-simulation-training?)
\\r\\n💡 [How to Generate Microsoft Sentinel Incidents for Testing](https://techcommunity.microsoft.com/discussions/microsoft-security/new-blog-post--how-to-generate-microsoft-sentinel-incidents-for-testing-and-demo/3256681)
\\r\\n💡 [Experience Microsoft Defender for Endpoint through simulated attacks](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-simulations)
\\r\\n💡 [Testing with the Microsoft Sentinel Training Lab](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/learning-with-the-microsoft-sentinel-training-lab/ba-p/2953403)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender: Attack Simulation](https://security.microsoft.com/attacksimulator?viewid=overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IR-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IR-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"test\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IR-3] Incident Response Testing -- Incident Tests\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"
query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIR3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IR-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Handling (IR-4)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#incident-handling)\\r\\n\\r\\n\\ta. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;\\r\\n\\tb. Coordinate incident handling activities with contingency planning activities;\\r\\n\\tc. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and\\r\\n\\td. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender) \\r\\n\\r\\n### Implementation\\r\\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\\r\\n💡 [Tutorial: Use playbooks with automation rules in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook)
\\r\\n💡 [Keep track of data during incident response with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/bookmarks)
\\r\\n💡 [Manage your SOC better with incident metrics](https://docs.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics)
\\r\\n💡 [Manage incidents in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/manage-incidents)
\\r\\n💡 [Incident response with Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/incidents-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel: Incidents](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender: Incidents](https://security.microsoft.com/incidents)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IR-4](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IR-4)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IR-4] Incident Handling -- Incidents\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"
query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIR4Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IR-4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Monitoring (IR-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#incident-monitoring)\\r\\n\\r\\nTrack and document incidents.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender) \\r\\n\\r\\n### Implementation\\r\\n💡 [Automatically create incidents from Microsoft security alerts](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)
\\r\\n💡 [Create custom analytics rules to detect threats](https://docs.microsoft.com/azure/sentinel/detect-threats-custom)
\\r\\n💡 [Hybrid Security Monitoring using Microsoft Defender for Cloud and Microsoft Sentinel](https://docs.microsoft.com/azure/architecture/hybrid/hybrid-security-monitoring)
\\r\\n💡 [Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
\\r\\n💡 [Automate threat response with playbooks in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/automate-responses-with-playbooks)
\\r\\n💡 [Manage incidents in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/manage-incidents)
\\r\\n💡 [Incident response with Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/incidents-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel: Incidents](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender: Incidents](https://security.microsoft.com/incidents)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IR-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IR-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Severity\\r\\n| render timechart \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IR-5] Incident Monitoring -- Incidents over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"y
ellowOrangeRed\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIR5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IR-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Reporting (IR-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#incident-reporting)\\r\\n\\r\\n\\ta. Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and\\r\\n\\tb. Report incident information to [Assignment: organization-defined authorities].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender) \\r\\n\\r\\n### Implementation\\r\\n💡 [Manage your SOC better with incident metrics](https://docs.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics)
\\r\\n💡 [Use Azure Monitor workbooks to visualize and monitor your data](https://docs.microsoft.com/azure/sentinel/monitor-your-data)
\\r\\n💡 [Visualize collected data](https://docs.microsoft.com/azure/sentinel/get-visibility)
\\r\\n💡 [Manage incidents in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/manage-incidents)
\\r\\n💡 [Incident response with Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/incidents-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel: Incidents](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender: Incidents](https://security.microsoft.com/incidents)
\\r\\n### NIST SP 800-53 Guidance\\r\\n[IR-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IR-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"[IR-6] Incident Reporting -- Incidents by Severity\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"High\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"High\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"ti
tleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"Medium\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"Medium \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":fa
lse,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"orange\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"Low\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"Low\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"yellow\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where dayofyear(TimeGenerated) == dayofyear(now())\\n| summarize count()\\n\\n\\n\",\"size\":4,\"title\":\"New Today\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"blueDark\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10\"}]},\"customWidth\":\"50\",\"name\":\"Incidents\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| extend [\\\"MITRE ATT&CK Tactics\\\"] = tostring(parse_json(tostring(AdditionalData.tactics))[0])\\r\\n| where Severity == \\\"High\\\"\\r\\n| summarize count() by [\\\"Incident Name\\\"]=Title, [\\\"MITRE ATT&CK Tactics\\\"]\\r\\n| sort by count_ desc\\r\\n| 
limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IR-5] Incident Monitoring -- High Severity Incident Types\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColor
Settings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\r\\n| where Severity == \\\"High\\\"\\r\\n| make-series count() default=0 on FirstModifiedTime from {TimeRange:start} to {TimeRange:end} step 1d by Title\\r\\n| render timechart \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IR-5] Incident Monitoring -- High Severity Incidents over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0
}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber\\r\\n| where Status == \\\"Closed\\\"\\r\\n| extend TimeToRespond = (CreatedTime - FirstActivityTime)/1d \\r\\n| extend TimeToResolve = (ClosedTime - CreatedTime)/1d\\r\\n| extend AssignedAnalyst = tostring(Owner.assignedTo)\\r\\n| extend [\\\"MITRE ATT&CK Tactics\\\"] = tostring(parse_json(tostring(AdditionalData.tactics))[0])\\r\\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, ClosedTime desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, [\\\"MITRE ATT&CK Tactics\\\"], AssignedAnalyst, Classification, ClassificationComment, ClassificationReason, Description, TimeToRespond, TimeToResolve, IncidentStartTime=CreatedTime, IncidentClosedTime=ClosedTime, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IR-5] Incident Monitoring -- 
Incident Closure Reports\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"TimeToRespond\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"TimeToResolve\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIR6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IR-6\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isIRVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Incident Response Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Media Protection](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=MP)\\r\\n---\\r\\nMedia protection includes physical, logical, and administrative controls over sensitive data. 
\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Access [MP-2]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MP-2\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Marking [MP-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MP-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Transport [MP-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MP-5\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Sanitization [MP-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MP-6\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Use [MP-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MP-7\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"4700784f-bcd3-436c-a6c9-1678ae081de2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMP2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MP-2\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMP3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MP-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"357abfc4-fb8e-4162-b003-963f76c37bc6\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMP5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MP-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e32367e5-3bb7-42f5-9464-6cc7b05d468c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMP6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MP-6\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"op
erator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d1baed97-9f3a-4269-b160-0ec5834ebb14\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMP7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MP-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b260fee7-8f91-4bc7-9aa5-0136c8ef7563\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Media Access (MP-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#media-access)\\r\\n\\r\\nRestrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionEvents](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is the Azure Information Protection unified labeling scanner?](https://docs.microsoft.com/azure/information-protection/deploy-aip-scanner)
\\r\\n💡 [Prevent data leaks on non-managed devices using Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/data-leak-prevention)
\\r\\n💡 [App protection policies overview](https://docs.microsoft.com/mem/intune/apps/app-protection-policy)
\\r\\n💡 [How to integrate Microsoft Information Protection with Defender for Cloud Apps](https://docs.microsoft.com/defender-cloud-apps/azip-integration#how-to-integrate-azure-information-protection-with-cloud-app-security)
\\r\\n💡 [Data loss prevention reference](https://docs.microsoft.com/microsoft-365/compliance/data-loss-prevention-policies?)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n🔀 [Microsoft 365 Compliance Manager: Information Protection](https://compliance.microsoft.com/informationprotection?viewid=overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[MP-2](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=MP-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionEvents\\r\\n| extend AIP = strcat(\\\"https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/ActivityLogsBlade\\\")\\r\\n| project LabelName, Activity, AIP, User, ItemName, ItemPath, Platform, ApplicationName, ProtectionOwner, IpAddress, Time\\r\\n| sort by Time desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[MP-2] Media Access -- Control/Monitor File Access via AIP\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LabelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AIP\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection 
>>\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}}},{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProtectionOwner\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"[MP-2] Media Access -- Control/Monitor File 
Access\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"ac6f7462-59ff-4d82-86b0-0a6eccc35a51\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserPrincipalName\",\"label\":\"🔀 User Selector\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n| summarize by UserPrincipalName \",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"User Selector Parameter - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where UserId in ({UserPrincipalName})\\r\\n| where Operation contains \\\"file\\\"\\r\\n| extend Path = OfficeObjectId\\r\\n| project UserId, OfficeWorkload, Operation, SourceFileName, SourceFileExtension, Path, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"File Access Activity Details\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Path\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"Sour
ceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where UserId in ({UserPrincipalName})\\r\\n| where Operation contains \\\"file\\\"\\r\\n| summarize count() by UserId, SourceFileName, SourceFileExtension, OfficeObjectId \\r\\n| project UserId, SourceFileName, count_, OfficeObjectId\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Most Frequently Accessed Files\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SourceFileName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"OfficeObjectId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":
\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results80d\"}]},\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMP2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Media Marking (MP-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#media-marking)\\r\\n\\r\\n\\ta. Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and\\r\\n\\tb. Exempt [Assignment: organization-defined types of system media] from marking if the media remain within [Assignment: organization-defined controlled areas].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionEvents](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is the Azure Information Protection unified labeling scanner?](https://docs.microsoft.com/azure/information-protection/deploy-aip-scanner)
\\r\\n💡 [How to configure the policy settings for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-settings)
\\r\\n💡 [Admin Guide: Custom configurations for the Azure Information Protection unified labeling client](https://docs.microsoft.com/azure/information-protection/rms-client/clientv2-admin-guide-customizations)
\\r\\n💡 [Azure Information Protection (AIP) labeling, classification, and protection](https://docs.microsoft.com/azure/information-protection/aip-classification-and-protection)
\\r\\n💡 [Quickstart: Create a new Azure Information Protection label for specific users](https://docs.microsoft.com/azure/information-protection/quickstart-label-specificusers)
\\r\\n💡 [Quickstart: Find what sensitive information you have in files stored on-premises](https://docs.microsoft.com/azure/information-protection/quickstart-findsensitiveinfo)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection: Labels](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/globalBlade)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[MP-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=MP-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionEvents\\r\\n| extend AIP = strcat(\\\"https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/ActivityLogsBlade\\\")\\r\\n| summarize count() by LabelName, AIP\\r\\n| sort by count_ desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[MP-3] Media Marking -- Data Labeling via AIP\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LabelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AIP\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection 
>>\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}}},{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProtectionOwner\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 
2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMP3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Media Transport (MP-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#media-transport)\\r\\n\\r\\n\\ta. Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls];\\r\\n\\tb. Maintain accountability for system media during transport outside of controlled areas;\\r\\n\\tc. Document activities associated with the transport of system media; and\\r\\n\\td. Restrict the activities associated with the transport of system media to authorized personnel.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure Key Vault basic concepts](https://docs.microsoft.com/azure/key-vault/general/basic-concepts)
\\r\\n💡 [Quickstart: Create a new Azure Information Protection label for specific users](https://docs.microsoft.com/azure/information-protection/quickstart-label-specificusers)
\\r\\n💡 [Microsoft Defender for Endpoint Device Control Device Installation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/mde-device-control-device-installation?#allow-or-block-removable-devices)
\\r\\n💡 [Quickstart: Create a new Azure Information Protection label for specific users](https://docs.microsoft.com/azure/information-protection/quickstart-label-specificusers)
\\r\\n💡 [Customer Lockbox for Microsoft Azure](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview)
\\r\\n💡 [Restrict USB devices by using Intune Administrative Templates](https://docs.microsoft.com/troubleshoot/mem/intune/restrict-usb-with-administrative-template)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔀 [Customer Lockbox](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[MP-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=MP-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"DisableRemovableDriveScanning\\\" or RuleSetting contains \\\"NoDriveTypeAutoRun\\\" or RuleSetting contains \\\"EnableInstallerDetection\\\" or Description contains \\\"locker\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"DisableRemovableDriveScanning\\\" or RuleSetting contains \\\"NoDriveTypeAutoRun\\\" or RuleSetting contains \\\"EnableInstallerDetection\\\" or Description contains \\\"locker\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"DisableRemovableDriveScanning\\\" or RuleSetting contains \\\"NoDriveTypeAutoRun\\\" or RuleSetting contains \\\"EnableInstallerDetection\\\" or Description contains \\\"locker\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 
250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[MP-5] Media Transport -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMP5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Media Sanitization (MP-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#media-sanitization)\\r\\n\\r\\n\\ta. Sanitize [Assignment: organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures]; and\\r\\n\\tb. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [NIST SP 800-88 R1](https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final)
\\r\\n💡 [Set up Microsoft Sentinel customer-managed key](https://docs.microsoft.com/azure/sentinel/customer-managed-keys)
\\r\\n💡 [Azure customer data protection](https://docs.microsoft.com/azure/security/fundamentals/protection-customer-data)
\\r\\n💡 [Data-bearing device destruction](https://docs.microsoft.com/compliance/assurance/assurance-data-bearing-device-destruction)
\\r\\n💡 [Equipment disposal](https://docs.microsoft.com/azure/security/fundamentals/physical-security#equipment-disposal)
\\r\\n💡 [Data retention, deletion, and destruction in Microsoft 365](https://docs.microsoft.com/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[MP-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=MP-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where RecommendationName contains \\\"managed key\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[MP-6] Media Sanitization -- Leverage CMK for Cryptographic Erasure\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMP6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP-6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Media Use (MP-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#media-use)\\r\\n\\r\\n\\ta. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and\\r\\n\\tb. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Defender for Endpoint Device Control Device Installation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/mde-device-control-device-installation)
\\r\\n💡 [Use Windows 10 templates to configure group policy settings in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/administrative-templates-windows)
\\r\\n💡 [Policy CSP - DeviceInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[MP-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=MP-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where Description contains \\\"drive\\\" or Description contains \\\"USB\\\" or Description contains \\\"device\\\" or Description contains \\\"removable\\\" or Description contains \\\"media\\\" or Description contains \\\"print\\\" or Description contains \\\"save\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where Description contains \\\"drive\\\" or Description contains \\\"USB\\\" or Description contains \\\"device\\\" or Description contains \\\"removable\\\" or Description contains \\\"media\\\" or Description contains \\\"print\\\" or Description contains \\\"save\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where Description contains \\\"drive\\\" or Description contains \\\"USB\\\" or Description contains \\\"device\\\" or Description contains \\\"removable\\\" or Description contains \\\"media\\\" or Description contains \\\"print\\\" or Description contains \\\"save\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| 
project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[MP-7] Media Use -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"}
,{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMP7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP-7\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isMPVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Media Protection Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Risk Assessment](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=RA)\\r\\n---\\r\\nRisk Assessment ensures a consistent approach to the identification, mitigation, and response to security risks.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Categorization [RA-2]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RA-2\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Risk Assessment [RA-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RA-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Vulnerability Scanning [RA-5]\\\\\\\", 
\\\\\\\"tab\\\\\\\": \\\\\\\"RA-5\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRA2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RA-2\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b1b060d4-95a8-4c72-bc2e-88f62e6a4835\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRA3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RA-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"688c6b95-1494-4967-8974-fe44d8870639\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRA5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RA-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"87ba2e69-6c44-4938-98c
3-b8e38a919157\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Categorization (RA-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#security-categorization)\\r\\n\\r\\n\\ta. Categorize the system and information it processes, stores, and transmits;\\r\\n\\tb. Document the security categorization results, including supporting rationale, in the security plan for the system; and\\r\\n\\tc. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Use asset inventory to manage your resources' security posture](https://docs.microsoft.com/azure/defender-for-cloud/asset-inventory)
\\r\\n💡 [Software inventory - threat and vulnerability management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-software-inventory)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Inventory](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/25)
\\r\\n🔀 [Microsoft 365 Defender: Software Inventory](https://security.microsoft.com/software-inventory/applications)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[RA-2](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=RA-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| project AssetID=id,AssetType=type, Azure_Inventory, M365_Inventory\\r\\n| sort by AssetID asc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"[RA-2] Security Categorization -- Review Asset Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"query - 
1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRA2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RA-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Risk Assessment (RA-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#risk-assessment-1)\\r\\n\\r\\n\\ta. Conduct a risk assessment, including:\\r\\n\\t\\t1. Identifying threats to and vulnerabilities in the system;\\r\\n\\t\\t2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and\\r\\n\\t\\t3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;\\r\\n\\tb. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;\\r\\n\\tc. Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]];\\r\\n\\td. Review risk assessment results [Assignment: organization-defined frequency];\\r\\n\\te. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and\\r\\n\\tf. 
Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
🔷 [AADUserRiskEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID: Identity Protection](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n💡 [Automatically create incidents from Microsoft security alerts](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)
\\r\\n💡 [Microsoft Entra ID Protection integration](https://docs.microsoft.com/defender-cloud-apps/aadip-integration)
\\r\\n\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Entra ID Protection](https://portal.azure.com/#blade/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/Overview)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[RA-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=RA-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationState == \\\"Unhealthy\\\"\\r\\n| where isnotempty(RecommendationSeverity)\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationSeverity\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"[RA-3] Risk Assessment -- Security Recommendation Severity over Time\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud SecurityRecommendation logging is enabled and/or extend time thresholds for a larger data-set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Severity\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"[RA-3] Risk Assessment -- Security Incidents over 
Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AADUserRiskEvents \\r\\n| extend RiskyUsers = strcat(\\\"https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/RiskyUsersBlade\\\")\\r\\n| summarize count() by UserPrincipalName, RiskLevel, RiskyUsers\\r\\n| extend Rank=iff(RiskLevel == \\\"high\\\", 3, iff(RiskLevel == \\\"medium\\\", 2, iff(RiskLevel == \\\"low\\\", 1, 0)))\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| project UserPrincipalName, RiskLevel, RiskyUsers, count_, Rank\\r\\n| sort by Rank,count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[RA-3] Risk Assessment -- Risky Users\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud SecurityRecommendation logging is enabled and/or extend time thresholds for 
a larger data-set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RiskLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RiskyUsers\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Risky User Response >>\",\"bladeOpenContext\":{\"bladeName\":\"RiskyUsersBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Rank\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRA3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RA-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Vulnerability Scanning (RA-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#vulnerability-scanning)\\r\\n\\r\\n\\ta. 
Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;\\r\\n\\tb. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:\\r\\n\\t\\t1. Enumerating platforms, software flaws, and improper configurations;\\r\\n\\t\\t2. Formatting checklists and test procedures; and\\r\\n\\t\\t3. Measuring vulnerability impact;\\r\\n\\tc. Analyze vulnerability scan reports and results from vulnerability monitoring;\\r\\n\\td. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;\\r\\n\\te. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and\\r\\n\\tf. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) 🔷 [SecurityNestedRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitynestedrecommendation)✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Defender for Cloud's integrated Qualys vulnerability scanner for Azure and hybrid machines](https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-vm)
\\r\\n💡 [Threat and vulnerability management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt?)
\\r\\n💡 [View and remediate findings from vulnerability assessment solutions on your VMs](https://docs.microsoft.com/azure/defender-for-cloud/remediate-vulnerability-findings-vm)
\\r\\n💡 [Vulnerabilities in my organization - threat and vulnerability management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-weaknesses?)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft 365 Defender: Threat & Vulnerability Management](https://security.microsoft.com/tvm_dashboard)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[RA-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=RA-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n| where type == \\\"microsoft.security/assessments/subassessments\\\"\\r\\n| extend assessmentKey = extract(\\\".*assessments/(.+?)/.*\\\",1, id)\\r\\n| where assessmentKey == \\\"1195afff-c881-495e-9bc5-1486211ae03f\\\"\\r\\n | project Resource = tolower(extract(\\\"([\\\\\\\\s\\\\\\\\S]*?)(/providers/Microsoft.Security.*)\\\",1,id)), ResourceGroup = trim_end(\\\"/\\\",extract(\\\".*resourceGroups/(.+?)/\\\",0,id)), ResourceType = tolower(split(id,\\\"/\\\").[6]), subscriptionId, severity = tostring(parse_json(properties).status.severity), status = tostring(parse_json(properties).status.code), VulnId = tostring(parse_json(properties).id), description = tostring(parse_json(properties).displayName), patchable = parse_json(properties.additionalData).patchable, cve = parse_json(properties.additionalData).cve\\r\\n | where status == 'Unhealthy'\\r\\n | summarize dcount(VulnId) by ResourceGroup, Resource, severity, VulnId, description, tostring(patchable), tostring(cve)\\r\\n | summarize Total = count(dcount_VulnId), sevH=countif(severity=='High'), sevM=countif(severity=='Medium'), sevL=countif(severity=='Low'), patchAvailable = countif(patchable=='true'), CVEcount =countif(cve!='[]') by ResourceGroup, Resource\\r\\n | order by sevH desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[RA-5] Vulnerability Scanning >> Select Asset for Details Below\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"exportFieldName\":\"Resource\",\"exportParameterName\":\"selectedServer\",\"exportDefaultValue\":\"All\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"$gen_group\",\"formatter\":13,\"formatOptions\":{\"linkColumn\":\"Resource\",\"linkTarget\":\"Resource\",\"showIcon\":true,\"customColumnWidthSetting\":\"30ch\"}},{\"columnMatch\":\"ResourceGroup\",\"formatter\":5},{\"columnMatch\":\"Resource\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"Total\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10ch\"}},{\"columnMatch\":\"sevH\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"12ch\"}},{\"columnMatch\":\"sevM\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\",\"customColumnWidthSetting\":\"13ch\"}},{\"columnMatch\":\"sevL\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blueDark\",\"customColumnWidthSetting\":\"10ch\"}},{\"columnMatch\":\"patchAvailable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"CVEcount\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"10ch\"}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ResourceGroup\"],\"expandTopLevel\":true,\"finalBy\":\"Resource\"},\"labelSettings\":[{\"columnId\":\"ResourceGroup\",\"label\":\"Resource 
group\"},{\"columnId\":\"sevH\",\"label\":\"High\"},{\"columnId\":\"sevM\",\"label\":\"Medium\"},{\"columnId\":\"sevL\",\"label\":\"Low\"},{\"columnId\":\"patchAvailable\",\"label\":\"Available patches\"},{\"columnId\":\"CVEcount\",\"label\":\"CVEs\"}]}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n| where type == \\\"microsoft.security/assessments/subassessments\\\"\\r\\n| extend assessmentKey = extract(\\\".*assessments/(.+?)/.*\\\",1, id)\\r\\n| where assessmentKey == \\\"1195afff-c881-495e-9bc5-1486211ae03f\\\"\\r\\n| project Resource = tolower(extract(\\\"([\\\\\\\\s\\\\\\\\S]*?)(/providers/Microsoft.Security.*)\\\",1,id)), ResourceGroup = trim_end(\\\"/\\\",extract(\\\".*resourceGroups/(.+?)/\\\",0,id)), ResourceType = tolower(split(id,\\\"/\\\").[6]), subscriptionId, Severity = tostring(parse_json(properties).status.severity), Status = tostring(parse_json(properties).status.code), VulnId = tostring(parse_json(properties).id), Description = tostring(parse_json(properties).displayName), Patchable = parse_json(properties.additionalData).patchable, CVE = properties.additionalData.cve, Category = tostring(properties.category), TimeGenerated = tostring(properties.timeGenerated), Remediation = tostring(properties.remediation), Impact = tostring(properties.impact), Threat = tostring(properties.additionalData.threat)\\r\\n| where Status == 'Unhealthy'\\r\\n| where '{selectedServer}' == 'All' or Resource == '{selectedServer}'\\r\\n| project Severity, VulnId, Description, tostring(Patchable), Category, Resource, ResourceGroup, CVE, TimeGenerated, Remediation, Impact, Threat\\r\\n| mv-expand CveExpand = split (CVE, \\\"},\\\") to typeof(string)\\r\\n| parse CveExpand with * '\\\"title\\\":\\\"' singleCve '\\\"' *\\r\\n| summarize CVEs = tostring(make_list(singleCve)) by Severity, VulnId, Description, tostring(Patchable), Category, Resource, ResourceGroup, TimeGenerated, Threat, 
Impact, Remediation\",\"size\":0,\"showAnalytics\":true,\"title\":\"[RA-5] Vulnerability Details >> Select Asset Above\",\"noDataMessage\":\"Select Asset in Vulnerability Scanning Panel Above\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{selectedServer}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":5},{\"columnMatch\":\"VulnId\",\"formatter\":5},{\"columnMatch\":\"Resource\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"Remediation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Severity\"],\"expandTopLevel\":true,\"finalBy\":\"VulnId\"},\"labelSettings\":[{\"columnId\":\"ResourceGroup\",\"label\":\"Resource group\"},{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"}]}},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | 
extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | 
distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"RA.5\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[RA-5] Vulnerability Scan -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRA5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RA-5\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isRAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Risk Assessment Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System & Communications Protection](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=SC)\\r\\n---\\r\\nSystem & Communications Protection includes network security for administrative and management functions.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Denial of Service Protection [SC-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-5\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Resource Availability [SC-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-6\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Boundary Protection [SC-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-7\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Transmission Confidentiality & Integrity [SC-8]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-8\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Cryptographic Key Management [SC-12]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-12\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Cryptographic Protection [SC-13]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-13\\\\\\\" 
}\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"97ff7e32-a037-40b7-9e80-1c7b07d067f2\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-6\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"1a9b38e0-add0-4eb8-aaaf-497e0247b0a1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ffbdb17a-8192-4a95-9b3b-3e41c9698d1e\"},{\"version\":\"KqlParame
terItem/1.0\",\"name\":\"isSC8Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-8\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"961c000c-366c-4339-9251-c6655930668e\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC12Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-12\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"85a22349-ab5d-4975-b11b-dfaccc5e5584\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC13Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-13\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"18d9df7f-9120-4488-94d2-9d7073ce547b\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Public Key Infrastructure Certificates [SC-17]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-17\\\\\\\" },\\\\r\\\\n\\\\t{ 
\\\\\\\"Control\\\\\\\": \\\\\\\"Mobile Code [SC-18]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-18\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Secure Name Resolution Service [SC-21]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-21\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Session Authenticity [SC-23]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-23\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Honeypots [SC-26]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-26\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Protection of Information at Rest [SC-28]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-28\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC17Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-17\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"5ae74048-1da8-455e-9c0c-822f94893764\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC18Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-18\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",
\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"80fda944-16cd-48b9-89c2-9e15ced4b404\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC21Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-21\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"90732ff4-83e8-4c30-9fe1-4dcce44a3cfa\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC23Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-23\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"27d42082-d14c-4dc1-b351-bbcbfe55e154\"},{\"id\":\"76836fe0-0947-4aef-a0b7-272830c2d546\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC26Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-26\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC28Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-28\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\
"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"13b89fee-4689-4484-90a9-db92db8f0f3d\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Denial of Service Protection (SC-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#denial-of-service-protection)\\r\\n\\r\\n\\ta. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and\\r\\n\\tb. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure DDoS Protection]( https://azure.microsoft.com/services/ddos-protection/)
\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure DDoS Protection Standard overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
\\r\\n💡 [Quickstart: Create and configure Azure DDoS Protection Standard](https://docs.microsoft.com/azure/ddos-protection/manage-ddos-protection)
\\r\\n💡 [Microsoft denial-of-service defense strategy](https://docs.microsoft.com/compliance/assurance/assurance-microsoft-dos-defense-strategy)
\\r\\n💡 [Components of a DDoS response strategy](https://docs.microsoft.com/azure/ddos-protection/ddos-response-strategy)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DDoS protection plans](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct 
ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | where RecommendationName contains \\\"dos\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-5] Denial of Service Protection -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"dos\\\"\\r\\n| project 
id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-5] Denial of Service Protection -- DDoS Protection Plans\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"dos\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-5] Denial of Service Protection -- DDoS Security Incidents\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These 
Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"IPAddress\",\"parameterName\":\"IPAddress\",\"parameterType\":1},{\"fieldName\":\"ResourceId\",\"parameterName\":\"ResourceId\",\"parameterType\":1,\"defaultValue\":\"ResourceId\"},{\"fieldName\":\"Resource\",\"parameterName\":\"AttackReport\",\"parameterType\":1,\"defaultValue\":\"/\"}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"subtitleContent\":{\"columnMatch\":\"TopAttackVector\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Resource\"},\"rightContent\":{\"columnMatch\":\"TimeGenerated\"},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Resource Availability (SC-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#resource-availability)\\r\\n\\r\\nProtect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Machine Scale Sets]( https://azure.microsoft.com/services/virtual-machine-scale-sets/) ✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) ✳️ [Application Gateway]( https://azure.microsoft.com/services/application-gateway/) ✳️ [Azure Front Door](https://azure.microsoft.com/services/frontdoor/) ✳️ [Traffic Manager](https://azure.microsoft.com/services/traffic-manager/)
\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Quickstart: Create a public load balancer to load balance VMs using the Azure portal](https://docs.microsoft.com/azure/load-balancer/quickstart-load-balancer-standard-public-portal)
\\r\\n💡 [Quickstart: Create a Traffic Manager profile using the Azure portal](https://docs.microsoft.com/azure/traffic-manager/quickstart-create-traffic-manager-profile)
\\r\\n💡 [Quickstart: Direct web traffic with Azure Application Gateway - Azure portal](https://docs.microsoft.com/azure/application-gateway/quick-create-portal)
\\r\\n💡 [Quickstart: Create a Front Door for a highly available global web application](https://docs.microsoft.com/azure/frontdoor/quickstart-create-front-door)
\\r\\n💡 [Quickstart: Create a virtual machine scale set in the Azure portal](https://docs.microsoft.com/azure/virtual-machine-scale-sets/quick-create-portal)
\\r\\n💡 [SQL Databases: Horizontal & Vertical Scaling](https://docs.microsoft.com/azure/azure-sql/database/elastic-scale-introduction#horizontal-and-vertical-scaling)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Load Balancers]()
\\r\\n🔀 [Traffic Manager]()
\\r\\n🔀 [Front Door]()
\\r\\n🔀 [Application Gateway]()
\\r\\n🔀 [Virtual Machine Scale Sets]()
\\r\\n🔀 [SQL Datbases]()
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"applicationgateway\\\" or type contains \\\"frontdoor\\\" or type contains \\\"load\\\" or type contains \\\"scale\\\" or type contains \\\"traffic\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-6] Resource Availability -- Load Balancers, Traffic Managers, Scale Sets, Front Door, Application Security Groups\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | 
extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = 
countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | where RecommendationName contains \\\"avail\\\" or RecommendationName contains \\\"load\\\" or RecommendationName contains \\\"scale\\\" or RecommendationName contains \\\"front\\\" or RecommendationName contains \\\"application gateway\\\" or RecommendationName contains \\\"traffic\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-6] Resource Availability -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Boundary Protection (SC-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#boundary-protection)\\r\\n\\r\\n\\ta. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;\\r\\n\\tb. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and\\r\\n\\tc. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Application Gateway](https://azure.microsoft.com/services/application-gateway/) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) ✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) ✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) ✳️ [VPN Gateway]( https://azure.microsoft.com/services/vpn-gateway/)
\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Tutorial: Deploy and configure Azure Firewall and policy using the Azure portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal-policy)
\\r\\n💡 [Azure Firewall: Intrustion Prevention Detection System / TLS Inspection](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n💡 [Quickstart: Create a virtual network using the Azure portal](https://docs.microsoft.com/azure/virtual-network/quick-create-portal)
\\r\\n💡 [Tutorial: Create and manage a VPN gateway using Azure portal](https://docs.microsoft.com/azure/vpn-gateway/tutorial-create-gateway-portal)
\\r\\n💡 [Create an Azure Network Watcher instance](https://docs.microsoft.com/azure/network-watcher/network-watcher-create)
\\r\\n💡 [Network security groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview)
\\r\\n💡 [Application security groups](https://docs.microsoft.com/azure/virtual-network/application-security-groups)
\\r\\n💡 [What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡 [Quickstart: Create and modify an ExpressRoute circuit](https://docs.microsoft.com/azure/expressroute/expressroute-howto-circuit-portal-resource-manager)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔀 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n🔀 [ExpressRoute](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n🔀 [Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔀 [Azure Web Application Firewall](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n🔀 [Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/applicationgateways)
\\r\\n🔀 [Network Watcher](https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview)
\\r\\n🔀 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"SC.7\\\" and complianceControlId !contains \\\"*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-7] Boundary Protection -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"network\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-7] Boundary Protection -- Network Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Transmission Confidentiality & Integrity (SC-8)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#transmission-confidentiality-and-integrity)\\r\\n\\r\\nProtect the [Selection (one or more): confidentiality; integrity] of transmitted information.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure encryption overview](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview)
\\r\\n💡 [Device Compliance settings for Windows 10/11 in Intune](https://docs.microsoft.com/mem/intune/protect/compliance-policy-create-windows)
\\r\\n💡 [Conditional Access: Require approved client apps or app protection policy](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection)
\\r\\n💡 [How to create and assign app protection policies](https://docs.microsoft.com/mem/intune/apps/app-protection-policies)
\\r\\n💡 [Android app protection policy settings in Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/app-protection-policy-settings-android)
\\r\\n💡 [iOS app protection policy settings](https://docs.microsoft.com/mem/intune/apps/app-protection-policy-settings-ios)
\\r\\n💡 [Network access control (NAC) integration with Intune](https://docs.microsoft.com/mem/intune/protect/network-access-control-integrate)
\\r\\n💡 [What are common ways to use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
\\r\\n💡 [What is Azure ExpressRoute?](https://docs.microsoft.com/azure/expressroute/expressroute-introduction)
\\r\\n💡 [Remote Desktop Protocol](https://docs.microsoft.com/windows/win32/termserv/remote-desktop-protocol)
\\r\\n💡 [How to use SSH keys with Windows on Azure](https://docs.microsoft.com/azure/virtual-machines/linux/ssh-from-windows)
\\r\\n💡 [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)
\\r\\n💡 [About VPN Gateway configuration settings](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [ Microsoft Entra ID : Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔀 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n🔀 [ExpressRoute](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-8](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-8)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"SC.8\\\" and complianceControlId !contains \\\"*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-8] Transmission Confidentiality & Integrity -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC8Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cryptographic Key Establishment & Management (SC-12)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#cryptographic-key-establishment-and-management)\\r\\n\\r\\nEstablish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Azure Dedicated HSM?](https://docs.microsoft.com/azure/dedicated-hsm/overview)
\\r\\n💡 [Thales Luna HSMs](https://cpl.thalesgroup.com/encryption/hardware-security-modules/network-hsms)
\\r\\n💡 [Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal](https://docs.microsoft.com/azure/key-vault/secrets/quick-create-portal)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-12](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-12)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"SC.12\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-12] Cryptographic Key Establishment & Management -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC12Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cryptographic Protection (SC-13)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#cryptographic-protection-3)\\r\\n\\r\\n\\ta. Determine the [Assignment: organization-defined cryptographic uses]; and\\r\\n\\tb. 
Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [FIPS 140-2 Validation](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation)
\\r\\n💡 [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing)
\\r\\n💡 [Key Vault Keys](https://docs.microsoft.com/azure/key-vault/keys/about-keys)
\\r\\n💡 [Federal Information Processing Standard (FIPS) 140](https://docs.microsoft.com/azure/compliance/offerings/offering-fips-140-2)
\\r\\n💡 [Cryptographic controls used by Azure RMS: Algorithms and key lengths](https://docs.microsoft.com/azure/information-protection/how-does-it-work#cryptographic-controls-used-by-azure-rms-algorithms-and-key-lengths)
\\r\\n💡 [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-13](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-13)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct 
ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink\\r\\n | where RecommendationName contains \\\"crypt\\\"\\r\\n | sort by Total, Passed desc\\r\\n | limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-13] Cryptographic Protection -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC13Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-13\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Public Key Infrastructure Certificates (SC-17)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#public-key-infrastructure-certificates)\\r\\n\\r\\n\\ta. Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider; and\\r\\n\\tb. Include only approved trust anchors in trust stores or certificate stores managed by the organization.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Get started with Key Vault certificates](https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios)
\\r\\n💡 [Certificate authorities used by Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/certificate-authorities)
\\r\\n💡 [PKI design considerations using Active Directory Certificate Services (AD CS)](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/pki-design-considerations)
\\r\\n💡 [Validate and Configure Public Key Infrastructure - Key Trust](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki)
\\r\\n💡 [PKI certificate requirements for Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/network/pki-certificate-requirements#supported-certificate-types)
\\r\\n💡 [Configure and use PKCS certificates with Intune](https://docs.microsoft.com/mem/intune/protect/certificates-pfx-configure)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-17](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-17)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct 
ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink\\r\\n | where RecommendationName contains \\\"cert\\\"\\r\\n | sort by Total, Passed desc\\r\\n | limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-17] Public Key Infrastructure Certificates -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC17Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Mobile Code (SC-18)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#mobile-code)\\r\\n\\r\\n\\ta. Define acceptable and unacceptable mobile code and mobile code technologies; and\\r\\n\\tb. Authorize, monitor, and control the use of mobile code within the system.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents) ✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Administer Group Policy in an Microsoft Entra ID Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)
\\r\\n💡 [Enable and configure Microsoft Antimalware for Azure Resource Manager VMs](https://docs.microsoft.com/azure/security/fundamentals/antimalware-code-samples)
\\r\\n💡 [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](https://docs.microsoft.com/azure/security/fundamentals/antimalware)
\\r\\n💡 [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection)
\\r\\n💡 [Customize Web Application Firewall rules using the Azure portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-customize-waf-rules-portal)
\\r\\n💡 [Block syncing of specific file types](https://docs.microsoft.com/onedrive/block-file-types)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/homepage)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-18](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-18)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let M365Files = OfficeActivity\\r\\n| where SourceFileName contains \\\".vbx\\\" or SourceFileName contains \\\".js \\\" or SourceFileName contains \\\".dcr\\\" or SourceFileName contains \\\".fla\\\" or SourceFileName contains \\\".flv\\\" or SourceFileName contains \\\".swr\\\"\\r\\n| extend FileName=SourceFileName, FileLocations=OfficeObjectId\\r\\n| summarize count() by FileName, FileLocations;\\r\\nlet FilePathList = DeviceFileEvents\\r\\n//Update file types and mobile code indicators as required\\r\\n| where FileName contains \\\".vbx\\\" or FileName contains \\\".js \\\" or FileName contains \\\".dcr\\\" or FileName contains \\\".fla\\\" or FileName contains \\\".flv\\\" or FileName contains \\\".swr\\\"\\r\\n| extend FileLocations = strcat(\\\"DEVICENAME: \\\",DeviceName,\\\" \\\",\\\"ACCOUNT: \\\",InitiatingProcessAccountName,\\\" \\\",\\\"PATH: \\\",\\\" \\\",FolderPath)\\r\\n| summarize FileLocations = makelist(FileLocations) by FileName\\r\\n| extend FileLocations = tostring(FileLocations);\\r\\nDeviceFileEvents\\r\\n//Update file types and mobile code indicators as required\\r\\n| where FileName contains \\\".vbx\\\" or FileName contains \\\".js \\\" or FileName contains \\\".dcr\\\" or FileName contains \\\".fla\\\" or FileName contains \\\".flv\\\" or FileName contains \\\".swr\\\"\\r\\n| summarize count() by FileName\\r\\n| join (FilePathList) on FileName\\r\\n| project FileName, count_, FileLocations\\r\\n| union M365Files\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-18] Mobile Code -- Control/Monitor Mobile Code\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"File\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"FileLocations\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Folder\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC18Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 22\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Secure Name / Address Resolution Service (SC-21)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#secure-name--address-resolution-service-recursive-or-caching-resolver)\\r\\n\\r\\nRequest and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Introduction to Microsoft Defender for DNS](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-dns-introduction)
\\r\\n💡 [Respond to Microsoft Defender for DNS alerts](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-dns-introduction#respond-to-microsoft-defender-for-dns-alerts)
\\r\\n💡 [Set-DnsServerRecursion](https://docs.microsoft.com/powershell/module/dnsserver/set-dnsserverrecursion?view=windowsserver2022-ps)
\\r\\n💡 [DNS Server vulnerability to DNS Server Cache snooping attacks](https://docs.microsoft.com/troubleshoot/windows-server/networking/dns-server-cache-snooping-attacks)
\\r\\n💡 [Reviewing DNS Concepts](https://docs.microsoft.com/windows-server/identity/ad-ds/plan/reviewing-dns-concepts)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Workload Protections](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/26)
\\r\\n🔀 [DNS zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-21](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-21)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct 
ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink\\r\\n | where RecommendationName contains \\\"DNS\\\" or RecommendationName contains \\\"domain\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-21] Secure Name / Address Resolution Service -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC21Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-21\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Session Authenticity (SC-23)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#session-authenticity)\\r\\n\\r\\nProtect the authenticity of communications sessions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Configure authentication session management with Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)
\\r\\n💡 [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [ Microsoft Entra ID : Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-23](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-23)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct 
ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink\\r\\n | where RecommendationName contains \\\"TLS\\\" or RecommendationName contains \\\"SSL\\\" or RecommendationName contains \\\"private\\\" or RecommendationName contains \\\"session\\\" or RecommendationName contains \\\"auth\\\" or RecommendationName contains \\\"accounts\\\" and RecommendationName !contains \\\"storage\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-23] Session Authenticity -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC23Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-23\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Honeypots (SC-26)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#network-disconnect)\\r\\n\\r\\nInclude components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Deploy and monitor Azure Key Vault honeytokens with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/monitor-key-vault-honeytokens?tabs=deploy-at-scale)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-26](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-26)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where id contains \\\"deception\\\" or id contains \\\"honey\\\" or id contains \\\"HTDK\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-26] Honeypots -- Microsoft Sentinel: Deception Solution Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC26Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-26\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protection of Information at Rest (SC-28)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#protection-of-information-at-rest)\\r\\n\\r\\nProtect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for 
Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Quickstart: Create a key vault using the Azure portal](https://docs.microsoft.com/azure/key-vault/general/quick-create-portal)
\\r\\n💡 [Configure encryption with customer-managed keys](https://docs.microsoft.com/azure/storage/common/customer-managed-keys-configure-key-vault?tabs=portal#configure-encryption-with-customer-managed-keys)
\\r\\n💡 [Encryption in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/encryption)
\\r\\n💡 [Data encryption models](https://docs.microsoft.com/azure/security/fundamentals/encryption-models)
\\r\\n💡 [Azure Disk Encryption for virtual machines and virtual machine scale sets](https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss)
\\r\\n💡 [Manage BitLocker policy for Windows devices with Intune](https://docs.microsoft.com/mem/intune/protect/encrypt-devices)
\\r\\n💡 [Transparent data encryption (TDE)](https://docs.microsoft.com/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center: Configuration Profiles](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/configurationProfiles)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔀 [SQL Databases](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Sql%2Fservers%2Fdatabases)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-28](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-28)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId == \\\"SC.28.*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-28] Protection of Information at Rest -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC28Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-28\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isSCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"System & Communications Protection Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System & Information Integrity](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=SI)\\r\\n---\\r\\nSystem & Information Integrity includes controls to identify system flaws, combat malware, and identify anomalies.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ 
\\\\\\\"Control\\\\\\\": \\\\\\\"Flaw Remediation [SI-2]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI-2\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Malicious Code Protection [SI-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Information System Monitoring [SI-4]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI-4\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Alerts, Advisories, & Directives [SI-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI-5\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSI2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI-2\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b553471a-7ce6-42bf-935a-47279ebe6fc8\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSI3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"f01adcc0-1423-4d51-a8ba-edc328ae2c58\"},{\"ver
sion\":\"KqlParameterItem/1.0\",\"name\":\"isSI4Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI-4\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c9d8d03d-8d6f-404d-9100-2261389a6e5b\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSI5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"2cf136e9-8f36-4b9c-ad94-403aa2b4c6e7\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Software, Firmware, & Information Integrity [SI-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI-7\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Spam Protection [SI-8]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI-8\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Information Handling & Retention [SI-12]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI-12\\\\\\\" 
}\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e73461c8-699d-4698-bbbc-82ce5096800d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSI7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSI8Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI-8\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"24733b22-cc4d-4322-a53b-6dce1ad815dc\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSI12Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI-12\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a5f05f8c-6393-4898-966c-04a53c7a4d8c\"}],\"style\":\"pi
lls\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Flaw Remediation (SI-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#flaw-remediation)\\r\\n\\r\\n\\ta. Identify, report, and correct system flaws;\\r\\n\\tb. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;\\r\\n\\tc. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and\\r\\n\\td. Incorporate flaw remediation into the organizational configuration management process.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Risk-based threat and vulnerability management](https://www.microsoft.com/security/business/threat-protection/threat-vulnerability-management)
\\r\\n💡 [How to monitor Endpoint Protection status](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/monitor-endpoint-protection)
\\r\\n💡 [Configure Alerts for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-configure-alerts)
\\r\\n💡 [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](https://docs.microsoft.com/azure/security/fundamentals/antimalware)
\\r\\n💡 [Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint](https://docs.microsoft.com/mem/intune/protect/atp-manage-vulnerabilities)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft 365 Defender: Threat & Vulnerability Management](https://security.microsoft.com/tvm_dashboard)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SI-2](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"SI.2\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-2] Flaw Remediation -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSI2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious Code Protection (SI-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#malicious-code-protection)\\r\\n\\r\\n\\ta. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;\\r\\n\\tb. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;\\r\\n\\tc. Configure malicious code protection mechanisms to:\\r\\n\\t\\t1. 
Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and\\r\\n\\t\\t2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and\\r\\n\\td. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](https://docs.microsoft.com/azure/security/fundamentals/antimalware)
\\r\\n💡 [Malware and ransomware protection in Microsoft 365](https://docs.microsoft.com/compliance/assurance/assurance-malware-and-ransomware-protection)
\\r\\n💡 [Enable and configure always-on protection in Group Policy](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus#enable-and-configure-always-on-protection-in-group-policy)
\\r\\n💡 [Enable and configure Microsoft Antimalware for Azure Resource Manager VMs](https://docs.microsoft.com/azure/security/fundamentals/antimalware-code-samples)
\\r\\n💡 [Windows 10 (and newer) device settings to allow or restrict features using Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10)
\\r\\n\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud: Security Alerts](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/7)
\\r\\n🔀 [Microsoft 365 Defender: Alerts](https://security.microsoft.com/alerts)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SI-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"SI.3\\\" and complianceControlId !contains \\\"*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-3] Malicious Code Protection -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"ware\\\" or Title contains \\\"mining\\\" or Title contains \\\"backdoor\\\" or Title contains \\\"exploit\\\" or Title contains \\\"tool\\\" or Title contains \\\"file\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| sort by FirstActivityTime desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-3] Malicious Code Protection -- Security 
Incidents\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSI3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Information System Monitoring (SI-4)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#information-system-monitoring)\\r\\n\\r\\n\\ta. Monitor the system to detect:\\r\\n\\t\\t1. 
Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and\\r\\n\\t\\t2. Unauthorized local, network, and remote connections;\\r\\n\\tb. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods];\\r\\n\\tc. Invoke internal monitoring capabilities or deploy monitoring devices:\\r\\n\\t\\t1. Strategically within the system to collect organization-determined essential information; and\\r\\n\\t\\t2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;\\r\\n\\td. Analyze detected events and anomalies;\\r\\n\\te. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;\\r\\n\\tf. Obtain legal opinion regarding system monitoring activities; and\\r\\n\\tg. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) 🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident)✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/microsoft-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Automatically create incidents from Microsoft security alerts](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)
\\r\\n💡 [Connect Microsoft Defender for Cloud alerts to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-defender-for-cloud)
\\r\\n💡 [Connect data from Microsoft 365 Defender to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SI-4](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-4)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"SI.4\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-4] Information System Monitoring -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SecurityProducts = datatable(ProviderName:string, Product:string, Portal:string)\\r\\n[\\r\\n \\\"ASI Scheduled Alerts\\\", \\\"Microsoft Sentinel\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"MCAS\\\", \\\"Microsoft Defender for Cloud Apps\\\", \\\"https://portal.cloudappsecurity.com/\\\",\\r\\n \\\"MDATP\\\", \\\"Microsoft Defender for Endpoint\\\", \\\"https://security.microsoft.com/homepage\\\",\\r\\n \\\"Azure Security Center\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"Detection-WarmPathV2\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"MicrosoftThreatProtection\\\", \\\"Microsoft 365 Defender\\\", \\\"https://security.microsoft.com/homepage\\\",\\r\\n \\\"IPC\\\", \\\"Azure Active 
Directory Identity Protection\\\", \\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/Overview\\\",\\r\\n \\\"Detection-Fusion\\\", \\\"Machine Learning Fusion Alert\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"Sentinel Fusion\\\", \\\"Machine Learning Fusion Alert\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"Azure Advanced Threat Protection\\\", \\\"Microsoft Defender for Identity\\\", \\\"https://security.microsoft.com/settings/identities\\\",\\r\\n \\\"Threat Intelligence Alerts\\\", \\\"Threat Intelligence\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"IoTSecurity\\\", \\\"Microsoft Defender for IoT\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started\\\",\\r\\n \\\"MSTIC\\\", \\\"Microsoft Intelligent Security Graph\\\", \\\"https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade\\\",\\r\\n \\\"AntimalwarePublisher\\\", \\\"Microsoft Anti-Malware\\\", \\\"https://security.microsoft.com/homepage\\\",\\r\\n \\\"OATP\\\", \\\"Microsoft Defender for Office 365\\\", \\\"https://security.microsoft.com/homepage\\\",\\r\\n \\\"AdaptiveNetworkHardenings\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"StorageThreatDetection\\\", \\\"Azure Defender for Storage\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"CloudNetworkSecurity\\\", \\\"Azure Network Security\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview\\\",\\r\\n \\\"SQLThreatDetection\\\", \\\"Azure Defender for SQL\\\", 
\\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\"\\r\\n];\\r\\nSecurityAlert\\r\\n| join kind=inner SecurityProducts on ProviderName\\r\\n| summarize count() by Product, Portal\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-4] Information System Monitoring -- Security Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Product\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Portal 
>>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated 
desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-4] Information System Monitoring -- Security Incidents\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSI4Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI-4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Alerts, Advisories, & Directives (SI-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#security-alerts-advisories-and-directives)\\r\\n\\r\\n\\ta. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;\\r\\n\\tb. Generate internal security alerts, advisories, and directives as deemed necessary;\\r\\n\\tc. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and\\r\\n\\td. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) 🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Resources\\r\\n✴️ [US-CERT: Alerts](https://www.cisa.gov/uscert/ncas/alerts)
\\r\\n✴️ [US-CERT: Bulletins](https://www.cisa.gov/uscert/ncas/bulletins)
\\r\\n✴️ [US-CERT: Current Activity](https://www.cisa.gov/uscert/ncas/current-activity)
\\r\\n✴️ [US-CERT: Analysis Reports](https://www.cisa.gov/uscert/ncas/analysis-reports)
\\r\\n✴️ [Microsoft Technical Security Notifications](https://www.microsoft.com/msrc/technical-security-notifications)
\\r\\n✴️ [Microsoft Security Response Center](https://www.microsoft.com/msrc)
\\r\\n✴️ [Microsoft Security Intelligence](https://www.microsoft.com/security/blog/microsoft-security-intelligence/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Sentinel: Automation](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SI-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct 
ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink\\r\\n | where RecommendationName contains \\\"alert\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-5] Security Alerts, Advisories, and Directives -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type == \\\"microsoft.logic/workflows\\\"\\r\\n| extend PlaybookName = 
id\\r\\n| where PlaybookName contains \\\"notify\\\" or PlaybookName contains \\\"email\\\" or PlaybookName contains \\\"teams\\\" or PlaybookName contains \\\"ticket\\\" or PlaybookName contains \\\"post\\\"\\r\\n| project PlaybookName, type, resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-5] Security Alerts, Advisories, and Directives -- SOAR Notification Playbooks\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Microsoft Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where OperationNameValue startswith \\\"Microsoft.Logic\\\"\\r\\n| where ActivityStatusValue == \\\"Success\\\" or ActivityStatusValue == \\\"Succeeded\\\"\\r\\n| extend scope_ = tostring(Authorization_d.scope)\\r\\n| parse-where scope_ with * 'workflows/' PlaybookName '/' *\\r\\n| where PlaybookName contains \\\"notify\\\" or PlaybookName contains \\\"email\\\" or PlaybookName contains \\\"teams\\\" or PlaybookName contains \\\"ticket\\\" or PlaybookName contains \\\"post\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by PlaybookName\\r\\n| render timechart \",\"size\":0,\"showAnnotations\":true,\"showAnalytics\":true,\"title\":\"[SI-5] Security Alerts, Advisories, and 
Directives --Notification SOAR Playbooks Triggered\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSI5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Software, Firmware, & Information Integrity (SI-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#software-firmware-and-information-integrity)\\r\\n\\r\\n\\ta. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and\\r\\n\\tb. Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Firmware security](https://docs.microsoft.com/azure/security/fundamentals/firmware)
\\r\\n💡 [Platform code integrity](https://docs.microsoft.com/azure/security/fundamentals/code-integrity)
\\r\\n💡 [Secure Boot](https://docs.microsoft.com/azure/security/fundamentals/secure-boot)
\\r\\n💡 [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
\\r\\n💡 [File integrity monitoring in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/defender-for-cloud/file-integrity-monitoring-overview)
\\r\\n💡 [Change Tracking and Inventory overview](https://docs.microsoft.com/azure/automation/change-tracking/overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Entra ID: Roles & Admins](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators)
\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SI-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"firmware\\\" or Description contains \\\"kernel\\\" or Description contains \\\"OS \\\" or Description contains \\\"BIOS\\\" or Description contains \\\"integrity\\\" or Description contains \\\"software\\\" or Description contains \\\"operating system\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"firmware\\\" or Description contains \\\"kernel\\\" or Description contains \\\"OS \\\" or Description contains \\\"BIOS\\\" or Description contains \\\"integrity\\\" or Description contains \\\"software\\\" or Description contains \\\"operating system\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"firmware\\\" or Description contains \\\"kernel\\\" or Description contains \\\"OS \\\" or Description contains \\\"BIOS\\\" or Description contains \\\"integrity\\\" or Description contains \\\"software\\\" or Description contains \\\"operating system\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join 
kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-7] Software, Firmware & Information Integrity -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSI7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI-7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Spam Protection 
(SI-8)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#spam-protection)\\r\\n\\r\\n\\ta. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and\\r\\n\\tb. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Anti-Spam protection in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-spam-protection)
\\r\\n💡 [Configure Anti-Spam Policies in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/) \\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SI-8](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-8)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MatchingSenderEmails=EmailEvents\\r\\n| extend Spam = tostring(parse_json(ConfidenceLevel).Spam)\\r\\n| where Spam == \\\"Normal\\\" or Spam == \\\"Moderate\\\" or Spam == \\\"High\\\"\\r\\n| where SenderFromAddress <> \\\"\\\"\\r\\n| summarize count() by SenderFromAddress\\r\\n| project SenderFromAddress, EmailsFromSender=count_;\\r\\nlet MatchingSpamEmails_=EmailEvents\\r\\n| extend Spam = tostring(parse_json(ConfidenceLevel).Spam)\\r\\n| where Spam == \\\"Normal\\\" or Spam == \\\"Moderate\\\" or Spam == \\\"High\\\"\\r\\n| where Subject <> \\\"\\\"\\r\\n| summarize count() by Subject\\r\\n| project Subject, EmailsMatchingSubject=count_;\\r\\nEmailEvents\\r\\n| extend Spam = tostring(parse_json(ConfidenceLevel).Spam)\\r\\n| where Spam == \\\"Normal\\\" or Spam == \\\"Moderate\\\" or Spam == \\\"High\\\"\\r\\n| where Subject <> \\\"\\\"\\r\\n| join kind=fullouter(MatchingSenderEmails) on SenderFromAddress\\r\\n| join kind=fullouter(MatchingSpamEmails_) on Subject\\r\\n| where SenderFromAddress <> \\\"\\\"\\r\\n| project Spam, RecipientEmailAddress, SenderFromAddress, DeliveryAction, EmailDirection, ConfidenceLevel, DetectionMethods, EmailAction, EmailActionPolicy, Subject, InternetMessageId, EmailsMatchingSubject, EmailsFromSender, TimeGenerated\\r\\n| sort by EmailsMatchingSubject desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-8] Spam Protection -- Anti-Spam Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Microsoft Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully 
Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SenderFromAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DeliveryAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Delivered\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Junked\",\"representation\":\"1\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EmailDirection\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Inbound\",\"representation\":\"left\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Outbound\",\"representation\":\"right\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Intra-org\",\"representation\":\"pending\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"unknown\",\"text\"
:\"{0}{1}\"}]}},{\"columnMatch\":\"EmailsMatchingSubject\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"EmailsFromSender\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isSI8Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI-8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Information Handling & Retention (SI-12)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#information-handling-and-retention)\\r\\n\\r\\nManage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/microsoft-sentinel/)\\r\\n\\r\\n### Implementation\\r\\n💡 [Change the data retention period](https://docs.microsoft.com/azure/azure-monitor/logs/manage-cost-storage#change-the-data-retention-period)
\\r\\n💡 [Integrate Azure Data Explorer for long-term log retention](https://docs.microsoft.com/azure/sentinel/store-logs-in-azure-data-explorer)
\\r\\n💡 [Plan and manage costs for Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/billing)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SI-12](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-12)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces' \\r\\n| extend state = trim(' ', tostring(properties.provisioningState))\\r\\n\\t\\t,sku = trim(' ', tostring(properties.sku.name))\\r\\n ,skuUpdate = trim(' ', tostring(properties.sku.lastSkuUpdate))\\r\\n\\t\\t,retentionDays = trim(' ', tostring(properties.retentionInDays))\\r\\n\\t\\t,dailyquotaGB = trim(' ', tostring(properties.workspaceCapping.dailyQuotaGb))\\r\\n| extend dailyquotaGB = iif(dailyquotaGB !=-1.0, dailyquotaGB,\\\"Not set\\\")\\r\\n| extend skuUpdate = iif(strlen(skuUpdate) > 0, skuUpdate,\\\"Unknown\\\")\\r\\n| extend sentinel = iif(toint(retentionDays) < 90,\\\"If you have Sentinel, you can change your retention to 90days (free)?\\\",\\\"\\\")\\r\\n| project LogAnalyticsWorkspace=id, ['Resource Group']=resourceGroup, \\t\\r\\nLogRetention_Days=retentionDays\\r\\n\",\"size\":2,\"showAnalytics\":true,\"title\":\"[SI-12] Information Handling & Retention -- Log Retention Settings\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogRetention_Days\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"is Empty\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"363\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"364\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Data Retention(days)\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orangeBlue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_LogRetention_Days_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_LogRetention_Days_2\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"type\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isSI12Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI-12\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isSIVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"System & Information Integrity 
Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Data Connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\\r\\n---\\r\\n\\r\\nAfter onboarding Microsoft Sentinel into your workspace, connect data sources to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many connectors for Microsoft products, available out of the box and providing real-time integration. For example, service-to-service connectors include Microsoft 365 Defender connectors and Microsoft 365 sources, such as Office 365, Microsoft Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Check out these references if you're new to Microsoft Sentinel.\"},\"customWidth\":\"40\",\"name\":\"NS Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"b1cd1f8a-e807-4deb-93f4-7812e5ed014a\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Data Connectors >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorsBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\"}}]},\"customWidth\":\"20\",\"name\":\"EL0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/best-practices\",\"linkTarget\":\"Url\",\"linkLabel\":\"Best Practices\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-all-in-one-accelerator/ba-p/1807933\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel All-In-One 
Accelerator\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://docs.microsoft.com/learn/browse/?wt.mc_id=resilience_skilling_webpage_gdc&terms=sentinel\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel Training\",\"style\":\"link\"}]},\"customWidth\":\"40\",\"name\":\"links - 29\"}],\"exportParameters\":true},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Foundational Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Activity Connector](https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"909d0019-23cb-43ad-8285-9f1dca1cd1be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureActivity\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureActivity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"58cc25ab-a9af-4516-99e1-fa22e0637a76\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActivity\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"33\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Entra ID Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"23ba579d-c894-43be-9fe1-d1b04bc34d7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SignInLogs\",\"label\":\"Status\",\"type\":1,\"query\":\"SigninLogs\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Active Directory\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"7c97e893-29f3-4d4c-a379-f220bb82518c\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectory\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Active Directory (AAD) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Office 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-365-formerly-office-365)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"68bd12c8-e473-45d1-8bbc-2dd9f326ea69\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"OfficeActivity\",\"label\":\"Status\",\"type\":1,\"query\":\"OfficeActivity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6a86eb8d-5487-4aad-ae7b-b526e68a249f\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Office365\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Office 365 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Cloud Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#tenant-based-microsoft-defender-for-cloud)\\r\\n\\r\\n\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"1673e4cf-354f-4a42-bed2-2374be47779e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MDfC\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"Azure Security Center\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"56600b70-0e55-433a-be86-b7c561bced8b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSecurityCenter\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Defender for Cloud Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Network Security Groups (NSG) Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#network-security-groups)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b17ce357-e8d5-4c7c-a4f0-765598462a1c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NSG\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"NetworkSecurityGroupEvent\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"935bb630-1fce-4021-b7b4-c010b9e05973\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureNSG\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Network Security Groups (NSG) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Windows Security Events (AMA) Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CAMA#windows-agent-based-connections)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"d9af27d9-8c90-4c85-a57f-f329257d9956\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AMA\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityEvent\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d002eb41-c632-429b-8504-846b69314620\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsSecurityEvents\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Windows Security Events (AMA) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Security Events via Legacy Agent Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CLAA#windows-agent-based-connections)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b2737fbc-c0e2-4584-9fba-ee7d057d7db0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecurityEvent\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityEvent\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"9a8b0649-e79b-4a30-be25-4a5486f302ee\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"SecurityEvents\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Security Events via Legacy Agent Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [DNS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#dns)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNS\",\"label\":\"Status\",\"type\":1,\"query\":\"DnsEvents\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DNS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"DNS Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Storage Accounts Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-storage-account)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4f291c03-8d98-47b6-ba82-1282322bb7a5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"StorageLogs\",\"label\":\"Status\",\"type\":1,\"query\":\"StorageBlobLogs\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6d9cd26b-3fcd-4556-b2eb-3dcb711c4de4\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureStorageAccount\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Storage Logs Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Common Event Format (CEF) Connector](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4fcf795c-75b8-4010-bd24-1d66511ff6e8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CommonSecurityLog\",\"label\":\"Status\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"452e02e1-b0c4-4b9b-8a54-bc9295db22b9\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"CEF\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Common Event Format (CEF) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Syslog Connector](https://docs.microsoft.com/azure/sentinel/connect-syslog)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"fa63a08f-dd08-4e11-bcb6-c075a6d6c15c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Syslog\",\"label\":\"Status\",\"type\":1,\"query\":\"Syslog\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"021644a3-bd51-4b09-8117-017a89c71d58\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Syslog\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Syslog Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Amazon Web Services (AWS) Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"18ed59f0-c497-44b1-94b7-8700051cf189\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AWS\",\"label\":\"Status\",\"type\":1,\"query\":\"AWSCloudTrail\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"393c465e-4398-428b-8da2-87ac07d8a987\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AWS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Amazon Web Services (AWS) S3 Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AWSS3\",\"label\":\"Status\",\"type\":1,\"query\":\"AWSVPCFlow\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AwsS3\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) S3 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Google Cloud Platform IAM Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#google-cloud-platform-iam-via-codeless-connector-framework)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GCP\",\"label\":\"Status\",\"type\":1,\"query\":\"GCP_IAM_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"1f2ba663-dd7a-49b6-87ba-0b8adf6d2d34\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) S3 Connector - Copy\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Basic Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft 365 Defender Connector](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"M365Defender\",\"label\":\"Status\",\"type\":1,\"query\":\"AlertEvidence\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 
3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftThreatProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft 365 Defender Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Endpoint Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-endpoint)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MDE\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"MDATP\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftDefenderAdvancedThreatProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft 365 Defender Connector - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureFirewall\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureFirewall\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Windows Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WindowsFirewall\",\"label\":\"Status\",\"type\":1,\"query\":\"WindowsFirewall\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsFirewall\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Windows Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Web Application Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-web-application-firewall-waf)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureWAF\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceType in (\\\"APPLICATIONGATEWAYS\\\", \\\"FRONTDOORS\\\", \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\", \\\"PROFILES\\\")\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WAF\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Web Application Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure SQL Databases Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-sql-databases)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SQL\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where Category contains \\\"SQL\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSql\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"SQL Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Key Vault Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-key-vault)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureKeyVault\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceProvider == \\\"MICROSOFT.KEYVAULT\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKeyVault\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Key Vault Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure DDoS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-ddos-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DDoS\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceType == \\\"PUBLICIPADDRESSES\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DDOS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure DDoS Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [VMware Carbon Black Cloud via AWS S3](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#vmware-carbon-black-cloud-via-aws-s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VMwareCarbon\",\"label\":\"Status\",\"type\":1,\"query\":\"CarbonBlack_Alerts_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"VMwareESXi\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"VMware ESXi Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Cloud: Continuous Export](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export?tabs=azure-portal)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecurityRecommendation\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityRecommendation\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Feature\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Continuous Export 
Connector\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Intermediate Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Purview Information Protection](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview-information-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MicrosoftPurviewInformationProtection\",\"type\":1,\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Status\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureInformationProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Information Protection Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Dynamics 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#dynamics365)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Dynamics365Activity\",\"label\":\"Status\",\"type\":1,\"query\":\"Dynamics365Activity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Dynamics365\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Dynamics 365 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Kubernetes Service (AKS) Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-kubernetes-service-aks)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AKS\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"kube-audit\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKubernetes\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Kubernetes Service (AKS) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Qualys Vulnerability Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#qualys-vulnerability-management-via-codeless-connector-framework)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Qualys\",\"label\":\"Status\",\"type\":1,\"query\":\"QualysHostDetectionV3_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"QualysVulnerabilityManagement\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Qualys Vulnerability Management Connector\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Advanced Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Entity Behavior (UEBA)](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"BehaviorAnalytics\",\"label\":\"Status\",\"type\":1,\"query\":\"BehaviorAnalytics\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 
1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Feature\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"EntitySearchBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\"}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Entity Behavior (UEBA) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Entra ID Protection Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-entra-id-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AADIP\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert | where ProductName == \\\"Azure Active Directory Identity Protection\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectoryIdentityProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Active Directory Identity Protection Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Threat Intelligence TAXII Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-taxii)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TAXII\",\"label\":\"Status\",\"type\":1,\"query\":\"ThreatIntelligenceIndicator | where SourceSystem !in (\\\"SecurityGraph\\\", \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\") \\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligenceTaxii\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Threat Intelligence TAXII Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Threat Intelligence Platform Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-tip)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatIntelligence\",\"label\":\"Status\",\"type\":1,\"query\":\"ThreatIntelligenceIndicator | where SourceSystem in (\\\"SecurityGraph\\\", \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\") \\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligence\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Threat Intelligence Platform Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for IoT Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-iot)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MD4IOT\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert | where ProductName == \\\"Azure Security Center for IoT\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"IoT\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Defender for IoT Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Purview: Insider Risk Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview-information-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IRM\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProductName == \\\"Microsoft 365 Insider Risk Management\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"OfficeIRM\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Purview: Insider Risk Management Connector\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 6\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"isDCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Data Connectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Content](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog)\\r\\n---\\r\\n\\r\\nThe following content packages provide utility for regulated industries use cases.\"},\"name\":\"NS Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions\",\"linkTarget\":\"Url\",\"linkLabel\":\"About Microsoft Sentinel Content & Solutions\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog\",\"linkTarget\":\"Url\",\"linkLabel\":\"Content Hub Catalog\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"40\",\"name\":\"group - 4\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 
2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"76c7831e-386d-4289-8145-486f52cba8ec\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Content Hub >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ContentHub.ReactView\",\"extensionName\":\"Microsoft_Azure_SentinelUS\"}}]},\"customWidth\":\"40\",\"name\":\"EL0\"}]},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Analysis & Response Solution](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response)\\r\\n---\\r\\n\\r\\nThis solution enables SecOps Analysts, Threat Intelligence Professional, and Threat Hunters to gain situational awareness for threats in cloud environment. The Solution includes (2) Workbooks designed to enable threat hunting programs. Threat analysis provides an understanding of where the attacker is in the cycle which often drives both a historic lens of where the threat may have progressed, but also predictive analytics on the threat’s objectives. This approach is adversarial as understanding of the threat’s attack cycle drives defense actions in a red versus blue model. The Threat Analysis & Response Solution augments the customer burden of building threat hunting programs.\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\" 100\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [NIST SP 800-53 Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n\\r\\n---\\r\\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with NIST SP 800-53 control requirements. This offering telemetry from 25+ Microsoft Security products (1P/3P/Multi-Cloud/Hybrid/On-Premises). Each NIST SP 800-53 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-nist-sp-800-53-solution/ba-p/3381485\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/ju9hxtYnj7s\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NISTSP80053\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"90\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Zero Trust (TIC 3.0) Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n\\r\\n---\\r\\nThe Microsoft Sentinel Zero Trust (TIC 3.0) Solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across cloud, multi-cloud, 1st/3rd party workloads. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/next-evolution-of-the-microsoft-sentinel-zero-trust-tic-3-0/ba-p/3278097\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/CxLzTRPuw-4\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ZeroTrust(TIC3.0)\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"Zero Trust Solution\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cybersecurity Maturity Model Certification (CMMC) 2.0](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\n\\r\\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/assessment/reporting, (2) Analytics rules for monitoring and (3) Playbooks for response/remediation. CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-cybersecurity-maturity-model/ba-p/3295095\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/-_a5HxJgriE\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Security Benchmark v3](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nEnables Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to gain situational awareness for cloud security posture and hardening. Benchmark recommendations provide a starting point for selecting specific security configuration settings and facilitate risk reduction. The Azure Security Benchmark includes a collection of high-impact security recommendations for improving posture. This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/azure-security-benchmark-v3-workbook/ba-p/3257673\",\"linkTarget\":\"Url\",\"linkLabel\":\"Announce Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/v57gWjvcY4o\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"cc5f4830-f090-4f5e-afb2-47adba6be532\",\"cellValue\":\"https://youtu.be/qVJjwOipHDA\",\"linkTarget\":\"Url\",\"linkLabel\":\"ASC in the Field\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workbooks/Azure%20Security%20Benchmark%20v3\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsoft Insider Risk Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786)\\r\\n---\\r\\n\\r\\nInsider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and escalating cases to Microsoft Advanced eDiscovery. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risks come in various forms including both witting (intentional) and unwitting (unintentional). 
This workbook provides an automated visualization of Insider risk behavior cross walked to Microsoft security offerings.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MicrosoftPurviewInsiderRiskManagement\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [IT/OT Threat Monitoring Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184)\\r\\n---\\r\\n\\r\\nThis solution provides the foundation for building a SOC for monitoring IoT/ OT and includes (1) workbook for visibility/reporting, (14) analytics rules for monitoring, and (4) playbooks for response. The workbook leverages Microsoft Sentinel telemetry to create visualization to understand, analyze, and respond to IoT/OT threats. Understanding alerts over time provides unprecedented insights into security posture and where teams need to focus to harden against threats. Deep links directly to Microsoft Defender for IoT alerts empower analysts to focus on remediating threats rather than pivoting between tools.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"8f7dce97-a41c-42b3-b62f-a21fbf5a1420\",\"cellValue\":\"https://youtu.be/hZS2aplJoy8\",\"linkTarget\":\"Url\",\"linkLabel\":\"YouTube Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/readme.md\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Maturity Model for Event Log Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842)\\r\\n---\\r\\n\\r\\nThis solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident.\\\"Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. 
This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency.\\\" For more information, see 💡[OMB's M-21-31 Memorandum](https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/quV_80ts__k\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MaturityModelForEventLogManagementM2131\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence Workbook](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nThe most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions.
\\r\\n\\r\\n---\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-azure-sentinel-threat-intelligence-workbook/ba-p/2858265\",\"linkTarget\":\"Url\",\"linkLabel\":\"Workbook Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/SjEG7iVVBbI\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/ThreatIntelligence.json\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"Zero Trust Solution - Copy - Copy - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isGCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Content\"}],\"fromTemplateId\":\"sentinel-NISTSP80053\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Getting Started\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\",\"value\":\"No\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 
1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true},\"value\":{\"durationMs\":604800000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\" Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/nEbCCA5rcn)\"},\"name\":\"Survey\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Getting Started\\r\\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with NIST SP 800-53 control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and controls. This offering telemetry from 25+ Microsoft Security products, while only Microsoft Sentinel/Microsoft Defender for Cloud are required to get started, each offering provides additional enrichment for aligning with control requirements. 
Each NIST SP 800-53 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads. \\r\\n\\r\\n### [Recommended Microsoft Sentinel Roles](https://docs.microsoft.com/azure/sentinel/roles) / [Recommended Microsoft Defender for Cloud Roles](https://docs.microsoft.com/azure/defender-for-cloud/permissions#roles-and-allowed-actions)\\r\\n| Roles | Rights | \\r\\n|:--|:--|\\r\\n|Security Reader | View Workbooks, Analytics, Hunting, Security Recommendations |\\r\\n|Security Contributor| Deploy/Modify Workbooks, Analytics, Hunting Queries, Apply Security Recommendations |\\r\\n|Automation Contributor| Deploy/Modify Playbooks & Automation Rules |\\r\\n|Owner| Assign Regulatory Compliance Initiatives|\\r\\n\\r\\n### Onboarding Prerequisites \\r\\n1️⃣ [Access Microsoft 365 Compliance Manager: Assessments](https://compliance.microsoft.com/compliancemanager?viewid=Assessments)
\\r\\n2️⃣ [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\\r\\n3️⃣ [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n4️⃣ [Add the Microsoft Defender for Cloud: NIST SP 800-53 R4 & R5 Assessments to Your Dashboard](https://docs.microsoft.com/azure/security-center/update-regulatory-compliance-packages#add-a-regulatory-standard-to-your-dashboard)
\\r\\n5️⃣ [Continuously Export Security Center Data to Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/continuous-export)
\\r\\n6️⃣ [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\\r\\n7️⃣ [Configure Auto Provisioning of Microsoft Defender for Cloud Agents](https://docs.microsoft.com/azure/defender-for-cloud/enable-data-collection)
\\r\\n8️⃣ [Review Microsoft Service Trust Portal Documentation/Audit/Resources](https://servicetrust.microsoft.com/)
\\r\\n\\r\\n### Print/Export Report\\r\\n1️⃣ Set Background Theme: Settings > Appearance > Theme: Azure > Apply
\\r\\n2️⃣ Print/Export Report: More Content Actions (...) > Print Content
\\r\\n3️⃣ Settings: Layout (Landscape), Pages (All), Print (One Sided), Scale (60), Pages Per Sheet (1), Quality (1,200 DPI), Margins (None) > Print
\\r\\n4️⃣ Executive Summary: Microsoft Defender for Cloud > Regulatory Compliance > Download Report > Report Standard (NIST SP 800 53 R4), Format (PDF)\\r\\n\\r\\n### Important\\r\\nEach control below is associated with one or more 💡[Azure Policy](https://docs.microsoft.com/azure/governance/policy/overview) definitions. These policies may help you 💡[Assess Compliance](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data) with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the 💡[GitHub Commit History](https://github.com/Azure/azure-policy/commits/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/NIST80053_audit.json). For more information, see 💡[Details of the NIST SP 800-53 Regulatory Compliance built-in initiative](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4)\\r\\n\\r\\nCustomer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements. This workbook does not address all controls within the framework. 
It should be considered a supplemental tool to gain visibility of technical controls within cloud, multi-cloud, and hybrid networks. For the full listing of respective controls, see the💡[Microsoft Cloud Service Trust Portal](https://servicetrust.microsoft.com/)\\r\\n\",\"style\":\"info\"},\"name\":\"Help\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 30\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [NIST SP 800-53 Solution](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4)\\n---\\n\\nThis Solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This Solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. The Microsoft Sentinel: NIST SP 800-53 Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. 
All requirements, validations, and controls are governed by the 💡[National Institute of Standards and Technology (NIST)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)\\n\"},\"name\":\"Workbook Overview\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-nist-sp-800-53-solution/ba-p/3381485\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/ju9hxtYnj7s\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NISTSP80053\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"79\",\"name\":\"group - 22\"},{\"type\":1,\"content\":{\"json\":\" \"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Executive Summary\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Assessment\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Controls Crosswalk\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Azure Lighthouse for Multi-Tenant\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AL\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Access Control [AC]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Audit & Accountability [AU]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Security Assessment & 
Authorization [CA]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Configuration Management [CM]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Contingency Planning [CP]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CP\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"Control Family \",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7b682fc9-cb6b-4475-a24c-41dcb43d0cef\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAssessmentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Assessment\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"295d01be-8a71-4186-8584-a3091ea8ca61\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isALVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\
",\"rightValType\":\"static\",\"rightVal\":\"AL\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"844962c7-7d4e-4761-badd-869852e4a3a1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isACVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"07022701-185b-43a6-815f-a61176ddd405\"},{\"id\":\"c01e6494-1f74-4194-88b3-c98bbabdf84f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAUVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"e85f9ad6-e6ae-4525-817c-50ddfa04ed68\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCMVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteri
aContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"02596750-83d0-48ad-b9e0-2897e262ab29\"},{\"id\":\"a932ee8a-1039-4482-9fc8-ed79fe6f2ebb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCPVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CP\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\t\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Identification & Authentication [IA]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Incident Response [IR]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IR\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Media Protection [MP]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MP\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Risk Assessment [RA]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RA\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"System & Communications Protection [SC]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"System & Information Integrity [SI]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI\\\\\\\" 
},\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Data Connectors\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Content\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"GC\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"Control Family - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"63b30cf4-73c6-413b-9728-18a2684ae7cd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIRVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IR\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9a923dbe-b3ea-48ef-b8fa-ab28651209e7\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMPVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MP\",\"resultValType\":\"static\",\"resul
tVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9da202ed-b5c8-4e37-ab27-ac112511cd9f\"},{\"id\":\"0af0cea9-8f28-4850-b48e-93a195efa02b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRAVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RA\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"c16d4f92-ce1a-4ff0-9576-23b39836e95d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSIVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9637281c-861a-4ba6-90cd-6650f187f00c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"stati
c\",\"rightVal\":\"DC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"35ede265-e571-41b9-bdc6-49af189a9a2c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isGCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"GC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"87b43444-cd60-469b-8433-c62927ed9b1e\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Executive Summary](https://docs.microsoft.com/azure/defender-for-cloud/regulatory-compliance-dashboard)\\r\\n---\\r\\n\\r\\nThis section leverages Microsoft Defender for Cloud: Regulatory Compliance for policy assessments. Find, fix, and resolve recommendations aligned to the NIST SP 800-53 Regulatory Compliance Initiative. A selector provides capability to filter by all, specific, or groups of controls by level. 
Upon selection, subordinate panels will summarize recommendations by control family, status over time, recommendations, and resources identified.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"99a47f97-1aa4-4840-91ee-119aad6d6217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ComplianceDomain\",\"label\":\"Control Family\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityRegulatoryCompliance\\r\\n| where ComplianceStandard == \\\"NIST-SP-800-53-R4\\\"\\r\\n| extend ComplianceDomain=iff(ComplianceControl contains \\\"AC.\\\", \\\"Access Control\\\", iff(ComplianceControl contains \\\"AT.\\\", \\\"Security Awareness & Training\\\", iff(ComplianceControl contains \\\"AU.\\\", \\\"Audit & Accountability\\\", iff(ComplianceControl contains \\\"CA.\\\", \\\"Security Assessment\\\", iff(ComplianceControl contains \\\"CM.\\\", \\\"Configuration Management\\\", iff(ComplianceControl contains \\\"CP.\\\", \\\"Contingency Planning\\\", iff(ComplianceControl contains \\\"IA.\\\", \\\"Identification & Authentication\\\", iff(ComplianceControl contains \\\"IR.\\\", \\\"Incident Response\\\", iff(ComplianceControl contains \\\"MA.\\\", \\\"System Maintenance\\\", iff(ComplianceControl contains \\\"MP.\\\", \\\"Media Protection\\\", iff(ComplianceControl contains \\\"PE.\\\", \\\"Physical Protection\\\", iff(ComplianceControl contains \\\"PL.\\\", \\\"Security Planning\\\", iff(ComplianceControl contains \\\"PS.\\\", \\\"Personnel Security\\\",iff(ComplianceControl contains \\\"RA.\\\", \\\"Risk Assessment\\\",iff(ComplianceControl contains \\\"SA.\\\", \\\"System & Services Acquisition\\\",iff(ComplianceControl contains \\\"SC.\\\", \\\"System & Communications Protection\\\",iff(ComplianceControl 
contains \\\"SI.\\\", \\\"System & Information Integrity\\\",\\\"Other\\\")))))))))))))))))\\r\\n| summarize count() by ComplianceDomain\\r\\n| sort by count_ desc\\r\\n| project-away count_\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"parameters - 26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], 
iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName\\r\\n | extend ComplianceDomain=iff(controlId contains \\\"AC.\\\", \\\"Access Control\\\", iff(controlId contains \\\"AT.\\\", \\\"Security Awareness & Training\\\", iff(controlId contains \\\"AU.\\\", \\\"Audit & Accountability\\\", iff(controlId contains \\\"CA.\\\", \\\"Security Assessment\\\", iff(controlId contains \\\"CM.\\\", \\\"Configuration Management\\\", iff(controlId contains \\\"CP.\\\", \\\"Contingency Planning\\\", iff(controlId contains \\\"IA.\\\", \\\"Identification & Authentication\\\", iff(controlId contains \\\"IR.\\\", \\\"Incident Response\\\", iff(controlId contains \\\"MA.\\\", \\\"System Maintenance\\\", iff(controlId contains \\\"MP.\\\", \\\"Media Protection\\\", iff(controlId contains \\\"PE.\\\", \\\"Physical Protection\\\", iff(controlId contains \\\"PL.\\\", \\\"Security Planning\\\", iff(controlId contains \\\"PS.\\\", \\\"Personnel Security\\\",iff(controlId contains \\\"RA.\\\", \\\"Risk Assessment\\\",iff(controlId contains \\\"SA.\\\", \\\"System & Services Acquisition\\\",iff(controlId contains \\\"SC.\\\", \\\"System & Communications Protection\\\",iff(controlId contains \\\"SI.\\\", \\\"System & Information Integrity\\\",\\\"Other\\\")))))))))))))))))\\r\\n| where ComplianceDomain in ({ComplianceDomain}) \\r\\n | distinct RecommendationName, ComplianceDomain, tostring(RecommendationLink), tostring(state), tostring(complianceState)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by ComplianceDomain\\r\\n | extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n | project 
ControlFamily=ComplianceDomain, Total, PassedControls, Passed, Failed, Applicable, NotApplicable\\r\\n | sort by Total, Passed desc\\r\\n \",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Control Family\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 3-5\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Remediate >>\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == 
\\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = 
extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by RecommendationName, ControlID = controlId\\r\\n | extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink, name) on RecommendationName\\r\\n | extend ComplianceDomain=iff(ControlID contains \\\"AC.\\\", \\\"Access Control\\\", iff(ControlID contains \\\"AT.\\\", \\\"Security Awareness & 
Training\\\", iff(ControlID contains \\\"AU.\\\", \\\"Audit & Accountability\\\", iff(ControlID contains \\\"CA.\\\", \\\"Security Assessment\\\", iff(ControlID contains \\\"CM.\\\", \\\"Configuration Management\\\", iff(ControlID contains \\\"CP.\\\", \\\"Contingency Planning\\\", iff(ControlID contains \\\"IA.\\\", \\\"Identification & Authentication\\\", iff(ControlID contains \\\"IR.\\\", \\\"Incident Response\\\", iff(ControlID contains \\\"MA.\\\", \\\"System Maintenance\\\", iff(ControlID contains \\\"MP.\\\", \\\"Media Protection\\\", iff(ControlID contains \\\"PE.\\\", \\\"Physical Protection\\\", iff(ControlID contains \\\"PL.\\\", \\\"Security Planning\\\", iff(ControlID contains \\\"PS.\\\", \\\"Personnel Security\\\",iff(ControlID contains \\\"RA.\\\", \\\"Risk Assessment\\\",iff(ControlID contains \\\"SA.\\\", \\\"System & Services Acquisition\\\",iff(ControlID contains \\\"SC.\\\", \\\"System & Communications Protection\\\",iff(ControlID contains \\\"SI.\\\", \\\"System & Information Integrity\\\",\\\"Other\\\")))))))))))))))))\\r\\n| where ComplianceDomain in ({ComplianceDomain}) \\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, NotApplicable, Applicable, name\\r\\n | sort by Total, Passed desc\\r\\n | limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations \",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 3-5\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"name\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":5,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | 
join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, 
id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend ComplianceDomain=iff(controlId contains \\\"AC.\\\", \\\"Access Control\\\", iff(controlId contains \\\"AT.\\\", \\\"Security Awareness & Training\\\", iff(controlId contains \\\"AU.\\\", \\\"Audit & Accountability\\\", iff(controlId contains \\\"CA.\\\", \\\"Security Assessment\\\", iff(controlId contains \\\"CM.\\\", \\\"Configuration Management\\\", iff(controlId contains \\\"CP.\\\", \\\"Contingency Planning\\\", iff(controlId contains \\\"IA.\\\", \\\"Identification & Authentication\\\", iff(controlId contains \\\"IR.\\\", \\\"Incident Response\\\", iff(controlId contains \\\"MA.\\\", \\\"System Maintenance\\\", iff(controlId contains \\\"MP.\\\", \\\"Media Protection\\\", iff(controlId contains \\\"PE.\\\", \\\"Physical Protection\\\", iff(controlId contains \\\"PL.\\\", \\\"Security Planning\\\", iff(controlId contains \\\"PS.\\\", \\\"Personnel Security\\\",iff(controlId contains \\\"RA.\\\", \\\"Risk Assessment\\\",iff(controlId contains \\\"SA.\\\", \\\"System & Services Acquisition\\\",iff(controlId contains \\\"SC.\\\", \\\"System & Communications Protection\\\",iff(controlId contains \\\"SI.\\\", \\\"System & Information Integrity\\\",\\\"Other\\\")))))))))))))))))\\r\\n| where ComplianceDomain in ({ComplianceDomain}) \\r\\n| distinct RecommendationName, resourceId, tostring(state), tostring(complianceState)\\r\\n| summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), NotApplicable = countif(state == \\\"NotApplicable\\\"), Applicable = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"),Total = 
countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or state == \\\"NotApplicable\\\") by resourceId\\r\\n| extend PassedControls = (Passed/todouble(Applicable))*100\\r\\n| where Failed > 0\\r\\n| project AssessedResourceId=resourceId, Total, PassedControls, Passed, Failed, Applicable, NotApplicable\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Asset\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 3-5\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AssessedResourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"[\\\"Passed\\\"]/[\\\"Applicable\\\"]\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"},{\"columnName\":\"NotApplicable\",\"color\":\"gray\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Passed\",\"formatter\":5},{\"columnMatch\":\"Failed\",\"formatter\":5},{\"columnMatch\":\"Applicable\",\"formatter\":5},{\"columnMatch\":\"NotApplicable\",\"formatter\":5},{\"columnMatch\":\"resourceId\",\"formatter\":13,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Remediate 
>>\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRegulatoryCompliance\\r\\n| where ComplianceStandard == \\\"NIST-SP-800-53-R4\\\"\\r\\n| extend ComplianceDomain=iff(ComplianceControl contains \\\"AC.\\\", \\\"Access Control\\\", iff(ComplianceControl contains \\\"AT.\\\", \\\"Security Awareness & Training\\\", iff(ComplianceControl contains \\\"AU.\\\", \\\"Audit & Accountability\\\", iff(ComplianceControl contains \\\"CA.\\\", \\\"Security Assessment\\\", iff(ComplianceControl contains \\\"CM.\\\", \\\"Configuration Management\\\", iff(ComplianceControl contains \\\"CP.\\\", \\\"Contingency Planning\\\", iff(ComplianceControl contains \\\"IA.\\\", \\\"Identification & Authentication\\\", iff(ComplianceControl contains \\\"IR.\\\", \\\"Incident Response\\\", iff(ComplianceControl contains \\\"MA.\\\", \\\"System Maintenance\\\", iff(ComplianceControl contains \\\"MP.\\\", \\\"Media Protection\\\", iff(ComplianceControl contains \\\"PE.\\\", \\\"Physical Protection\\\", iff(ComplianceControl contains \\\"PL.\\\", \\\"Security Planning\\\", iff(ComplianceControl contains \\\"PS.\\\", \\\"Personnel Security\\\",iff(ComplianceControl contains \\\"RA.\\\", \\\"Risk Assessment\\\",iff(ComplianceControl contains \\\"SA.\\\", \\\"System & Services Acquisition\\\",iff(ComplianceControl contains \\\"SC.\\\", \\\"System & Communications Protection\\\",iff(ComplianceControl contains \\\"SI.\\\", \\\"System & Information Integrity\\\",\\\"Other\\\")))))))))))))))))\\r\\n| where ComplianceDomain in ({ComplianceDomain})\\r\\n| where State == \\\"Failed\\\"\\r\\n| make-series count() default=0 on TimeGenerated from startofday({TimeRange:start}) to startofday({TimeRange:end}) step 1d by ComplianceDomain\\r\\n| render timechart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations over Time\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. 
Follow Guidance for Steps 3-5\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AssessedResourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = 
properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationDisplayName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend azurePortalRecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project 
controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | where state == \\\"Unhealthy\\\"\\r\\n | extend Recommendation = strcat(\\\"https://\\\",azurePortalRecommendationLink), ResourceID = resourceId, ResourceType = resourceType, ResourceGroup = resourceGroup1, Severity = severity, State = state, ControlID = controlId\\r\\n | extend ComplianceDomain=iff(ControlID contains \\\"AC.\\\", \\\"Access Control\\\", iff(ControlID contains \\\"AT.\\\", \\\"Security Awareness & Training\\\", iff(ControlID contains \\\"AU.\\\", \\\"Audit & Accountability\\\", iff(ControlID contains \\\"CA.\\\", \\\"Security Assessment\\\", iff(ControlID contains \\\"CM.\\\", \\\"Configuration Management\\\", iff(ControlID contains \\\"CP.\\\", \\\"Contingency Planning\\\", iff(ControlID contains \\\"IA.\\\", \\\"Identification & Authentication\\\", iff(ControlID contains \\\"IR.\\\", \\\"Incident Response\\\", iff(ControlID contains \\\"MA.\\\", \\\"System Maintenance\\\", iff(ControlID contains \\\"MP.\\\", \\\"Media Protection\\\", iff(ControlID contains \\\"PE.\\\", \\\"Physical Protection\\\", iff(ControlID contains \\\"PL.\\\", \\\"Security Planning\\\", iff(ControlID contains \\\"PS.\\\", \\\"Personnel Security\\\",iff(ControlID contains \\\"RA.\\\", \\\"Risk Assessment\\\",iff(ControlID contains \\\"SA.\\\", \\\"System & Services Acquisition\\\",iff(ControlID contains \\\"SC.\\\", \\\"System & Communications Protection\\\",iff(ControlID contains \\\"SI.\\\", \\\"System & Information Integrity\\\",\\\"Other\\\")))))))))))))))))\\r\\n | extend FirstObserved = properties1.status.statusChangeDate\\r\\n | where ComplianceDomain in ({ComplianceDomain})\\r\\n | project ResourceID, RecommendationName=RecommendationDisplayName, ControlFamily=ComplianceDomain, ControlID, Severity=tostring(Severity), CurrentState=State, RecommendationLink=Recommendation, name, FirstObserved\\r\\n| extend Rank=iff(Severity == \\\"High\\\", 3, iff(Severity == 
\\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, 0)))\\r\\n| sort by Rank desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Current Recommendation Details\",\"noDataMessage\":\"Select Getting Started in Top Left of Workbook. Follow Guidance for Steps 3-5\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceID\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlID\",\"formatter\":1},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"Recommendation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"name\"}]}}},{\"columnMatch\":\"name\",\"formatter\":5},{\"columnMatch\":\"FirstObserved\",\"formatter\":6},{\"columnMatch\":\"Rank\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 8\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAssessmentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Assessment\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Controls Crosswalk](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-nist-sp-800-53-solution/ba-p/3381485)\\r\\n---\\r\\nControls crosswalk provides a mapping of NIST SP 800-53 controls across respective offerings. 
This provides free-text search capabilities mapping NIST SP 800-53 controls to Microsoft offerings.\"},\"customWidth\":\"40\",\"name\":\"Controls Mapping\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Crosswalk = datatable([\\\"Control Name\\\"]: string, [\\\"Control ID\\\"]: string, [\\\"Control Family\\\"]: string, [\\\"Microsoft Offerings\\\"]: string) [\\r\\n\\\"Account Management\\\", \\\"AC-2\\\", \\\"Access Control\\\", \\\"Azure Active Directory | Microsoft Defender for Cloud | Microsoft Sentinel\\\",\\r\\n\\\"Access Enforcement\\\", \\\"AC-3\\\", \\\"Access Control\\\", \\\"Microsoft Defender for Cloud\\\",\\r\\n\\\"Information Flow Enforcement\\\", \\\"AC-4\\\", \\\"Access Control\\\", \\\"Microsoft Defender for Cloud | Azure WAF | Front Door | Microsoft Information Protection | Microsoft Endpoint Manager \\\",\\r\\n\\\"Separation of Duties\\\", \\\"AC-5\\\", \\\"Access Control\\\", \\\"Azure Active Directory | Microsoft Sentinel | Privileged Identity Management\\\",\\r\\n\\\"Least Privilege\\\", \\\"AC-6\\\", \\\"Access Control\\\", \\\"Azure Active Directory | Privileged Identity Management\\\",\\r\\n\\\"Unsuccessful Logon Attempts\\\", \\\"AC-7\\\", \\\"Access Control\\\", \\\"Azure Active Directory | Privileged Identity Management | M365 Compliance Manager | Microsoft Endpoint Manager\\\",\\r\\n\\\"System Use Notification\\\", \\\"AC-8\\\", \\\"Access Control\\\", \\\"Azure Active Directory | Microsoft Defender for Cloud | Microsoft Endpoint Manager\\\",\\r\\n\\\"Session Lock\\\", \\\"AC-11\\\", \\\"Access Control\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager\\\",\\r\\n\\\"Session Termination\\\", \\\"AC-12\\\", \\\"Access Control\\\", \\\"Azure Active Directory\\\",\\r\\n\\\"Security Attributes\\\", \\\"AC-16\\\", \\\"Access Control\\\", \\\"Azure Active Directory | Azure Information Protection\\\",\\r\\n\\\"Remote Access\\\", \\\"AC-17\\\", \\\"Access Control\\\", \\\"Microsoft Defender for Cloud | Azure 
Active Directory | Front Door | Azure Bastion | ExpressRoute | Azure WAF | Microsoft Endpoint Manager\\\",\\r\\n\\\"Wireless Access\\\", \\\"AC-18\\\", \\\"Access Control\\\", \\\"Microsoft Endpoint Manager | Azure Active Directory | Microsoft Defender for Cloud\\\",\\r\\n\\\"Access Control for Mobile Devices\\\", \\\"AC-19\\\", \\\"Access Control\\\", \\\"Azure Active Directory | Microsoft Endpoint Manager\\\",\\r\\n\\\"Use of External Information Systems\\\", \\\"AC-20\\\", \\\"Access Control\\\", \\\"Microsoft Defender for Cloud | Azure Active Directory | Microsoft Defender for Cloud Apps\\\",\\r\\n\\\"Audit Events\\\", \\\"AU-2\\\", \\\"Audit & Accountability\\\", \\\"Azure Monitor | Microsoft 365 Defender\\\",\\r\\n\\\"Content of Audit Records\\\", \\\"AU-3\\\", \\\"Audit & Accountability\\\", \\\"Azure Monitor | Azure Active Directory\\\",\\r\\n\\\"Response to Audit Processing Failures\\\", \\\"AU-5\\\", \\\"Audit & Accountability\\\", \\\"Azure Monitor | Microsoft Sentinel\\\",\\r\\n\\\"Audit Review, Analysis, & Reporting\\\", \\\"AU-6\\\", \\\"Audit & Accountability\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Microsoft 365 Compliance Manager | Azure Active Directory | Azure Monitor\\\",\\r\\n\\\"Audit Reduction & Report Generation\\\", \\\"AU-7\\\", \\\"Audit & Accountability\\\", \\\"Microsoft Sentinel\\\",\\r\\n\\\"Time Stamps\\\", \\\"AU-8\\\", \\\"Audit & Accountability\\\", \\\"Microsoft Defender for Cloud\\\",\\r\\n\\\"Protection of Audit Information\\\", \\\"AU-9\\\", \\\"Audit & Accountability\\\", \\\"Microsoft Sentinel | Azure Monitor | Microsoft Defender for Cloud | Azure Active Directory | Key Vault | Microsoft 365 Compliance Manager\\\",\\r\\n\\\"Audit Record Retention\\\", \\\"AU-11\\\", \\\"Audit & Accountability\\\", \\\"Microsoft Sentinel | Azure Monitor | Azure Data Explorer\\\",\\r\\n\\\"Audit Generation\\\", \\\"AU-12\\\", \\\"Audit & Accountability\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint 
Manager | Microsoft 365 Compliance Manager | Azure Active Directory | Azure Monitor\\\",\\r\\n\\\"Security Assessments\\\", \\\"CA-2\\\", \\\"Security Assessment & Authorization\\\", \\\"Microsoft Defender for Cloud | Microsoft 365 Defender\\\",\\r\\n\\\"System Interconnections\\\", \\\"CA-3\\\", \\\"Security Assessment & Authorization\\\", \\\"Virtual Network | Network Security Groups | Network Watcher | Azure Firewall | ExpressRoute | Traffic Manager | VPN Gateway\\\",\\r\\n\\\"Continuous Monitoring\\\", \\\"CA-4\\\", \\\"Security Assessment & Authorization\\\", \\\"Microsoft Defender for Cloud | Microsoft Sentinel\\\",\\r\\n\\\"Baseline Configuration\\\", \\\"CM-2\\\", \\\"Configuration Management\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager\\\",\\r\\n\\\"Configuration Change Control\\\", \\\"CM-3\\\", \\\"Configuration Management\\\", \\\"Virtual Machines | Automation Accounts\\\",\\r\\n\\\"Security Impact Analysis\\\", \\\"CM-4\\\", \\\"Configuration Management\\\", \\\"Microsoft Defender for Cloud | Azure Active Directory | Microsoft Endpoint Manager\\\",\\r\\n\\\"Access Restrictions for Change\\\", \\\"CM-5\\\", \\\"Configuration Management\\\", \\\"Azure Active Directory | Privileged Identity Management | Microsoft Endpoint Manager\\\",\\r\\n\\\"Configuration Settings\\\", \\\"CM-6\\\", \\\"Configuration Management\\\", \\\"Microsoft Defender for Cloud | Azure Policy | Microsoft Endpoint Manager\\\",\\r\\n\\\"Least Functionality\\\", \\\"CM-7\\\", \\\"Configuration Management\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Azure Active Directory | Managed Identities\\\",\\r\\n\\\"System Component Inventory\\\", \\\"CM-8\\\", \\\"Configuration Management\\\", \\\"Microsoft Defender for Cloud | Microsoft 365 Defender\\\",\\r\\n\\\"Configuration Management Plan\\\", \\\"CM-9\\\", \\\"Configuration Management\\\", \\\"Maintenance Configurations | Auto-manage | Automation Accounts | File Integrity Monitoring | 
Inventory\\\",\\r\\n\\\"Software Usage Restrictions\\\", \\\"CM-10\\\", \\\"Configuration Management\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Azure Active Directory | Automation Accounts\\\",\\r\\n\\\"User-Installed Software\\\", \\\"CM-11\\\", \\\"Configuration Management\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Azure Active Directory | Automation Accounts\\\",\\r\\n\\\"Alternate Storage Site\\\", \\\"CP-6\\\", \\\"Contingency Planning\\\", \\\"Storage Accounts | SQL Databases | Microsoft Defender for Cloud\\\",\\r\\n\\\"Alternate Processing Site\\\", \\\"CP-7\\\", \\\"Contingency Planning\\\", \\\"Microsoft Defender for Cloud | Availability Sets | Virtual Machine Scale Sets\\\",\\r\\n\\\"Information System Backup\\\", \\\"CP-9\\\", \\\"Contingency Planning\\\", \\\"Backup Center | Recovery Services Vaults | Key Vault\\\",\\r\\n\\\"Organizational Users\\\", \\\"IA-2\\\", \\\"Identification & Authentication\\\", \\\"Azure Active Directory | Microsoft Defender for Cloud\\\",\\r\\n\\\"Identifier Management\\\", \\\"IA-4\\\", \\\"Identification & Authentication\\\", \\\"Azure Active Directory | Microsoft Defender for Cloud | Microsoft Defender for Cloud Apps\\\",\\r\\n\\\"Authenticator Management\\\", \\\"IA-5\\\", \\\"Identification & Authentication\\\", \\\"Azure Active Directory | Microsoft Defender for Cloud | Microsoft Endpoint Manager | Key Vault\\\",\\r\\n\\\"Authenticator Feedback\\\", \\\"IA-6\\\", \\\"Identification & Authentication\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager\\\",\\r\\n\\\"Cryptographic Module Authentication\\\", \\\"IA-7\\\", \\\"Identification & Authentication\\\", \\\"Azure Active Directory | Microsoft Defender for Cloud\\\",\\r\\n\\\"Non-Organizational Users\\\", \\\"IA-8\\\", \\\"Identification & Authentication\\\", \\\"Azure Active Directory | Microsoft Defender for Cloud\\\",\\r\\n\\\"Incident Response Testing\\\", \\\"IR-3\\\", \\\"Incident Response\\\", 
\\\"Microsoft Sentinel | Microsoft 365 Defender\\\",\\r\\n\\\"Incident Handling\\\", \\\"IR-4\\\", \\\"Incident Response\\\", \\\"Microsoft Sentinel | Microsoft 365 Defender\\\",\\r\\n\\\"Incident Monitoring\\\", \\\"IR-5\\\", \\\"Incident Response\\\", \\\"Microsoft Sentinel | Microsoft 365 Defender\\\",\\r\\n\\\"Incident Reporting\\\", \\\"IR-6\\\", \\\"Incident Response\\\", \\\"Microsoft Sentinel | Microsoft 365 Defender\\\",\\r\\n\\\"Media Access\\\", \\\"MP-2\\\", \\\"Media Protection\\\", \\\"Azure Information Protection | Microsoft Defender for Cloud Apps | Microsoft 365 Compliance Manager\\\",\\r\\n\\\"Media Marking \\\", \\\"MP-3\\\", \\\"Media Protection\\\", \\\"Azure Information Protection\\\",\\r\\n\\\"Media Transport\\\", \\\"MP-5\\\", \\\"Media Protection\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Key Vault | Customer Lockbox\\\",\\r\\n\\\"Media Sanitization\\\", \\\"MP-6\\\", \\\"Media Protection\\\", \\\"Microsoft Defender for Cloud | Key Vault\\\",\\r\\n\\\"Media Use\\\", \\\"MP-7\\\", \\\"Media Protection\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager\\\",\\r\\n\\\"Security Categorization\\\", \\\"RA-2\\\", \\\"Risk Assessment\\\", \\\"Microsoft Defender for Cloud | Microsoft 365 Defender\\\",\\r\\n\\\"Risk Assessment\\\", \\\"RA-3\\\", \\\"Risk Assessment\\\", \\\"Microsoft Defender for Cloud | Azure Active Directory | Microsoft Sentinel\\\",\\r\\n\\\"Vulnerability Scanning\\\", \\\"RA-5\\\", \\\"Risk Assessment\\\", \\\"Microsoft Defender for Cloud | Microsoft 365 Defender\\\",\\r\\n\\\"Security Function Isolation\\\", \\\"SC-3\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Microsoft 365 Defender\\\",\\r\\n\\\"Denial of Service Protection\\\", \\\"SC-5\\\", \\\"System & Communications Protection\\\", \\\"Azure DDoS\\\",\\r\\n\\\"Resource Availability\\\", \\\"SC-6\\\", \\\"System & Communications Protection\\\", \\\"Load Balancers | 
Traffic Manager | Front Door | Application Gateway | Virtual Machine Scale Sets | SQL Databases\\\",\\r\\n\\\"Boundary Protection\\\", \\\"SC-7\\\", \\\"System & Communications Protection\\\", \\\"Virtual Networks | Network Security Groups | Virtual Network Gateways | ExpressRoute | Azure Firewall | Azure WAF | Application Gateway | Network Watcher\\\",\\r\\n\\\"Transmission Confidentiality & Integrity\\\", \\\"SC-8\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Azure Active Directory | Key Vault | Virtual Network Gateway | ExpressRoute\\\",\\r\\n\\\"Network Disconnect\\\", \\\"SC-10\\\", \\\"System & Communications Protection\\\", \\\"Azure Active Directory | Virtual Network Gateways | Microsoft Defender for Cloud\\\",\\r\\n\\\"Cryptographic Key Management\\\", \\\"SC-12\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Key Vault\\\",\\r\\n\\\"Cryptographic Protection\\\", \\\"SC-13\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Key Vault\\\",\\r\\n\\\"Public Key Infrastructure Certificates\\\", \\\"SC-17\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Key Vault | Azure Active Directory\\\",\\r\\n\\\"Mobile Code\\\", \\\"SC-18\\\", \\\"System & Communications Protection\\\", \\\"Microsoft 365 Defender | Microsoft Endpoint Manager\\\",\\r\\n\\\"Voice Over Internet Protocol\\\", \\\"SC-19\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Teams\\\",\\r\\n\\\"Secure Name Resolution Service\\\", \\\"SC-21\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Azure DNS\\\",\\r\\n\\\"Provisioning Address Resolution Service\\\", \\\"SC-22\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Azure DNS\\\",\\r\\n\\\"Session Authenticity\\\", \\\"SC-23\\\", \\\"System & Communications Protection\\\", 
\\\"Microsoft Defender for Cloud | Azure Active Directory\\\",\\r\\n\\\"Honeypots\\\", \\\"SC-26\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Sentinel | Key Vault\\\",\\r\\n\\\"Protection of Information at Rest\\\", \\\"SC-28\\\", \\\"System & Communications Protection\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager | Key Vault | SQL Databases\\\",\\r\\n\\\"Flaw Remediation\\\", \\\"SI-2\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Defender for Cloud | Microsoft 365 Defender | Microsoft Endpoint Manager\\\",\\r\\n\\\"Malicious Code Protection\\\", \\\"SI-3\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Sentinel | Microsoft Defender for Cloud | Microsoft 365 Defender | Microsoft Endpoint Manager\\\",\\r\\n\\\"Information System Monitoring\\\", \\\"SI-4\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Sentinel | Microsoft Defender for Cloud\\\",\\r\\n\\\"Security Alerts, Advisories, & Directives\\\", \\\"SI-5\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Defender for Cloud | Microsoft Sentinel\\\",\\r\\n\\\"Software, Firmware, & Information Integrity\\\", \\\"SI-7\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Defender for Cloud | Azure Active Directory | Automation Accounts\\\",\\r\\n\\\"Spam Protection\\\", \\\"SI-8\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Defender for Office 365\\\",\\r\\n\\\"Information Handling & Retention\\\", \\\"SI-12\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Sentinel | Azure Monitor\\\",\\r\\n\\\"Memory Protection\\\", \\\"SI-16\\\", \\\"System & Information Integrity\\\", \\\"Microsoft Defender for Cloud | Microsoft Endpoint Manager\\\"\\r\\n];\\r\\nCrosswalk\\r\\n| project [\\\"Control Name\\\"],[\\\"Control ID\\\"],[\\\"Control Family\\\"],[\\\"Microsoft 
Offerings\\\"]\",\"size\":0,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Control Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Control Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Microsoft Offerings\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Controls Mapping\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)\\r\\n---\\r\\nAzure Lighthouse helps service providers simplify customer engagement and onboarding experiences, while managing delegated resources at scale with agility and precision. Authorized users, groups, and service principals can work directly in the context of a customer subscription without having an account in that customer's Microsoft Entra ID tenant or being a co-owner of the customer's tenant. The mechanism used to support this access is called Azure delegated resource management. 
\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"1cf637a7-121d-4722-b511-b0c460625e31\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Access Azure Lighthouse\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"LighthouseBlade\",\"extensionName\":\"Microsoft_Azure_CustomerHub\"}}]},\"customWidth\":\"50\",\"name\":\"links - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"managedservicesresources\\r\\n| where type == \\\"microsoft.managedservices/registrationassignments\\\"\\r\\n| where properties.provisioningState == \\\"Succeeded\\\"\\r\\n| extend ManageeTenantName = properties.registrationDefinition.properties.manageeTenantName\\r\\n| extend ManagedByTenantName = properties.registrationDefinition.properties.managedByTenantName\\r\\n| extend ManagedByTenantId = properties.registrationDefinition.properties.managedByTenantId\\r\\n| extend ManageeTenantId = tostring(properties.registrationDefinition.properties.manageeTenantId)\\r\\n| extend PermanentAccess = properties.registrationDefinition.properties.authorizations\\r\\n| extend JITAccess = properties.registrationDefinition.properties.eligibleAuthorizations\\r\\n| extend AddedDate = properties.registrationDefinition.systemData.createdAt\\r\\n| extend CreatedBy = systemData.createdBy\\r\\n| project ManageeTenantName, ManageeTenantId, ManagedByTenantName, ManagedByTenantId, AddedDate, CreatedBy\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Lighthouse Delegations\",\"noDataMessage\":\"No Azure Lighthouse Delegations/Customers 
Detected\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ManageeTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Download\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManageeTenantId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"ManagedByTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Upload\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManagedByTenantId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"AddedDate\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Clock\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"CreatedBy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PermanentAccess\",\"formatter\":1},{\"columnMatch\":\"JITAccess\",\"formatter\":1}],\"filter\":true}},\"name\":\"query - 21 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isALVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 21\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=AC)\\r\\n---\\r\\nAccess Control is the process of authorizing users, groups, and computers to access objects on a network, asset, and/or cloud. 
Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Account Management [AC-2]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-2.\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Enforcement [AC-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Information Flow Enforcement [AC-4]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-4\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Separation of Duties [AC-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-5\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Least Privilege [AC-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-6\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Unsuccessful Logon Attempts [AC-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-7\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Use Notification [AC-8]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-8\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-2.\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4e1641a6-9ed2-4725-aab9-7ae3212d2a5d\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC4Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-4\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"11b9dffc-183e-4365-9db9-f0b027e497a9\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"o
perator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a97dabbf-ffa2-4ca0-8fff-eccb9e5b096c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-6\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"06ae683e-fd15-455b-be2d-0d0822287dfa\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"6a82c6f2-dde9-45d9-acf4-23e96b5b2647\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC8Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-8\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"32eef6d6-6f06-421b-b88e-216496da06fa\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Session Lock [AC-11]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-11\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Session Termination [AC-12]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-12\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Attributes [AC-16]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-16\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Remote Access [AC-17]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-17\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Wireless Access [AC-18]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-18\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Control for Mobile Devices [AC-19]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-19\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Use of External Information Systems [AC-20]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AC-20\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c2c9eb47-127a-427a-b53d-25edd282b137\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC11Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-11\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC12Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-12\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"73feb40f-e952-4fad-b176-4b91cbc959f1\"},{\"id\":\"77350ee2-df63-4aab-937e-9d7a77ec458c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC16Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-16\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"d23f23ae-55d4-4905-b76d-7e2c73bff732\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC17Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-17\",\"resultValType\":\"stat
ic\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"9a183985-6073-4d09-8fd2-20078b1cd218\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC18Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-18\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"331f130c-8c5b-4a7e-9baf-e944146c3d6c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC19Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-19\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"6483c9b8-9174-49e3-9f98-2e9cca2ed7eb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAC20Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AC-20\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - 
Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Account Management (AC-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#account-management) \\r\\n\\r\\n\\ta. Define and document the types of accounts allowed and specifically prohibited for use within the system;\\r\\n\\tb. Assign account managers;\\r\\n\\tc. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;\\r\\n\\td. Specify:\\r\\n\\t\\t1. Authorized users of the system;\\r\\n\\t\\t2. Group and role membership; and\\r\\n\\t\\t3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;\\r\\n\\te. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;\\r\\n\\tf. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];\\r\\n\\tg. Monitor the use of accounts;\\r\\n\\th. Notify account managers and [Assignment: organization-defined personnel or roles] within:\\r\\n\\t\\t1. [Assignment: organization-defined time period] when accounts are no longer required;\\r\\n\\t\\t2. [Assignment: organization-defined time period] when users are terminated or transferred; and\\r\\n\\t\\t3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;\\r\\n\\ti. Authorize access to the system based on:\\r\\n\\t\\t1. A valid access authorization;\\r\\n\\t\\t2. Intended system usage; and\\r\\n\\t\\t3. [Assignment: organization-defined attributes (as required)];\\r\\n\\tj. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];\\r\\n\\tk. 
Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and\\r\\n\\tl. Align account management processes with personnel termination and transfer processes.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) 🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) 🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Entra ID feature deployment guide](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-deployment-checklist-p2)
\\r\\n💡 [Deploying Active Directory Federation Services in Azure](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs)
\\r\\n💡 [User sign-in with Microsoft Entra ID Pass-through Authentication](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-pta)
\\r\\n💡 [Tutorial: Grant a user access to Azure resources using the Azure portal](https://docs.microsoft.com/azure/role-based-access-control/quickstart-assign-role-user-portal)
\\r\\n💡 [Azure RBAC documentation](https://docs.microsoft.com/azure/role-based-access-control/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Privileged Identity Management](https://ms.portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://ms.portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n\\r\\n### NIST SP 800-53 R5 Guidance\\r\\n[AC-2]( https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"AC.2.*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n| parse RecommendationLink with * '#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *\\r\\n| distinct RecommendationName, ControlID, Total, RecommendationLink, PassedControls, Passed, Failed, assessmentKey\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-2] Account Management -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where ResultType == \\\"0\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| summarize LastSignIn = datetime_diff(\\\"day\\\", now(), max(TimeGenerated)) by UserPrincipalName, LastSignInTime=TimeGenerated, UserId\\r\\n| where LastSignIn >= 28\\r\\n| project UserPrincipalName, LastSignIn, LastSignInTime, AADProfile=UserId\\r\\n| sort by LastSignIn desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-2(3)] Account Management | Disable Accounts -- Inactive Microsoft Entra ID Accounts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LastSignIn\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"AADProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"AADProfile\"}]}}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"SignInsBeforeInactive\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let PreviousRoles = IdentityInfo\\r\\n| where TimeGenerated > ago(7d)\\r\\n| extend UserPrincipalName = AccountUPN;\\r\\nIdentityInfo\\r\\n| extend UserPrincipalName = AccountUPN\\r\\n| join (PreviousRoles) on UserPrincipalName\\r\\n| extend ChangedRoles = set_difference(AssignedRoles, AssignedRoles1)\\r\\n| extend ChangedGroups = set_difference(GroupMembership, GroupMembership1)\\r\\n| where ChangedRoles contains \\\"security\\\" or ChangedRoles contains \\\"admin\\\" or ChangedGroups contains \\\"security\\\" or ChangedGroups contains \\\"admin\\\"\\r\\n| join (SigninLogs| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)|project UserPrincipalName, UserProfile, UserId) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, ChangedRoles, ChangedGroups, ChangeObservedTime=TimeGenerated, UserId\\r\\n| extend ChangedRoles=strcat(ChangedRoles)\\r\\n| extend ChangedGroups=strcat(ChangedGroups)\\r\\n| distinct UserPrincipalName, UserProfile, ChangedRoles, ChangedGroups, ChangeObservedTime, UserId\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-2(7)] Account Management | Privileged User Accounts -- Microsoft Entra ID Privileged Role/Attribute Changes\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"LastSignIn\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"SignInsBeforeInactive\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| extend PIM = strcat(\\\"https://ms.portal.azure.com/#blade/Microsoft_Azure_PIMCommon/MyAuditsMenuBlade/aadmigratedroles\\\")\\r\\n| distinct OperationName, Identity, AADOperationType, PIM, TimeGenerated\\r\\n| sort by TimeGenerated 
desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-2(7)] Account Management | Privileged User Accounts -- Privileged Identity Management (PIM) Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Identity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PIM\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Privileged Identity Management >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"MyAuditsMenuBlade\",\"extensionName\":\"Microsoft_Azure_PIMCommon\"}}},{\"columnMatch\":\"GrantedTo\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go To: AAD Profile >\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"[AC-2] Account Management -- Review Roles & Groups by 
Usage\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| summarize arg_max(TimeGenerated, *) by AccountUPN\\r\\n| mv-expand AssignedRoles\\r\\n| summarize count() by AssignedRoles=strcat(AssignedRoles)\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assigned Roles by User Count\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile 
>>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| summarize arg_max(TimeGenerated, *) by AccountUPN\\r\\n| mv-expand GroupMembership\\r\\n| summarize count() by GroupMembership=strcat(GroupMembership)\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Group Memberships by User Count\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy\"}]},\"name\":\"group - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Enforcement 
(AC-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#access-enforcement)\\r\\n\\r\\nEnforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
\\r\\n💡 [Microsoft Entra ID Identity Governance documentation](https://docs.microsoft.com/azure/active-directory/governance/)
\\r\\n💡 [What is Microsoft Entra ID Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Enable and request just-in-time access for Azure Managed Applications](https://docs.microsoft.com/azure/azure-resource-manager/managed-applications/request-just-in-time-access)
\\r\\n💡 [How it works: Microsoft Entra ID Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"AC.3\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-3] Access Enforcement -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Information Flow Enforcement (AC-4)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#information-flow-enforcement)\\r\\n\\r\\nEnforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [How to configure the policy settings for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-settings)
\\r\\n💡 [Tutorial: Create a Web Application Firewall policy on Azure Front Door using the Azure portal](https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-create-portal)
\\r\\n💡 [What is Azure Front Door?](https://docs.microsoft.com/azure/frontdoor/front-door-overview)
\\r\\n💡 [Microsoft Endpoint Manager overview](https://docs.microsoft.com/mem/endpoint-manager-overview)
\\r\\n💡 [Network access control (NAC) integration with Intune](https://docs.microsoft.com/mem/intune/protect/network-access-control-integrate)
\\r\\n💡 [What are common ways to use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
\\r\\n💡 [Prevent data leaks on non-managed devices using Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/data-leak-prevention)
\\r\\n💡 [App protection policies overview](https://docs.microsoft.com/mem/intune/apps/app-protection-policy)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Azure Web Application Firewall](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n🔀 [Front Doors](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/frontdoors)
\\r\\n🔀 [Microsoft Information Protection](https://compliance.microsoft.com/informationprotection?viewid=overview)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-4](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-4)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"AC.4\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-4] Information Flow Enforcement -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC4Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Separation of Duties (AC-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#separation-of-duties)\\r\\n\\r\\n\\ta. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and\\r\\n\\tb. Define system access authorizations to support separation of duties.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
\\r\\n💡 [Azure custom roles](https://docs.microsoft.com/azure/role-based-access-control/custom-roles)
\\r\\n💡 [Steps to assign an Azure role](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-steps)
\\r\\n💡 [What is Microsoft Entra ID Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Enable and request just-in-time access for Azure Managed Applications](https://docs.microsoft.com/azure/azure-resource-manager/managed-applications/request-just-in-time-access)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Entra ID: Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Roles = IdentityInfo\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName=AccountUPN\\r\\n| project UserPrincipalName, AssignedRoles=strcat(AssignedRoles), GroupMemberships=strcat(GroupMembership);\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (Roles) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, AssignedRoles, GroupMemberships, UserId\\r\\n| sort by UserPrincipalName asc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-5] Separation of Duties -- Review User Roles and Groups\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"LastSignIn\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"SignInsBeforeInactive\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":2500,\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Least Privilege 
(AC-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#least-privilege)\\r\\n\\r\\nEmploy the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs?WT.mc_id=Portal-fx) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
\\r\\n💡 [What is Microsoft Entra ID Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Enable and request just-in-time access for Azure Managed Applications](https://docs.microsoft.com/azure/azure-resource-manager/managed-applications/request-just-in-time-access)
\\r\\n💡 [Office 365 Security & Compliance: Enable Auditing for Admins](https://docs.microsoft.com/microsoft-365/compliance/turn-audit-log-search-on-or-off)
\\r\\n💡 [Audited Activities](https://docs.microsoft.com/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance)
\\r\\n💡 [Use audit logs to track and monitor events in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/monitor-audit-logs)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [ Microsoft Entra ID : Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n🔀 [Microsoft 365 Compliance: Audit](https://compliance.microsoft.com/auditlogsearch?viewid=Test%20Tab)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| extend PIM = strcat(\\\"https://ms.portal.azure.com/#blade/Microsoft_Azure_PIMCommon/MyAuditsMenuBlade/aadmigratedroles\\\")\\r\\n| distinct OperationName, Identity, AADOperationType, PIM, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-6] Least Privilege -- Privileged Identity Management (PIM) Elevations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Identity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PIM\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Privileged Identity Management 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"MyAuditsMenuBlade\",\"extensionName\":\"Microsoft_Azure_PIMCommon\"}}},{\"columnMatch\":\"GrantedTo\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go To: AAD Profile >\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Unsuccessful Logon Attempts (AC-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#unsuccessful-logon-attempts)\\r\\n\\r\\n\\ta. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and\\r\\n\\tb. 
Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Protect user accounts from attacks with Microsoft Entra ID smart lockout](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-smart-lockout)
\\r\\n💡 [Manage Microsoft Entra ID smart lockout values](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-smart-lockout#manage-azure-ad-smart-lockout-values)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SignInFailures = SigninLogs\\r\\n| where ResultType <> 0\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| summarize count() by UserPrincipalName, UserId, UserProfile\\r\\n| extend FailedSignInCount=count_;\\r\\nlet LastObserved = SigninLogs\\r\\n| where ResultType <> 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastFailedSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| where ResultType <> 0\\r\\n| make-series Trend = dcount(ResultType) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by UserPrincipalName\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| join (SignInFailures) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, FailedSignInCount, Trend, LastFailedSignIn, UserId\\r\\n| sort by FailedSignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-7] Unsuccessful Logon Attempts -- Monitor Logon Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"FailedSignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System Use Notification 
(AC-8)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#system-use-notification)\\r\\n\\r\\n\\ta. Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:\\r\\n\\t\\t1. Users are accessing a U.S. Government system;\\r\\n\\t\\t2. System usage may be monitored, recorded, and subject to audit;\\r\\n\\t\\t3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and\\r\\n\\t\\t4. Use of the system indicates consent to monitoring and recording;\\r\\n\\tb. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and\\r\\n\\tc. For publicly accessible systems:\\r\\n\\t\\t1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system;\\r\\n\\t\\t2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and\\r\\n\\t\\t3. Include a description of the authorized uses of the system.\\r\\n\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Entra ID terms of use](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use)
\\r\\n💡 [Create terms and conditions](https://docs.microsoft.com/mem/intune/enrollment/terms-and-conditions-create#create-terms-and-conditions)
\\r\\n💡 [Choosing the right Terms solution for your organization](https://techcommunity.microsoft.com/t5/intune-customer-success/choosing-the-right-terms-solution-for-your-organization/ba-p/280180)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID: Conditional Access - Terms of Use](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/TermsOfUse)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center: Terms & Conditions](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/TenantAdminMenu/termsAndConditions)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-8](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-8)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"banner\\\" or Description contains \\\"agree\\\" or Description contains \\\"notification\\\" or Description contains \\\"terms\\\" or Description contains \\\"privacy\\\" or Description contains \\\"notice\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"banner\\\" or Description contains \\\"agree\\\" or Description contains \\\"notification\\\" or Description contains \\\"terms\\\" or Description contains \\\"privacy\\\" or Description contains \\\"notice\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"banner\\\" or Description contains \\\"agree\\\" or Description contains \\\"notification\\\" or Description contains \\\"terms\\\" or Description contains \\\"privacy\\\" or Description contains \\\"notice\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, 
FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-8] System Use Notifications -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC8Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Session Control (AC-11)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#session-lock)\\r\\n\\r\\n\\ta. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and\\r\\n\\tb. Retain the device lock until the user reestablishes access using established identification and authentication procedures.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Require device to be marked as compliant](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-grant#require-device-to-be-marked-as-compliant)
\\r\\n💡 [Locked screen experience](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience)
\\r\\n💡 [Password box](https://docs.microsoft.com/windows/apps/design/controls/password-box)
\\r\\n💡 [Policy CSP - CredentialsUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialsui)
\\r\\n💡 [Interactive logon: Machine inactivity limit](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit)
\\r\\n💡 [Account Lockout Policy](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/account-lockout-policy)
\\r\\n💡 [Disable Password Reveal Option](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialsui#credentialsui-disablepasswordreveal)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-11](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-11)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"lock\\\" or Description contains \\\"pattern\\\" or Description contains \\\"screen\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"lock\\\" or Description contains \\\"pattern\\\" or Description contains \\\"screen\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"lock\\\" or Description contains \\\"pattern\\\" or Description contains \\\"screen\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-11] Session Control -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC11Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-11\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Session Termination (AC-12)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#session-termination)\\r\\n\\r\\nAutomatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AADUserRiskEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/aaduserriskevents) ✳️ [](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Conditional Access: Sign-in risk-based Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-risk)
\\r\\n💡 [Conditional Access: User risk-based Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user)
\\r\\n💡 [Continuous access evaluation](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation)
\\r\\n💡 [Account lockout threshold](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/account-lockout-threshold)
\\r\\n💡 [Protecting your organization against password spray attacks](https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/)
\\r\\n💡 [Protect user accounts from attacks with Microsoft Entra ID smart lockout](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-smart-lockout)
\\r\\n💡 [AD FS Extranet Lockout and Extranet Smart Lockout](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID: Risky Sign-Ins](https://portal.azure.com/#blade/Microsoft_AAD_IAM/RiskySignInsBlade)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-12](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-12)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| summarize arg_max(TimeGenerated,*) by AccountUPN\\r\\n| join kind=inner(\\r\\nSigninLogs) on $left.AccountUPN==$right.UserPrincipalName\\r\\n| project SigninTime=TimeGenerated1, UserPrincipalName, AppDisplayName, ResultType, AssignedRoles, Location, UserAgent, AuthenticationRequirement, Country, City, CorrelationId\\r\\n| join kind=inner (\\r\\nAADUserRiskEvents) on CorrelationId\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId), AssignedRoles=strcat(AssignedRoles)\\r\\n| distinct UserPrincipalName, UserProfile, RiskLevel, AppDisplayName, AssignedRoles, Country, SigninTime, UserId\\r\\n| extend Rank=iff(RiskLevel == \\\"high\\\", 3, iff(RiskLevel == \\\"medium\\\", 2, iff(RiskLevel == \\\"low\\\", 1, 0)))\\r\\n| sort by Rank desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-12] Review/Terminate User Session Risk Events\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"RiskLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AppDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense 
Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"Rank\",\"formatter\":5},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC12Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Attributes (AC-16)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#security-attributes)\\r\\n\\r\\n\\ta. 
Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission;\\r\\n\\tb. Ensure that the attribute associations are made and retained with the information;\\r\\n\\tc. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes];\\r\\n\\td. Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes];\\r\\n\\te. Audit changes to attributes; and\\r\\n\\tf. Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionEvents](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Azure attribute-based access control (Azure ABAC)?](https://docs.microsoft.com/azure/role-based-access-control/conditions-overview)
\\r\\n💡 [Azure role assignment conditions](https://docs.microsoft.com/azure/storage/common/storage-auth-abac-examples)
\\r\\n💡 [Apply a sensitivity label to content automatically](https://docs.microsoft.com/microsoft-365/compliance/apply-sensitivity-label-automatically?)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID: Custom Security attributes](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/CustomAttributesCatalog)
\\r\\n🔀 [Azure Information Protection: Labels](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/globalBlade)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-16](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-16)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionEvents\\r\\n| extend AIP = strcat(\\\"https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/ActivityLogsBlade\\\")\\r\\n| project User, AIP, LabelName, Activity, ItemName, ItemPath, Platform, ApplicationName, ProtectionOwner, IpAddress, Time\\r\\n| sort by Time desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-16] Security Attributes -- Azure Information Protection DLP Logs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LabelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AIP\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection 
>>\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}}},{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProtectionOwner\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 
2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC16Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-16\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Remote Access (AC-17)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#security-attributes)\\r\\n\\r\\n\\ta. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and\\r\\n\\tb. Authorize each type of remote access to the system prior to allowing such connections.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [resources](https://docs.microsoft.com/azure/governance/resource-graph/overview) ✳️ [Azure Front Door](https://azure.microsoft.com/services/frontdoor/)\\r\\n✳️ [Azure ExpressRoute](https://azure.microsoft.com/services/expressroute/) ✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) ✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Azure Bastion?](https://docs.microsoft.com/azure/bastion/bastion-overview)
\\r\\n💡 [Create a bastion host](https://docs.microsoft.com/azure/bastion/tutorial-create-host-portal#createhost)
\\r\\n💡 [Network access control (NAC) integration with Intune](https://docs.microsoft.com/mem/intune/protect/network-access-control-integrate)
\\r\\n💡 [Create a Conditional Access policy](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa#create-a-conditional-access-policy)
\\r\\n💡 [What is Azure ExpressRoute?](https://docs.microsoft.com/azure/expressroute/expressroute-introduction)
\\r\\n💡 [Configuring a VPN Gateway](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways#configuring)
\\r\\n💡 [Using the location condition in a Conditional Access policy](https://docs.microsoft.com/azure/active-directory/conditional-access/location-condition)
\\r\\n💡 [Customize Web Application Firewall rules using the Azure portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-customize-waf-rules-portal)
\\r\\n💡 [What is Azure Front Door?](https://docs.microsoft.com/azure/frontdoor/front-door-overview)
\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access - Named Locations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/NamedLocations)
\\r\\n🔀 [Front Door](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/frontdoors)
\\r\\n🔀 [Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FbastionHosts)
\\r\\n🔀 [ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n🔀 [Web Application Firewall policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-17](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-17)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"AC.17.*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-17] Remote Access -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"bastion\\\" or type contains \\\"applicationgateways\\\" or type contains \\\"front\\\" or type contains \\\"private\\\" or type contains \\\"express\\\"\\r\\n| project 
id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-17] Remote Access (Bastion, Front Door, ExpressRoute, WAF, VPN Gateways)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where Location <> \\\"\\\"\\r\\n| where ResultType == 0\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n\",\"size\":2,\"title\":\"[AC-17] Remote Access -- Sign-Ins by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":12,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\",\"heatmapMax\":100},\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC17Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Wireless Access (AC-18)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#wireless-access)\\r\\n\\r\\n\\ta. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and\\r\\n\\tb. Authorize each type of wireless access to the system prior to allowing such connections.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Endpoint Manager overview](https://docs.microsoft.com/mem/endpoint-manager-overview)
\\r\\n💡 [Network access control (NAC) integration with Intune](https://docs.microsoft.com/mem/intune/protect/network-access-control-integrate)
\\r\\n💡 [What are common ways to use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
\\r\\n💡 [Add and use Wi-Fi settings on your devices in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/wi-fi-settings-configure)
\\r\\n💡 [Add Wi-Fi settings for Windows 10 and newer devices in Intune](https://docs.microsoft.com/mem/intune/configuration/wi-fi-settings-windows)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-18](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-18)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"wire\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-18] Wireless Access -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC18Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-18\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control for Mobile Devices (AC-19)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#access-control-for-mobile-devices)\\r\\n\\r\\n\\ta. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and\\r\\n\\tb. Authorize the connection of mobile devices to organizational systems.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [App management capabilities by platform](https://docs.microsoft.com/mem/intune/apps/app-management#app-management-capabilities-by-platform)
\\r\\n💡 [Microsoft Intune protected apps](https://docs.microsoft.com/mem/intune/apps/apps-supported-intune-apps)
\\r\\n💡 [Network access control (NAC) integration with Intune](https://docs.microsoft.com/mem/intune/protect/network-access-control-integrate)
\\r\\n💡 [What are common ways to use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
\\r\\n💡 [How to create and assign app protection policies](https://docs.microsoft.com/mem/intune/apps/app-protection-policies)
\\r\\n💡 [Android app protection policy settings in Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/app-protection-policy-settings-android)
\\r\\n💡 [iOS app protection policy settings](https://docs.microsoft.com/mem/intune/apps/app-protection-policy-settings-ios)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center: Devices](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-19](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-19)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\\r\\n| extend OperatingSystem = tostring(DeviceDetail.operatingSystem)\\r\\n| extend Browser = tostring(DeviceDetail.browser)\\r\\n| where OperatingSystem contains \\\"Android\\\" or OperatingSystem contains \\\"iOS\\\"\\r\\n| summarize count() by OperatingSystem, Browser, AppDisplayName\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-19] Access Control for Mobile Devices -- Monitor Mobile Device Access\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperatingSystem\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Command and Control\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC19Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-19\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Use of External Information Systems (AC-20)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#use-of-external-information-systems)\\r\\n\\r\\n\\ta. 
[Selection (one or more): Establish [Assignment: organization-defined terms and conditions]; Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:\\r\\n\\t\\t1. Access the system from external systems; and\\r\\n\\t\\t2. Process, store, or transmit organization-controlled information using external systems; or\\r\\n\\tb. Prohibit the use of [Assignment: organizationally-defined types of external systems].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Conditional Access: Block access by location](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-location)
\\r\\n💡 [Microsoft Entra ID Conditional Access documentation](https://docs.microsoft.com/azure/active-directory/conditional-access/)
\\r\\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n💡 [Microsoft Defender for Cloud Apps overview](https://docs.microsoft.com/defender-cloud-apps/what-is-defender-for-cloud-apps)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AC-20](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AC-20)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct 
ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink\\r\\n | where RecommendationName contains \\\"external\\\" or RecommendationName contains \\\"private\\\" or RecommendationName contains \\\"internet\\\" or RecommendationName contains \\\"public\\\" or RecommendationName contains \\\"firewall\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-20] Use of External Information Systems -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"DisableRemovableDriveScanning\\\" or RuleSetting contains \\\"NoDriveTypeAutoRun\\\" or RuleSetting contains \\\"EnableInstallerDetection\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"DisableRemovableDriveScanning\\\" or RuleSetting contains \\\"NoDriveTypeAutoRun\\\" or RuleSetting contains \\\"EnableInstallerDetection\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"DisableRemovableDriveScanning\\\" or RuleSetting contains \\\"NoDriveTypeAutoRun\\\" or RuleSetting contains \\\"EnableInstallerDetection\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, 
PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AC-20(2)] Portable Storage Devices -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAC20Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AC-20\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isACVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit & Accountability](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=AU)\\r\\n---\\r\\nAudit & Accountability involves 
the evaluation of configurable security and logging options to help identify gaps in security policies and mechanisms. \"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Events [AU-2]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-2\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Content of Audit Records [AU-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Response to Audit Processing Failures [AU-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-5\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Review, Analysis, & Reporting [AU-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-6\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Reduction & Report Generation [AU-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-7\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"08e0e1cd-ecba-4272-845b-5222e3663f99\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-2\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"88dfbbbd-0e93-49b0-a137-3fb16359c32c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"db4691d5-4576-401b-9ca8-69652d4a654c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"5ae1d8fa-8261-4f63-a365-5905d355cdad\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-6\",\"resultValType\":\"static\",\"r
esultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e98e5e7a-0206-449e-8370-f3acaa083b09\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Time Stamps [AU-8]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-8\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Protection of Audit Information [AU-9]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-9\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Record Retention [AU-11]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-11\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Audit Generation [AU-12]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AU-12\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"eff2d5b1-f90d-4651-bb10-d1a7c297a305\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU8Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-8\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"77d29821-4e6d-4b82-8603-c0a88687a78a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU9Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-9\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"cf4f3461-2ff3-4613-9625-6cd9fcaea68d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU11Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-11\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"cfd61ba8-00ad-4d6c-b6cc-20bfb32a4ed1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAU12Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AU-12\",\"resultValType\":\"static\"
,\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit Events (AU-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#audit-events)\\r\\n\\r\\n\\ta. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging];\\r\\n\\tb. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;\\r\\n\\tc. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];\\r\\n\\td. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and\\r\\n\\te. Review and update the event types selected for logging [Assignment: organization-defined frequency].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n🔷 [SecurityEvent](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n🔷 [CommonSecurityLog](https://docs.microsoft.com/azure/azure-monitor/reference/tables/CommonSecurityLog) ✳️ [Syslog/CEF Connector](https://docs.microsoft.com/azure/sentinel/connect-log-forwarder?tabs=rsyslog)
\\r\\n🔷 [AWSCloudTrail](https://docs.microsoft.com/azure/azure-monitor/reference/tables/AWSCloudTrail) ✳️ [AWS CloudTrail](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure Activity Log](https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log)
\\r\\n💡 [Connect data from Microsoft 365 Defender to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n🔀 [Microsoft 365 Defender: Audit](https://security.microsoft.com/auditlogsearch?viewid=Test%20Tab)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-2](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-2] Audit Events (Azure Activity)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"la
titude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-2] Audit Events (Office Activity)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"oper
ator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-2] Audit Events (Security Events)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-2] Audit Events (Linux/Unix)\",\"noDataMessage\":\"An 
Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AWSCloudTrail\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-2] Audit Events (AWS CloudTrail)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMet
rics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAU2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Content of Audit Records (AU-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#content-of-audit-records)\\r\\n\\r\\n\\tEnsure that audit records contain information that establishes the following:\\r\\n\\ta. What type of event occurred;\\r\\n\\tb. When the event occurred;\\r\\n\\tc. Where the event occurred;\\r\\n\\td. Source of the event;\\r\\n\\te. Outcome of the event; and\\r\\n\\tf. Identity of any individuals, subjects, or objects/entities associated with the event.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Audit logs in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs)
\\r\\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Usage\\r\\n| summarize count() by DataType\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-3] Content of Audit Records -- Log Entries by Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Backlog\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"
query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAU3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Response to Audit Processing Failures (AU-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#response-to-audit-processing-failures)\\r\\n\\r\\n\\ta. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and\\r\\n\\tb. Take the following additional actions: [Assignment: organization-defined additional actions].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Heartbeat](https://docs.microsoft.com/azure/azure-monitor/reference/tables/heartbeat) 🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Monitor the health of your data connectors with this Microsoft Sentinel workbook](https://docs.microsoft.com/azure/sentinel/monitor-data-connector-health)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastLogTime = union withsource = _TableName *\\r\\n| summarize LastLog_Time = arg_max(TimeGenerated, *) by _TableName;\\r\\nunion withsource = _TableName *\\r\\n| summarize last_log = datetime_diff(\\\"second\\\",now(), max(TimeGenerated)) by _TableName\\r\\n| where last_log > 0\\r\\n| join kind=inner (LastLogTime) on _TableName\\r\\n| project DataTable = _TableName, ['Last Log Received'] = last_log, LastLog_Time\\r\\n| where DataTable !contains \\\"SRCH\\\"\\r\\n| order by ['Last Log Received'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-5] Response to Audit Processing Failures -- Monitor/Alert on DataTable Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataTable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Last Log Received\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":0}}},{\"columnMatch\":\"MaturityLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Event Logging (EL0)\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Basic Event Logging (EL1)\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Intermediate Event Logging (EL2)\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Advanced Event Logging\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Ellipsis\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Last Record Received\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\"}}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_Last Log Received_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_Last Log Received_1\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastHeartbeatTime = Heartbeat\\r\\n| summarize LastHeartbeat_Time = arg_max(TimeGenerated, *) by ResourceId;\\r\\nHeartbeat\\r\\n| summarize LastHeartbeat = 
datetime_diff(\\\"second\\\",now(), max(TimeGenerated)) by ResourceId\\r\\n| where ResourceId <> \\\"\\\"\\r\\n| where ResourceId <> \\\"None\\\"\\r\\n| join kind=inner (LastHeartbeatTime) on ResourceId\\r\\n| project ResourceId, LastHeartbeat, LastHeartbeat_Time\\r\\n| sort by LastHeartbeat desc\\r\\n| limit 250\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-5] Response to Audit Processing Failures -- Monitor/Alert on Heartbeat Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LastHeartbeat\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":0}}},{\"columnMatch\":\"Computer\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OSType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Windows\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Linux\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"mac\",\"representation\":\"magenta\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Category\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresh
oldsGrid\":[{\"operator\":\"Default\",\"representation\":\"trenddown\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAU5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit Review, Analysis, and Reporting (AU-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#audit-review-analysis-and-reporting)\\r\\n\\r\\n\\ta. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity;\\r\\n\\tb. Report findings to [Assignment: organization-defined personnel or roles]; and\\r\\n\\tc. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\\r\\n💡 [Use Azure Monitor workbooks to visualize and monitor your data](https://docs.microsoft.com/azure/sentinel/monitor-your-data)
\\r\\n💡 [Create new workbook](https://docs.microsoft.com/azure/sentinel/monitor-your-data#create-new-workbook)
\\r\\n💡 [Microsoft Sentinel data connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)
\\r\\n💡 [Turn auditing on or off](https://docs.microsoft.com/microsoft-365/compliance/turn-audit-log-search-on-or-off?#turn-on-audit-log-search)
\\r\\n💡 [Security & Compliance Center](https://docs.microsoft.com/office365/servicedescriptions/office-365-platform-service-description/office-365-securitycompliance-center)
\\r\\n💡 [Audited activities](https://docs.microsoft.com/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?#audited-activities)
\\r\\n💡 [Use audit logs to track and monitor events in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/monitor-audit-logs)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft 365 Compliance Manager](https://compliance.microsoft.com/homepage)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"AU.6.\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-6] Audit Review, Analysis, & Reporting -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAU6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit Reduction and Report Generation (AU-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#audit-reduction-and-report-generation)\\r\\n\\r\\n\\tProvide and implement an audit record reduction and report generation capability that:\\r\\n\\ta. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and\\r\\n\\tb. 
Does not alter the original content or time ordering of audit records.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\\r\\n💡 [Audit logs in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs)
\\r\\n💡 [Azure security logging and auditing](https://docs.microsoft.com/azure/security/fundamentals/log-audit)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-7] Audit Reduction and Report Generation -- Microsoft Sentinel: Security Incidents\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"nam
e\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAU7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Time Stamps (AU-8)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#time-stamps)\\r\\n\\r\\n\\ta. Use internal system clocks to generate time stamps for audit records; and\\r\\n\\tb. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Time sync for Windows VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/windows/time-sync)
\\r\\n💡 [Windows Time service tools and settings](https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings)
\\r\\n💡 [How to configure an authoritative time server in Windows Server](https://docs.microsoft.com/troubleshoot/windows-server/identity/configure-authoritative-time-server)
\\r\\n💡 [Time sync for Linux VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/linux/time-sync)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-8](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-8)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"NTP\\\" or Description contains \\\"clock\\\" or Description contains \\\"time\\\" or Description contains \\\"sync\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"NTP\\\" or Description contains \\\"clock\\\" or Description contains \\\"time\\\" or Description contains \\\"sync\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"NTP\\\" or Description contains \\\"clock\\\" or Description contains \\\"time\\\" or Description contains \\\"sync\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-8] Time Stamps -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAU8Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protection of Audit Information 
(AU-9)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#protection-of-audit-information)\\r\\n\\r\\n\\ta. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and\\r\\n\\tb. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) 🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Audit logging overview](https://docs.microsoft.com/compliance/assurance/assurance-audit-logging)
\\r\\n💡 [Audit logs for Azure Attestation](https://docs.microsoft.com/azure/attestation/audit-logs)
\\r\\n💡 [Permissions in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/roles)
\\r\\n💡 [Set up Microsoft Sentinel customer-managed key](https://docs.microsoft.com/azure/sentinel/customer-managed-keys)
\\r\\n💡 [Search the audit log in the compliance center](https://docs.microsoft.com/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔀 [Microsoft 365 Compliance Manager: Audit](https://compliance.microsoft.com/auditlogsearch?viewid=Test%20Tab)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-9](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-9)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Roles = IdentityInfo\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName=AccountUPN\\r\\n| where AssignedRoles contains \\\"Reader\\\" or AssignedRoles contains \\\"Admin\\\" or AssignedRoles contains \\\"Contributor\\\" or AssignedRoles contains \\\"Owner\\\" or AssignedRoles contains \\\"Security\\\" \\r\\n| project UserPrincipalName, AssignedRoles=strcat(AssignedRoles);\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (Roles) on UserPrincipalName\\r\\n| project UserPrincipalName, UserProfile, AssignedRoles, UserId\\r\\n| sort by UserPrincipalName asc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-9] Protection of Audit Information -- Users with Access to Audit Information\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"LastSignIn\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"},\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"SignInsBeforeInactive\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description 
contains \\\"audit\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-9] Protection of Audit Information -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where OperationNameValue contains \\\"insights\\\" or OperationNameValue contains \\\"cluster\\\" or OperationNameValue contains \\\"storage\\\"\\r\\n| where OperationName contains \\\"Delete\\\" or OperationName contains \\\"Remove\\\"\\r\\n| summarize count() by OperationName, Caller\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-9] Protection of Audit Information -- Monitor Delete Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Caller\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Last Record Received\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\"}}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAU9Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit Record Retention 
(AU-11)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#audit-record-retention)\\r\\n\\r\\nRetain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Change Data Retention Period](https://docs.microsoft.com/azure/azure-monitor/logs/manage-cost-storage#change-the-data-retention-period)
\\r\\n💡 [Move Your Microsoft Sentinel Logs to Long-Term Storage with Ease](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/move-your-microsoft-sentinel-logs-to-long-term-storage-with-ease/ba-p/1407153)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n🔀 [Azure Data Explorer](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Kusto%2Fclusters)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-11](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-11)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces' \\r\\n| extend state = trim(' ', tostring(properties.provisioningState))\\r\\n\\t\\t,sku = trim(' ', tostring(properties.sku.name))\\r\\n ,skuUpdate = trim(' ', tostring(properties.sku.lastSkuUpdate))\\r\\n\\t\\t,retentionDays = trim(' ', tostring(properties.retentionInDays))\\r\\n\\t\\t,dailyquotaGB = trim(' ', tostring(properties.workspaceCapping.dailyQuotaGb))\\r\\n| extend dailyquotaGB = iif(dailyquotaGB !=-1.0, dailyquotaGB,\\\"Not set\\\")\\r\\n| extend skuUpdate = iif(strlen(skuUpdate) > 0, skuUpdate,\\\"Unknown\\\")\\r\\n| extend sentinel = iif(toint(retentionDays) < 90,\\\"If you have Sentinel, you can change your retention to 90days (free)?\\\",\\\"\\\")\\r\\n| project LogAnalyticsWorkspace=id, ['Resource Group']=resourceGroup, \\t\\r\\nLogRetention_Days=retentionDays\\r\\n\",\"size\":2,\"showAnalytics\":true,\"title\":\"[AU-11] Retains Audit Records -- Log Retention Settings\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogRetention_Days\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"is Empty\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"363\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"364\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Data Retention(days)\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orangeBlue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_LogRetention_Days_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_LogRetention_Days_2\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"type\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAU11Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-11\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Audit Generation (AU-12)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#audit-record-retention)\\r\\n\\r\\n\\ta. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];\\r\\n\\tb. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and\\r\\n\\tc. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Connect Microsoft Entra ID data to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)
\\r\\n💡 [Use Azure Monitor workbooks to visualize and monitor your data](https://docs.microsoft.com/azure/sentinel/monitor-your-data)
\\r\\n💡 [Create new workbook](https://docs.microsoft.com/azure/sentinel/monitor-your-data#create-new-workbook)
\\r\\n💡 [Microsoft Sentinel data connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)
\\r\\n💡 [Turn auditing on or off](https://docs.microsoft.com/microsoft-365/compliance/turn-audit-log-search-on-or-off?#turn-on-audit-log-search)
\\r\\n💡 [Security & Compliance Center](https://docs.microsoft.com/office365/servicedescriptions/office-365-platform-service-description/office-365-securitycompliance-center)
\\r\\n💡 [Audited activities](https://docs.microsoft.com/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?#audited-activities)
\\r\\n💡 [Use audit logs to track and monitor events in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/monitor-audit-logs)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft 365 Compliance Manager](https://compliance.microsoft.com/homepage)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[AU-12](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=AU-12)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"AU.12\\\" and complianceControlId !contains \\\"*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[AU-12] Audit Generation -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAU12Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AU-12\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isAUVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Audit & Accountability Family - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Assessment & Authorization](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=CA)\\r\\n---\\r\\nSecurity Assessment includes periodic evaluation of security controls for effectiveness.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security 
Assessments [CA-2]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CA-2\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Interconnections [CA-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CA-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Continuous Monitoring [CA-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CA-7\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCA2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CA-2\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"cb0f25c4-5ae6-42c2-9977-c4f30293e804\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCA3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CA-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"51fa60cc-b672-48a5-9eb3-af9c5d0a8446\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCA7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValTyp
e\":\"static\",\"rightVal\":\"CA-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e74e5218-b420-40cd-adf5-bac6df74b383\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Assessments (CA-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#security-assessments)\\r\\n\\r\\n\\ta. Select the appropriate assessor or assessment team for the type of assessment to be conducted;\\r\\n\\tb. Develop a control assessment plan that describes the scope of the assessment including:\\r\\n\\t\\t1. Controls and control enhancements under assessment;\\r\\n\\t\\t2. Assessment procedures to be used to determine control effectiveness; and\\r\\n\\t\\t3. Assessment environment, assessment team, and assessment roles and responsibilities;\\r\\n\\tc. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;\\r\\n\\td. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;\\r\\n\\te. Produce a control assessment report that document the results of the assessment; and\\r\\n\\tf. 
Provide the results of the control assessment to [Assignment: organization-defined individuals or roles].\\t\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecureScores](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securescores) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Secure Score in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/defender-for-cloud/secure-score-security-controls)
\\r\\n💡 [Microsoft Secure Score](https://docs.microsoft.com/microsoft-365/security/defender/microsoft-secure-score?)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft 365 Defender: Secure Scores](https://security.microsoft.com/securescore)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CA-2](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CA-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecureScores\\r\\n| where MaxScore>0\\r\\n| extend subscriptionScore = CurrentScore/MaxScore \\r\\n| extend subScoreXsubWeight = subscriptionScore*Weight \\r\\n| extend Day = startofday(TimeGenerated) \\r\\n| summarize upperValue = sum(subScoreXsubWeight), underValue = sum(todouble(Weight)) by Day\\r\\n| extend OverallScore = 100*((upperValue)/(underValue))\\r\\n| project OverallScore, Day\",\"size\":0,\"aggregation\":5,\"showAnnotations\":true,\"title\":\"[CA-2] Security Assessments -- Secure Score Over Time\",\"noDataMessage\":\"No data available. Check your continuous export configuration for the selected workspaces.\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"timeBrushExportOnlyWhenBrushed\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"ControlId\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"WeightedAvgPerControl\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"overallScore\",\"label\":\"Overall 
Score\",\"color\":\"lightBlue\"}],\"ySettings\":{\"min\":0,\"max\":100}}},\"customWidth\":\"50\",\"showPin\":true,\"name\":\"ScoreOvertime\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCA2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CA-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System Interconnections (CA-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#security-assessments)\\r\\n\\r\\n\\ta. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]];\\r\\n\\tb. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and\\r\\n\\tc. 
Review and update the agreements [Assignment: organization-defined frequency].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) ✳️ [Network Watcher](https://azure.microsoft.com/services/network-watcher/) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) ✳️ [ExpressRoute]( https://azure.microsoft.com/services/expressroute/) ✳️ [Traffic Manager]( https://azure.microsoft.com/services/traffic-manager/) ✳️ [VPN Gateway]( https://azure.microsoft.com/services/vpn-gateway/) \\r\\n\\r\\n### Implementation\\r\\n💡 [Quickstart: Create a virtual network using the Azure portal](https://docs.microsoft.com/azure/virtual-network/quick-create-portal)
\\r\\n💡 [Create, change, or delete a network security group](https://docs.microsoft.com/azure/virtual-network/manage-network-security-group)
\\r\\n💡 [Quickstart: Diagnose a virtual machine network traffic filter problem using the Azure portal](https://docs.microsoft.com/azure/network-watcher/diagnose-vm-network-traffic-filtering-problem)
\\r\\n💡 [Tutorial: Deploy and configure Azure Firewall and policy using the Azure portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal-policy)
\\r\\n💡 [Quickstart: Create and modify an ExpressRoute circuit](https://docs.microsoft.com/azure/expressroute/expressroute-howto-circuit-portal-resource-manager)
\\r\\n💡 [Quickstart: Create a Traffic Manager profile using the Azure portal](https://docs.microsoft.com/azure/traffic-manager/quickstart-create-traffic-manager-profile)
\\r\\n💡 [Tutorial: Create and manage a VPN gateway using Azure portal](https://docs.microsoft.com/azure/vpn-gateway/tutorial-create-gateway-portal)
\\r\\n💡 [Find your Microsoft Sentinel data connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Network](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔀 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n🔀 [Network Watcher](https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview)
\\r\\n🔀 [Azure Firewall](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [ExpressRoute](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n🔀 [Traffic Manager](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/TrafficManagers)
\\r\\n🔀 [VPN Gateway](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CA-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CA-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"Microsoft.Network\\\" \\r\\n| summarize count() by type\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CA-3] System Interconnections -- Control/Montitor System Interconnections via Network Controls\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCA3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CA-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Continuous Monitoring (CA-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#continuous-monitoring)\\r\\n\\r\\n\\tDevelop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:\\r\\n\\ta. 
Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];\\r\\n\\tb. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;\\r\\n\\tc. Ongoing control assessments in accordance with the continuous monitoring strategy;\\r\\n\\td. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;\\r\\n\\te. Correlation and analysis of information generated by control assessments and monitoring;\\r\\n\\tf. Response actions to address results of the analysis of control assessment and monitoring information; and\\r\\n\\tg. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n💡 [Add the Microsoft Defender for Cloud: NIST SP 800-53 R4 Assessment to Your Dashboard](https://docs.microsoft.com/azure/security-center/update-regulatory-compliance-packages#add-a-regulatory-standard-to-your-dashboard)
\\r\\n💡 [Automatically create incidents from Microsoft security alerts](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CA-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CA-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | 
extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n| join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName\\r\\n | extend ComplianceDomain=iff(controlId contains \\\"AC.\\\", \\\"Access Control\\\", iff(controlId contains \\\"AT.\\\", \\\"Security Awareness & Training\\\", iff(controlId contains \\\"AU.\\\", \\\"Audit & Accountability\\\", iff(controlId contains \\\"CA.\\\", \\\"Security Assessment\\\", iff(controlId contains \\\"CM.\\\", \\\"Configuration Management\\\", iff(controlId contains \\\"CP.\\\", \\\"Contingency Planning\\\", iff(controlId contains \\\"IA.\\\", \\\"Identification & Authentication\\\", 
iff(controlId contains \\\"IR.\\\", \\\"Incident Response\\\", iff(controlId contains \\\"MA.\\\", \\\"System Maintenance\\\", iff(controlId contains \\\"MP.\\\", \\\"Media Protection\\\", iff(controlId contains \\\"PE.\\\", \\\"Physical Protection\\\", iff(controlId contains \\\"PL.\\\", \\\"Security Planning\\\", iff(controlId contains \\\"PS.\\\", \\\"Personnel Security\\\",iff(controlId contains \\\"RA.\\\", \\\"Risk Assessment\\\",iff(controlId contains \\\"SA.\\\", \\\"System & Services Acquisition\\\",iff(controlId contains \\\"SC.\\\", \\\"System & Communications Protection\\\",iff(controlId contains \\\"SI.\\\", \\\"System & Information Integrity\\\",\\\"Other\\\"))))))))))))))))) \\r\\n | distinct RecommendationName, ComplianceDomain, tostring(RecommendationLink), tostring(state), tostring(complianceState)\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\" or complianceState == \\\"Failed\\\"), Passed = countif(state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\" or complianceState == \\\"Passed\\\" or complianceState == \\\"Failed\\\") by ComplianceDomain\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | project ControlFamily=ComplianceDomain, Total, PassedControls, Passed, Failed\\r\\n | sort by Total, Passed desc\\r\\n \",\"size\":0,\"showAnalytics\":true,\"title\":\"[CA-7] Continuous Monitoring -- Monitor/Alert on Compliance Posture Deviations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Remediate >>\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SecurityProducts = datatable(ProviderName: string, Product: string, Capability: string, Portal: string) [\\r\\n \\\"ASI Scheduled Alerts\\\", \\\"Microsoft Sentinel\\\",\\\"Security Information Event Management (SIEM)\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"MCAS\\\", \\\"Microsoft Cloud App Security\\\",\\\"Cloud Application Security Broker (CASB)\\\",\\\"https://portal.cloudappsecurity.com/\\\",\\r\\n \\\"MDATP\\\", \\\"Microsoft Defender for Endpoint\\\", \\\"Endpoint Detection & Response (EDR)\\\",\\\"https://security.microsoft.com/homepage\\\",\\r\\n \\\"Azure Security Center\\\", \\\"Microsoft Defender for Cloud\\\", 
\\\"Cloud Workload Protection Platform (CWPP)\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"Detection-WarmPathV2\\\", \\\"Microsoft Defender for Cloud\\\", \\\"Cloud Workload Protection Platform (CWPP)\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"MicrosoftThreatProtection\\\", \\\"Microsoft 365 Defender\\\", \\\"Extensible Detection & Response (XDR)\\\",\\\"https://security.microsoft.com/homepage\\\",\\r\\n \\\"IPC\\\", \\\"Azure Active Directory Identity Protection\\\", \\\"Identity & Access Management (IAM)\\\",\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/Overview\\\",\\r\\n \\\"Detection-Fusion\\\", \\\"Machine Learning Fusion Alert\\\", \\\"Machine Learning (ML)\\\",\\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"Sentinel Fusion\\\", \\\"Machine Learning Fusion Alert\\\", \\\"Machine Learning (ML)\\\",\\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"Azure Advanced Threat Protection\\\", \\\"Microsoft Defender for Identity\\\", \\\"Identity Protection (IP)\\\",\\\"https://security.microsoft.com/settings/identities\\\",\\r\\n \\\"Threat Intelligence Alerts\\\", \\\"Threat Intelligence\\\", \\\"Threat Intelligence (TI)\\\",\\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"IoTSecurity\\\", \\\"Azure Defender for IoT\\\", \\\"Industrial IoT Platform\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started\\\",\\r\\n \\\"MSTIC\\\", \\\"Microsoft Intelligent Security Graph\\\", \\\"Threat Intelligence 
(TI)\\\",\\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"AntimalwarePublisher\\\", \\\"Microsoft Anti-Malware\\\", \\\"Anti-Virus (AV)\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\", \\r\\n \\\"OATP\\\", \\\"Microsoft Defender for Office 365\\\", \\\"Email Defense\\\",\\\"https://security.microsoft.com/homepage\\\",\\r\\n \\\"AdaptiveNetworkHardenings\\\", \\\"ASC Adaptive Network Hardening\\\", \\\"Network Detection & Response (NDR)\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"StorageThreatDetection\\\", \\\"Azure Defender for Storage\\\", \\\"Storage Protection\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"CloudNetworkSecurity\\\", \\\"Azure Network Security\\\",\\\"Network Detection & Response (NDR)\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview\\\",\\r\\n \\\"SQLThreatDetection\\\", \\\"Azure Defender for SQL\\\", \\\"Database Protection\\\",\\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\"\\r\\n];\\r\\nSecurityAlert\\r\\n| join kind=inner SecurityProducts on ProviderName\\r\\n| summarize count() by Product, Capability, Portal\\r\\n| project Product, Capability, AlertsCount=count_, Portal\\r\\n| sort by AlertsCount desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CA-7] Continuous Monitoring -- Monitor/Respond to Security Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Product\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Capability\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertsCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Product >>\"}}],\"filter\":true}},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCA7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CA-7\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isCAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Security Assessment Family \"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Configuration Management](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=CM)\\r\\n---\\r\\nConfiguration Management establishes security baselines and measures deviations provides the basis for tracking the security posture of cloud assets.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Baseline Configuration [CM-2]\\\\\\\", 
\\\\\\\"tab\\\\\\\": \\\\\\\"CM-2\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Configuration Change Control [CM-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Impact Analysis [CM-4]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-4\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Restrictions for Change [CM-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-5\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Configuration Settings [CM-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-6\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-2\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"17f70fb6-9010-4611-99de-6fabfe7deae9\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\
"id\":\"80c1b0ff-8d50-4d7d-9e54-5cb94c15de2a\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM4Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-4\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a4724d6f-19cc-453d-abb7-0a4bd343a7c6\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d92ec5cb-6cbd-4ebe-81bd-904a5313e8c4\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-6\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"670fad9b-f6d5-465a-9657-13727bc0546f\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Least Functionality [CM-7]\\\\\\\", \\\\\\\"tab\\\\\\\": 
\\\\\\\"CM-7\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"System Component Inventory [CM-8]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-8\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Configuration Management Plan [CM-9]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-9\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Software Usage Restrictions [CM-10]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-10\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"User-Installed Software [CM-11]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CM-11\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"0688d498-3f43-4241-a716-cdd97aeabbce\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM8Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-8\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e
7787bd2-dcb2-47c0-9e5e-7ca07f0afe89\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM9Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-9\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4215e9b3-cd53-4747-9343-37a8e2a60eab\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM10Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-10\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9bde1721-44b5-4aa1-97a8-b67de2e91fcb\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCM11Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CM-11\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"017bd293-9d8d-4c27-85cd-0f3c0451a3d2\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy - 
Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Baseline Configuration (CM-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#baseline-configuration)\\r\\n\\r\\n\\ta. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and\\r\\n\\tb. Review and update the baseline configuration of the system:\\r\\n\\t\\t1. [Assignment: organization-defined frequency];\\r\\n\\t\\t2. When required due to [Assignment: organization-defined circumstances]; and\\r\\n\\t\\t3. When system components are installed or upgraded.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure security baseline for Azure Cloud Services](https://docs.microsoft.com/security/benchmark/azure/baselines/cloud-services-security-baseline)
\\r\\n💡 [Manage security baseline profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/security-baselines-configure)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-2](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-2] Baseline Configuration -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Configuration Change Control (CM-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#baseline-configuration)\\r\\n\\r\\n\\ta. Determine and document the types of changes to the system that are configuration-controlled;\\r\\n\\tb. 
Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;\\r\\n\\tc. Document configuration change decisions associated with the system;\\r\\n\\td. Implement approved configuration-controlled changes to the system;\\r\\n\\te. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];\\r\\n\\tf. Monitor and review activities associated with configuration-controlled changes to the system; and\\r\\n\\tg. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [ConfigurationChange](https://docs.microsoft.com/azure/azure-monitor/reference/tables/configurationchange) ✳️ [Virtual Machines]( https://azure.microsoft.com/services/virtual-machines/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Enable Change Tracking and Inventory from Azure portal](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-portal)
\\r\\n💡 [Change Tracking and Inventory overview](https://docs.microsoft.com/azure/automation/change-tracking/overview)
\\r\\n💡 [File integrity monitoring in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/defender-for-cloud/file-integrity-monitoring-overview)
\\r\\n💡 [Get resource changes](https://docs.microsoft.com/azure/governance/resource-graph/how-to/get-resource-changes)
\\r\\n💡 [Enable Change Tracking and Inventory from an Automation account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)
\\r\\n💡 [Get resource changes](https://docs.microsoft.com/azure/governance/resource-graph/how-to/get-resource-changes)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ConfigurationChange \\r\\n| project _ResourceId, ConfigChangeType, ChangeCategory, RegistryKey, ValueName, ValueData, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250 \",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-3] Configuration Change Control -- Enable/Monitor Asset Configuration Changes\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConfigChangeType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Files\",\"representation\":\"Folder\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ChangeCategory\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Added\",\"representation\":\"Add\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Removed\",\"representation\":\"FilterRemove\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Modified\",\"representation\":\"Wrench\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsG
rid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Impact Analysis (CM-4)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#security-impact-analysis)\\r\\n\\r\\nAnalyze changes to the system to determine potential 
security and privacy impacts prior to change implementation.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n💡 [Microsoft Sentinel: Training Lab Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/learning-with-the-microsoft-sentinel-training-lab/ba-p/2953403)
\\r\\n💡 [The simulated enterprise base configuration](https://docs.microsoft.com/microsoft-365/enterprise/simulated-ent-base-configuration-microsoft-365-enterprise)
\\r\\n💡 [Azure DevTest Labs](https://azure.microsoft.com/services/devtest-lab/)
\\r\\n💡 [Microsoft 365 for enterprise Test Lab Guides](https://docs.microsoft.com/microsoft-365/enterprise/m365-enterprise-test-lab-guides)
\\r\\n💡 [What is Conditional Access report-only mode?](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-report-only)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-4](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-4)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationState == \\\"Unhealthy\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationSeverity\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-4] Security Impact Analysis -- Assess/Monitor Security Impacts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConfigChangeType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Files\",\"representation\":\"File\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Registry\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"
city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM4Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Restrictions for Change (CM-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#access-restrictions-for-change)\\r\\n\\r\\nDefine, document, approve, and enforce physical and logical access restrictions associated with changes to the system.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs?WT.mc_id=Portal-fx) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
\\r\\n💡 [What is Microsoft Entra ID Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Enable and request just-in-time access for Azure Managed Applications](https://docs.microsoft.com/azure/azure-resource-manager/managed-applications/request-just-in-time-access)
\\r\\n💡 [Office 365 Security & Compliance: Enable Auditing for Admins](https://docs.microsoft.com/microsoft-365/compliance/turn-audit-log-search-on-or-off)
\\r\\n💡 [Audited Activities](https://docs.microsoft.com/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance)
\\r\\n💡 [Use audit logs to track and monitor events in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/monitor-audit-logs)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Entra ID: Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n🔀 [Microsoft 365 Compliance: Audit](https://compliance.microsoft.com/auditlogsearch?viewid=Test%20Tab)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| extend PIM = strcat(\\\"https://ms.portal.azure.com/#blade/Microsoft_Azure_PIMCommon/MyAuditsMenuBlade/aadmigratedroles\\\")\\r\\n| distinct Identity, PIM, OperationName, AADOperationType, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-5] Access Restrictions for Change -- Restrict Changes with PIM\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Identity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PIM\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"PIM 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"MyAuditsMenuBlade\",\"extensionName\":\"Microsoft_Azure_PIMCommon\"}}},{\"columnMatch\":\"GrantedTo\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go To: AAD Profile >\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Configuration Settings (CM-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#configuration-settings)\\r\\n\\r\\n\\ta. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];\\r\\n\\tb. Implement the configuration settings;\\r\\n\\tc. 
Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and\\r\\n\\td. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Overview of the Azure Security Benchmark (v3)](https://docs.microsoft.com/security/benchmark/azure/overview)
\\r\\n💡 [What is Azure Policy?](https://docs.microsoft.com/azure/governance/policy/overview)
\\r\\n💡 [Use adaptive application controls to reduce your machines' attack surfaces](https://docs.microsoft.com/azure/defender-for-cloud/adaptive-application-controls)
\\r\\n💡 [Available security baselines](https://docs.microsoft.com/mem/intune/protect/security-baselines#available-security-baselines)
\\r\\n💡 [Use Windows 10 templates to configure group policy settings in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/administrative-templates-windows)
\\r\\n💡 [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-configure#create-the-profile)
\\r\\n💡 [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-grant)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Azure Policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Overview)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"CM.6\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-6] Configuration Settings -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Least Functionality (CM-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#least-functionality)\\r\\n\\r\\n\\ta. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and\\r\\n\\tb. 
Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Remote access to on-premises applications through Microsoft Entra ID Application Proxy](https://learn.microsoft.com/en-us/entra/identity/app-proxy/)
\\r\\n💡 [Conditional Access: Grant](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-grant)
\\r\\n💡 [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-configure#create-the-profile)
\\r\\n💡 [Use Windows 10 templates to configure group policy settings in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/administrative-templates-windows)
\\r\\n💡 [Analyze your on-premises group policy objects (GPO) using Group Policy analytics in Microsoft Endpoint Manager](https://docs.microsoft.com/mem/intune/configuration/group-policy-analytics)
\\r\\n💡 [What are managed identities for Azure resources?](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview)
\\r\\n💡 [Manage user-assigned managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Managed Identities](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.ManagedIdentity%2FuserAssignedIdentities)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"CM.7\\\" or RecommendationName contains \\\"port\\\" or RecommendationName contains \\\"protocol\\\" or RecommendationName contains \\\"functionality\\\" or RecommendationName contains \\\"least\\\" or RecommendationName contains \\\"restrict\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where 
complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n| parse RecommendationLink with * '#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *\\r\\n| distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, assessmentKey\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-7] Least Functionality -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System Component Inventory (CM-8)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#information-system-component-inventory)\\r\\n\\r\\n\\ta. Develop and document an inventory of system components that:\\r\\n\\t1. Accurately reflects the system;\\r\\n\\t2. Includes all components within the system;\\r\\n\\t3. Does not include duplicate accounting of components or components assigned to any other system;\\r\\n\\t4. Is at the level of granularity deemed necessary for tracking and reporting; and\\r\\n\\t5. 
Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability];\\r\\n\\tb. Review and update the system component inventory [Assignment: organization-defined frequency]\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Use asset inventory to manage your resources' security posture](https://docs.microsoft.com/azure/defender-for-cloud/asset-inventory)
\\r\\n💡 [Software inventory - threat and vulnerability management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-software-inventory)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Inventory](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/25)
\\r\\n🔀 [Microsoft 365 Defender: Software Inventory](https://security.microsoft.com/software-inventory/applications)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-8](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-8)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| project AssetID=id,AssetType=type, Azure_Inventory, M365_Inventory\\r\\n| sort by AssetID asc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-8] Information System Component Inventory -- Review Asset Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| summarize count() by type\\r\\n| sort by count_ 
desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-8] Information System Component Inventory -- Asset Count by Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM8Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Configuration Management Plan (CM-9)\\r\\n\\r\\n\\tDevelop, document, and implement a configuration management plan for the system that:\\r\\n\\ta. Addresses roles, responsibilities, and configuration management processes and procedures;\\r\\n\\tb. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;\\r\\n\\tc. Defines the configuration items for the system and places the configuration items under configuration management;\\r\\n\\td. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and\\r\\n\\te. 
Protects the configuration management plan from unauthorized disclosure and modification.\\r\\n\\r\\n### Implementation\\r\\n💡 [Enable Change Tracking and Inventory from Azure portal](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-portal)
\\r\\n💡 [Change Tracking and Inventory overview](https://docs.microsoft.com/azure/automation/change-tracking/overview)
\\r\\n💡 [File integrity monitoring in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/defender-for-cloud/file-integrity-monitoring-overview)
\\r\\n💡 [Get resource changes](https://docs.microsoft.com/azure/governance/resource-graph/how-to/get-resource-changes)
\\r\\n💡 [Enable Change Tracking and Inventory from an Automation account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)
\\r\\n💡 [Get resource changes](https://docs.microsoft.com/azure/governance/resource-graph/how-to/get-resource-changes)
\\r\\n\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Maintenance Configurations](https://ms.portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Maintenance%2FmaintenanceConfigurations)
\\r\\n🔀 [Automanage](https://ms.portal.azure.com/#blade/Microsoft_Azure_AutoManagedVirtualMachines/AutomanageMenuBlade/overview)
\\r\\n🔀 [Automation Accounts](https://ms.portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔀 [File Integrity Monitoring](https://ms.portal.azure.com/#blade/Microsoft_Azure_Security/FileIntegrityMonitoringWorkspaceSelectorBlade)
\\r\\n🔀 [Inventory](https://ms.portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/25)
\\r\\n\\r\\n### NIST SP 800-53 R5 Guidance\\r\\n[CM-9](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-9)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"[CM-9] Configuration Management Plan -- Develop Plan via Tooling\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"fec6091e-2608-497c-8f51-a0d8005bc542\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Maintenance Configurations\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Maintenance/maintenanceConfigurations\"}]}},{\"id\":\"c18c0336-095d-4a57-848f-b0f134c6c10a\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Automanage\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"AutomanageMenuBlade\",\"extensionName\":\"Microsoft_Azure_AutoManagedVirtualMachines\"}},{\"id\":\"4701a78b-5790-43a3-a971-68a539851fc5\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Automation Accounts\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Automation/AutomationAccounts\"}]}},{\"id\":\"0bf51734-cccc-4825-92d8-f17824344ab7\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"File Integrity Monitoring\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"FileIntegrityMonitoringWorkspaceSelectorBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}},{\"id\":\"a32b5156-4cec-481d-83b3-165ca9208301\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Inventory\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"name\":\"links - 1\"}]},\"customWidth\":\"50\",\"name\":\"Configuration 
Management\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM9Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Software Usage Restrictions (CM-10)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#software-usage-restrictions)\\r\\n\\r\\n\\ta. Use software and associated documentation in accordance with contract agreements and copyright laws;\\r\\n\\tb. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and\\r\\n\\tc. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Introduction to Microsoft Defender for servers](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-servers-introduction)
\\r\\n💡 [Use adaptive application controls to reduce your machines' attack surfaces](https://docs.microsoft.com/azure/defender-for-cloud/adaptive-application-controls)
\\r\\n💡 [Change Tracking and Inventory overview](https://docs.microsoft.com/azure/automation/change-tracking/overview)
\\r\\n💡 [Quickstart: Enable enhanced security features](https://docs.microsoft.com/azure/defender-for-cloud/enable-enhanced-security)
\\r\\n💡 [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/agents/log-analytics-agent)
\\r\\n💡 [Conditional Access: Grant](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-grant)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-10](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-10)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"CM.10\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-10] Software Usage Restrictions -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM10Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-10\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [User-Installed Software (CM-11)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#user-installed-software)\\r\\n\\r\\n\\ta. Establish [Assignment: organization-defined policies] governing the installation of software by users;\\r\\n\\tb. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and\\r\\n\\tc. 
Monitor policy compliance [Assignment: organization-defined frequency].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Introduction to Microsoft Defender for servers](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-servers-introduction)
\\r\\n💡 [Use adaptive application controls to reduce your machines' attack surfaces](https://docs.microsoft.com/azure/defender-for-cloud/adaptive-application-controls)
\\r\\n💡 [Change Tracking and Inventory overview](https://docs.microsoft.com/azure/automation/change-tracking/overview)
\\r\\n💡 [Quickstart: Enable enhanced security features](https://docs.microsoft.com/azure/defender-for-cloud/enable-enhanced-security)
\\r\\n💡 [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/agents/log-analytics-agent)
\\r\\n💡 [Conditional Access: Grant](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-grant)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CM-11](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CM-11)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"CM.11\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CM-11] User-Installed Software -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCM11Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CM-11\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isCMVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Configuration Management Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Contingency Planning](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=CP)\\r\\n---\\r\\nContingency Planning includes processes and procedures aligned to recovering from a disaster and ensuring business continuity.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": 
\\\\\\\"Alternate Storage Site [CP-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CP-6\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Alternate Processing Site [CP-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CP-7\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Information System Backup [CP-9]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CP-9\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"17f70fb6-9010-4611-99de-6fabfe7deae9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCP6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CP-6\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCP7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CP-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"3fa97282-c124-4358-a413-22ce34a2dea9\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCP9Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\
"contains\",\"rightValType\":\"static\",\"rightVal\":\"CP-9\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"0a4b7234-ef17-4440-b66f-3448734905bb\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Alternate Storage Site (CP-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#alternate-storage-site)\\r\\n\\r\\n\\ta. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and\\r\\n\\tb. Ensure that the alternate storage site provides controls equivalent to that of the primary site.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Storage Services](https://azure.microsoft.com/product-categories/storage/) ✳️ [Azure Databases](https://azure.microsoft.com/product-categories/databases/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Business continuity management in Azure](https://docs.microsoft.com/azure/availability-zones/business-continuity-management-program)
\\r\\n💡 [Azure Storage redundancy](https://docs.microsoft.com/azure/virtual-machines/availability#azure-storage-redundancy)
\\r\\n💡 [Resiliency in Azure](https://docs.microsoft.com/azure/availability-zones/overview)
\\r\\n💡 [Create VM restore points](https://docs.microsoft.com/azure/virtual-machines/virtual-machines-create-restore-points)
\\r\\n💡 [Create a storage account](https://docs.microsoft.com/azure/storage/common/storage-account-create?tabs=azure-portal)
\\r\\n💡 [Replicate data to Azure SQL Database using Data Export Service](https://docs.microsoft.com/power-platform/admin/replicate-data-microsoft-azure-sql-database)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Storage Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts)
\\r\\n🔀 [SQL databases](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Sql%2Fservers%2Fdatabases)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CP-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CP-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"CP.6.*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CP-6] Alternate Storage Site -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"restorepoint\\\" or type contains \\\"storage\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CP-6] Alternate Storage Site -- Storage & Restore Points\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCP6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Alternate Processing Site (CP-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#alternate-processing-site-1)\\r\\n\\r\\n\\ta. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;\\r\\n\\tb. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and\\r\\n\\tc. Provide controls at the alternate processing site that are equivalent to those at the primary site.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Availabilty Zones](https://azure.microsoft.com/global-infrastructure/availability-zones/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Resiliency in Azure](https://docs.microsoft.com/azure/availability-zones/overview)
\\r\\n💡 [Regions and availability zones](https://docs.microsoft.com/azure/availability-zones/az-overview)
\\r\\n💡 [Create a virtual machine in an availability zone using the Azure portal](https://docs.microsoft.com/azure/virtual-machines/windows/create-portal-availability-zone)
\\r\\n💡 [Quickstart: Create a virtual machine scale set in the Azure portal](https://docs.microsoft.com/azure/virtual-machine-scale-sets/quick-create-portal)
\\r\\n\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\\r\\n🔀 [Virtual Machine Scale Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CP-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CP-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"CP.7\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CP-7] Alternate Processing Site -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"scalesets\\\" or type contains \\\"availabilitysets\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CP-7] Alternate Processing Site -- Availability Sets & Scale Sets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCP7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Information System Backup (CP-9)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#information-system-backup)\\r\\n\\r\\n\\ta. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];\\r\\n\\tb. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];\\r\\n\\tc. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and\\r\\n\\td. Protect the confidentiality, integrity, and availability of backup information.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Backup](https://azure.microsoft.com/services/backup/)✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure Backup service documentation](https://docs.microsoft.com/azure/backup/)
\\r\\n💡 [Recovery Services vaults overview](https://docs.microsoft.com/azure/backup/backup-azure-recovery-services-vault-overview)
\\r\\n💡 [Azure Key Vault backup and restore](https://docs.microsoft.com/azure/key-vault/general/backup)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Backup Center](https://portal.azure.com/#blade/Microsoft_Azure_DataProtection/BackupCenterMenuBlade/overview)
\\r\\n🔀 [Recovery Services Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.RecoveryServices%2Fvaults)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[CP-9](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=CP-9)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"CP.9\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CP-9] Information System Backup -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"[CP-9(1)] Contingency Plan -- Test for Reliability/Integrity of Backups via Contingency Tooling\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"a32b5156-4cec-481d-83b3-165ca9208301\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Backup Center\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BackupCenterMenuBlade\",\"extensionName\":\"Microsoft_Azure_DataProtection\"}},{\"id\":\"900442ab-f711-4162-ab1a-309f39c1a64a\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Backup Vaults\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.DataProtection/BackupVaults\"}]}},{\"id\":\"7a6098fe-3036-4e9f-8586-4cb0e6b86090\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Backup 
Items\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems\"}]}},{\"id\":\"7702dcc5-bcac-4649-82bb-9b4ca295d965\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Recovery Services Vaults\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.RecoveryServices/vaults\"}]}},{\"id\":\"4c495517-17a6-4ffd-ab2c-354fa78ebe14\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Availability Sets\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"BrowseResource\",\"extensionName\":\"HubsExtension\",\"bladeParameters\":[{\"name\":\"resourceType\",\"source\":\"static\",\"value\":\"Microsoft.Compute/availabilitySets\"}]}},{\"id\":\"39914af1-c88c-4506-9cb8-3cee5811e964\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Inventory\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"name\":\"links - 1\"}]},\"customWidth\":\"50\",\"name\":\"Configuration Management\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"recover\\\" or type contains \\\"restore\\\" or type contains \\\"keyvault\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CP-9] Information System Backup -- Azure Backups & Key Vaults\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"recover\\\" or Description contains \\\"restore\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"recover\\\" or Description contains \\\"restore\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"recover\\\" or Description contains \\\"restore\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description !contains \\\"feedback\\\" and Description !contains \\\"fallback\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[CP-9] Information System Backup -- Configure Security 
Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCP9Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"CP-9\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isCPVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Contingency Planning Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Identification & Authentication](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=IA)\\r\\n---\\r\\nIdentification & Authentication Management is the process of managing user, system, asset identities and controlling access to authorized resources.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Organizational Users [IA-2]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA-2\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Identifier Management [IA-4]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA-4\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authenticator Management [IA-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA-5\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIA2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA-2\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"6f7f419d-796c-46f8-b74b-5b783f4a90ce\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIA4Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA-4\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c97a42bd-0a6b-47c6-8cad-65a6ab3e1fc7\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIA5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4c5d94f9-f3fc-4fac-adb5-adc0dcfd93c2\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ 
\\\\\\\"Control\\\\\\\": \\\\\\\"Authenticator Feedback [IA-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA-6\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Cryptographic Module Authentication [IA-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA-7\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Non-Organizational Users [IA-8]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IA-8\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIA6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA-6\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d9a45678-63e7-41e1-a843-0fef03138190\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIA7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ac00a653-fbbf-4e3a-8ef2-093b6ecc908e\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIA8Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\
":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IA-8\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c97b2bb1-a3e6-4de1-be11-1bfb9f3e6aa7\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Organizational Users (IA-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#identification-and-authentication-organizational-users)\\r\\n\\r\\nUniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n💡 [Building a Conditional Access policy](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policies)
\\r\\n💡 [How it works: Microsoft Entra ID Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
\\r\\n💡 [Plan an Microsoft Entra ID Multi-Factor Authentication deployment](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted)
\\r\\n💡 [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Entra ID: Users](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/MsGraphUsers)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IA-2](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IA-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserType, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| where UserType == \\\"Member\\\"\\r\\n| project UserPrincipalName, UserType, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-2] Identification and Authentication -- Organizational Users\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\"\\r\\n| where AnalyzeResult == 
\\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-2] Identification and Authentication -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 
'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"IA.2.*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == 
\\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-2] Identification and Authentication -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIA2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Identifier Management (IA-4)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#identifier-management)\\r\\n\\r\\n\\tManage system identifiers by:\\r\\n\\ta. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, service, or device identifier;\\r\\n\\tb. Selecting an identifier that identifies an individual, group, role, service, or device;\\r\\n\\tc. Assigning the identifier to the intended individual, group, role, service, or device; and\\r\\n\\td. Preventing reuse of identifiers for [Assignment: organization-defined time period].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Entra ID fundamentals documentation](https://docs.microsoft.com/azure/active-directory/fundamentals/)
\\r\\n💡 [Govern access for external users in Microsoft Entra ID entitlement management](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-external-users)
\\r\\n💡 [Use activity filters and create action policies with Microsoft Defender for Identity in Microsoft Defender for Cloud Apps](https://docs.microsoft.com/defender-for-identity/activities-filtering-mcas)
\\r\\n💡 [Security assessment: Dormant entities in sensitive groups](https://docs.microsoft.com/defender-for-identity/cas-isp-dormant-entities#how-do-i-use-this-security-assessment)
\\r\\n💡 [Create an access review of groups and applications in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/governance/create-access-review)
\\r\\n💡 [How to detect inactive user accounts](https://docs.microsoft.com/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts#how-to-detect-inactive-user-accounts)
\\r\\n💡 [How To: Manage inactive user accounts in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Entra ID: Identity Governance - Access Reviews](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/Controls)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IA-4](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IA-4)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"IA.4\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-4] Identifier Management -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"account\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"account\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"account\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / 
todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-4] Identifier Management -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIA4Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA-4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticator Management (IA-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#identifier-management)\\r\\n\\r\\n\\tManage system authenticators by:\\r\\n\\ta. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;\\r\\n\\tb. Establishing initial authenticator content for any authenticators issued by the organization;\\r\\n\\tc. Ensuring that authenticators have sufficient strength of mechanism for their intended use;\\r\\n\\td. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;\\r\\n\\te. Changing default authenticators prior to first use;\\r\\n\\tf. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;\\r\\n\\tg. Protecting authenticator content from unauthorized disclosure and modification;\\r\\n\\th. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and\\r\\n\\ti. 
Changing authenticators for group or role accounts when membership to those accounts changes.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Enforce on-premises Microsoft Entra ID Password Protection for Active Directory Domain Services\\r\\n](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad-on-premises)
\\r\\n💡 [Create a custom password policy](https://docs.microsoft.com/azure/active-directory-domain-services/password-policy#create-a-custom-password-policy)
\\r\\n💡 [Password policies and account restrictions in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy)
\\r\\n💡 [Global banned password list](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad#global-banned-password-list)
\\r\\n💡 [Custom banned password list](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad#custom-banned-password-list)
\\r\\n💡 [Device password requirements](https://docs.microsoft.com/mem/intune/user-help/password-does-not-meet-it-administrator-requirements)
\\r\\n💡 [Compliance policy settings](https://docs.microsoft.com/mem/intune/protect/device-compliance-get-started#compliance-policy-settings)
\\r\\n💡 [Integrate with Conditional Access](https://docs.microsoft.com/mem/intune/protect/device-compliance-get-started#integrate-with-conditional-access)
\\r\\n💡 [Access model overview](https://docs.microsoft.com/azure/key-vault/general/security-features#access-model-overview)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Entra ID: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Microsoft Entra ID: Password Protection](https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade)
\\r\\n🔀 [Microsoft Entra: Authenticator Management](https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/AdminAuthMethods)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IA-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IA-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"IA.5\\\" and complianceControlId !contains \\\"*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-5] Authenticator Management -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"password\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"password\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"password\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / 
todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-5] Authenticator Management -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"[IA-5] Authenticator Management -- Leverage Authenticator Tooling\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"a32b5156-4cec-481d-83b3-165ca9208301\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID: Password Protection (Banned 
Passwords)\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"PasswordProtectionBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}},{\"id\":\"27d9b4d1-fc6b-4813-b851-f8bd130d0be5\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID: Authenticator Management\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"AuthenticationMethodsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}},{\"id\":\"d1f6bb1b-7fa4-49cf-91cd-2f67465563aa\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Microsoft Entra ID: Conditional Access\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ConditionalAccessBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}}]},\"name\":\"links - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIA5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticator Feedback (IA-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#authenticator-feedback)\\r\\n\\r\\nObscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Password box](https://docs.microsoft.com/windows/apps/design/controls/password-box)
\\r\\n💡 [Policy CSP - CredentialsU](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialsui)
\\r\\n💡 [Manage security baseline profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/security-baselines-configure)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center: Security Baselines](https://endpoint.microsoft.com/#blade/Microsoft_Intune_Workflows/SecurityManagementMenu/securityBaselines)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IA-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IA-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"EnableSmartScreen\\\" or RuleSetting contains \\\"DisablePasswordReveal\\\" or RuleSetting contains \\\"DisableLockScreenAppNotifications\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"EnableSmartScreen\\\" or RuleSetting contains \\\"DisablePasswordReveal\\\" or RuleSetting contains \\\"DisableLockScreenAppNotifications\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"EnableSmartScreen\\\" or RuleSetting contains \\\"DisablePasswordReveal\\\" or RuleSetting contains \\\"DisableLockScreenAppNotifications\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-6] Authenticator Feedback -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides 
Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIA6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA-6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cryptographic Module 
Authentication (IA-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#cryptographic-module-authentication)\\r\\n\\r\\nImplement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Configure identification and authentication controls to meet FedRAMP High Impact level](https://docs.microsoft.com/azure/active-directory/standards/fedramp-identification-and-authentication-controls)
\\r\\n💡 [Configure Microsoft Entra ID to meet NIST authenticator assurance levels](https://docs.microsoft.com/azure/active-directory/standards/nist-overview)
\\r\\n💡 [Achieve NIST authenticator assurance level 2 with Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/standards/nist-authenticator-assurance-level-2)
\\r\\n💡 [TPM Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IA-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IA-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId\\r\\n| where RecommendationDisplayName contains \\\"TPM\\\"\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-7] Cryptographic Module Authentication -- Configure/Monitor Authentictor Assurance Levels\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIA7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA-7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Non-Organizational Users (IA-8)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#identification-and-authentication-non-organizational-users)\\r\\n\\r\\nUniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Quickstart: Add guest users to your directory in the Azure portal](https://docs.microsoft.com/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal)
\\r\\n💡 [Restrict guest access permissions in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/enterprise-users/users-restrict-guest-permissions)
\\r\\n💡 [Properties of an Microsoft Entra ID B2B collaboration user](https://docs.microsoft.com/azure/active-directory/external-identities/user-properties)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Entra ID: External Identities](https://portal.azure.com/#blade/Microsoft_AAD_IAM/CompanyRelationshipsMenuBlade/ExternalIdentitiesGettingStarted)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IA-8](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IA-8)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserType, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| where UserType <> \\\"Member\\\"\\r\\n| project UserPrincipalName, UserType, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-8] Identification and Authentication -- Non-Organizational Users\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"guest\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"guest\\\"\\r\\n| where 
AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"guest\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IA-8] Identification and Authentication -- Non-organizational Users -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIA8Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IA-8\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isIAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Identification & Authentication Family \"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Response](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=IR)\\r\\n---\\r\\nIncident Response is the process of responding to cybersecurity incidents and events. 
Incident Response includes preparation, identification, containment, eradication, recovery, and lessons learned phases.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Response Testing [IR-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IR-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Handling [IR-4]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IR-4\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Monitoring [IR-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IR-5\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Reporting [IR-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IR-6\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIR3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IR-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"8c96f96a-18c1-47d9-9886-0c9d05a6bd75\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIR4Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IR-4\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"2ac699fa-7a03-4c35-a09f-9e2e28e668e1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIR5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IR-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"fb20a59e-8d30-425d-8fc8-7567195bd1f1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIR6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IR-6\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"op
erator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"3d6c20c9-06d7-4d5e-93ae-a5084c409dcc\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Response Testing (IR-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#incident-response-testing)\\r\\n\\r\\nTest the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests].\\r\\n\\r\\n## Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Incident response planning](https://docs.microsoft.com/security/compass/incident-response-planning)
\\r\\n💡 [Simulate a phishing attack in Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/attack-simulation-training?)
\\r\\n💡 [How to Generate Microsoft Sentinel Incidents for Testing](https://techcommunity.microsoft.com/discussions/microsoft-security/new-blog-post--how-to-generate-microsoft-sentinel-incidents-for-testing-and-demo/3256681)
\\r\\n💡 [Experience Microsoft Defender for Endpoint through simulated attacks](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-simulations)
\\r\\n💡 [Testing with the Microsoft Sentinel Training Lab](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/learning-with-the-microsoft-sentinel-training-lab/ba-p/2953403)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender: Attack Simulation](https://security.microsoft.com/attacksimulator?viewid=overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IR-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IR-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"test\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IR-3] Incident Response Testing -- Incident Tests\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"
query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIR3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IR-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Handling (IR-4)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#incident-handling)\\r\\n\\r\\n\\ta. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;\\r\\n\\tb. Coordinate incident handling activities with contingency planning activities;\\r\\n\\tc. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and\\r\\n\\td. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender) \\r\\n\\r\\n### Implementation\\r\\n💡 [Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/investigate-cases)
\\r\\n💡 [Tutorial: Use playbooks with automation rules in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook)
\\r\\n💡 [Keep track of data during incident response with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/bookmarks)
\\r\\n💡 [Manage your SOC better with incident metrics](https://docs.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics)
\\r\\n💡 [Manage incidents in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/manage-incidents)
\\r\\n💡 [Incident response with Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/incidents-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel: Incidents](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender: Incidents](https://security.microsoft.com/incidents)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IR-4](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IR-4)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IR-4] Incident Handling -- Incidents\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"
query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIR4Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IR-4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Monitoring (IR-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#incident-monitoring)\\r\\n\\r\\nTrack and document incidents.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender) \\r\\n\\r\\n### Implementation\\r\\n💡 [Automatically create incidents from Microsoft security alerts](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)
\\r\\n💡 [Create custom analytics rules to detect threats](https://docs.microsoft.com/azure/sentinel/detect-threats-custom)
\\r\\n💡 [Hybrid Security Monitoring using Microsoft Defender for Cloud and Microsoft Sentinel](https://docs.microsoft.com/azure/architecture/hybrid/hybrid-security-monitoring)
\\r\\n💡 [Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
\\r\\n💡 [Automate threat response with playbooks in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/automate-responses-with-playbooks)
\\r\\n💡 [Manage incidents in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/manage-incidents)
\\r\\n💡 [Incident response with Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/incidents-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel: Incidents](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender: Incidents](https://security.microsoft.com/incidents)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[IR-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IR-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Severity\\r\\n| render timechart \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IR-5] Incident Monitoring -- Incidents over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"y
ellowOrangeRed\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIR5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IR-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Reporting (IR-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#incident-reporting)\\r\\n\\r\\n\\ta. Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and\\r\\n\\tb. Report incident information to [Assignment: organization-defined authorities].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender) \\r\\n\\r\\n### Implementation\\r\\n💡 [Manage your SOC better with incident metrics](https://docs.microsoft.com/azure/sentinel/manage-soc-with-incident-metrics)
\\r\\n💡 [Use Azure Monitor workbooks to visualize and monitor your data](https://docs.microsoft.com/azure/sentinel/monitor-your-data)
\\r\\n💡 [Visualize collected data](https://docs.microsoft.com/azure/sentinel/get-visibility)
\\r\\n💡 [Manage incidents in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/manage-incidents)
\\r\\n💡 [Incident response with Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/incidents-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel: Incidents](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender: Incidents](https://security.microsoft.com/incidents)
\\r\\n### NIST SP 800-53 Guidance\\r\\n[IR-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=IR-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"[IR-6] Incident Reporting -- Incidents by Severity\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"High\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"High\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"ti
tleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"Medium\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"Medium \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":fa
lse,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"orange\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"Low\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"Low\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"yellow\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where dayofyear(TimeGenerated) == dayofyear(now())\\n| summarize count()\\n\\n\\n\",\"size\":4,\"title\":\"New Today\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":false,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"blueDark\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10\"}]},\"customWidth\":\"50\",\"name\":\"Incidents\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| extend [\\\"MITRE ATT&CK Tactics\\\"] = tostring(parse_json(tostring(AdditionalData.tactics))[0])\\r\\n| where Severity == \\\"High\\\"\\r\\n| summarize count() by [\\\"Incident Name\\\"]=Title, [\\\"MITRE ATT&CK Tactics\\\"]\\r\\n| sort by count_ desc\\r\\n| 
limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IR-5] Incident Monitoring -- High Severity Incident Types\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColor
Settings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\r\\n| where Severity == \\\"High\\\"\\r\\n| make-series count() default=0 on FirstModifiedTime from {TimeRange:start} to {TimeRange:end} step 1d by Title\\r\\n| render timechart \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IR-5] Incident Monitoring -- High Severity Incidents over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0
}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber\\r\\n| where Status == \\\"Closed\\\"\\r\\n| extend TimeToRespond = (CreatedTime - FirstActivityTime)/1d \\r\\n| extend TimeToResolve = (ClosedTime - CreatedTime)/1d\\r\\n| extend AssignedAnalyst = tostring(Owner.assignedTo)\\r\\n| extend [\\\"MITRE ATT&CK Tactics\\\"] = tostring(parse_json(tostring(AdditionalData.tactics))[0])\\r\\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, ClosedTime desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, [\\\"MITRE ATT&CK Tactics\\\"], AssignedAnalyst, Classification, ClassificationComment, ClassificationReason, Description, TimeToRespond, TimeToResolve, IncidentStartTime=CreatedTime, IncidentClosedTime=ClosedTime, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[IR-5] Incident Monitoring -- 
Incident Closure Reports\",\"noDataMessage\":\"No Incidents Observed Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"TimeToRespond\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"TimeToResolve\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIR6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IR-6\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isIRVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Incident Response Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Media Protection](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=MP)\\r\\n---\\r\\nMedia protection includes physical, logical, and administrative controls over sensitive data. 
\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Access [MP-2]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MP-2\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Marking [MP-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MP-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Transport [MP-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MP-5\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Sanitization [MP-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MP-6\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Media Use [MP-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"MP-7\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"4700784f-bcd3-436c-a6c9-1678ae081de2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMP2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MP-2\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMP3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MP-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"357abfc4-fb8e-4162-b003-963f76c37bc6\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMP5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MP-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e32367e5-3bb7-42f5-9464-6cc7b05d468c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMP6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MP-6\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"op
erator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d1baed97-9f3a-4269-b160-0ec5834ebb14\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMP7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"MP-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b260fee7-8f91-4bc7-9aa5-0136c8ef7563\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Media Access (MP-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#media-access)\\r\\n\\r\\nRestrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionEvents](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is the Azure Information Protection unified labeling scanner?](https://docs.microsoft.com/azure/information-protection/deploy-aip-scanner)
\\r\\n💡 [Prevent data leaks on non-managed devices using Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/data-leak-prevention)
\\r\\n💡 [App protection policies overview](https://docs.microsoft.com/mem/intune/apps/app-protection-policy)
\\r\\n💡 [How to integrate Microsoft Information Protection with Defender for Cloud Apps](https://docs.microsoft.com/defender-cloud-apps/azip-integration#how-to-integrate-azure-information-protection-with-cloud-app-security)
\\r\\n💡 [Data loss prevention reference](https://docs.microsoft.com/microsoft-365/compliance/data-loss-prevention-policies?)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n🔀 [Microsoft 365 Compliance Manager: Information Protection](https://compliance.microsoft.com/informationprotection?viewid=overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[MP-2](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=MP-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionEvents\\r\\n| extend AIP = strcat(\\\"https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/ActivityLogsBlade\\\")\\r\\n| project LabelName, Activity, AIP, User, ItemName, ItemPath, Platform, ApplicationName, ProtectionOwner, IpAddress, Time\\r\\n| sort by Time desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[MP-2] Media Access -- Control/Monitor File Access via AIP\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LabelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AIP\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection 
>>\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}}},{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProtectionOwner\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"[MP-2] Media Access -- Control/Monitor File 
Access\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"ac6f7462-59ff-4d82-86b0-0a6eccc35a51\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserPrincipalName\",\"label\":\"🔀 User Selector\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n| summarize by UserPrincipalName \",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"User Selector Parameter - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where UserId in ({UserPrincipalName})\\r\\n| where Operation contains \\\"file\\\"\\r\\n| extend Path = OfficeObjectId\\r\\n| project UserId, OfficeWorkload, Operation, SourceFileName, SourceFileExtension, Path, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"File Access Activity Details\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Path\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"Sour
ceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where UserId in ({UserPrincipalName})\\r\\n| where Operation contains \\\"file\\\"\\r\\n| summarize count() by UserId, SourceFileName, SourceFileExtension, OfficeObjectId \\r\\n| project UserId, SourceFileName, count_, OfficeObjectId\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Most Frequently Accessed Files\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SourceFileName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"OfficeObjectId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"resource\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":
\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"Results80d\"}]},\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMP2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Media Marking (MP-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#media-marking)\\r\\n\\r\\n\\ta. Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and\\r\\n\\tb. Exempt [Assignment: organization-defined types of system media] from marking if the media remain within [Assignment: organization-defined controlled areas].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionEvents](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is the Azure Information Protection unified labeling scanner?](https://docs.microsoft.com/azure/information-protection/deploy-aip-scanner)
\\r\\n💡 [How to configure the policy settings for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-settings)
\\r\\n💡 [Admin Guide: Custom configurations for the Azure Information Protection unified labeling client](https://docs.microsoft.com/azure/information-protection/rms-client/clientv2-admin-guide-customizations)
\\r\\n💡 [Azure Information Protection (AIP) labeling, classification, and protection](https://docs.microsoft.com/azure/information-protection/aip-classification-and-protection)
\\r\\n💡 [Quickstart: Create a new Azure Information Protection label for specific users](https://docs.microsoft.com/azure/information-protection/quickstart-label-specificusers)
\\r\\n💡 [Quickstart: Find what sensitive information you have in files stored on-premises](https://docs.microsoft.com/azure/information-protection/quickstart-findsensitiveinfo)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection: Labels](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/globalBlade)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[MP-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=MP-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionEvents\\r\\n| extend AIP = strcat(\\\"https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/ActivityLogsBlade\\\")\\r\\n| summarize count() by LabelName, AIP\\r\\n| sort by count_ desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[MP-3] Media Marking -- Data Labeling via AIP\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LabelName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AIP\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Information Protection 
>>\",\"bladeOpenContext\":{\"bladeName\":\"DataClassGroupEditBlade\",\"extensionName\":\"Microsoft_Azure_InformationProtection\"}}},{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProtectionOwner\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident >\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 
2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMP3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Media Transport (MP-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#media-transport)\\r\\n\\r\\n\\ta. Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls];\\r\\n\\tb. Maintain accountability for system media during transport outside of controlled areas;\\r\\n\\tc. Document activities associated with the transport of system media; and\\r\\n\\td. Restrict the activities associated with the transport of system media to authorized personnel.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure Key Vault basic concepts](https://docs.microsoft.com/azure/key-vault/general/basic-concepts)
\\r\\n💡 [Quickstart: Create a new Azure Information Protection label for specific users](https://docs.microsoft.com/azure/information-protection/quickstart-label-specificusers)
\\r\\n💡 [Microsoft Defender for Endpoint Device Control Device Installation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/mde-device-control-device-installation?#allow-or-block-removable-devices)
\\r\\n💡 [Quickstart: Create a new Azure Information Protection label for specific users](https://docs.microsoft.com/azure/information-protection/quickstart-label-specificusers)
\\r\\n💡 [Customer Lockbox for Microsoft Azure](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview)
\\r\\n💡 [Restrict USB devices by using Intune Administrative Templates](https://docs.microsoft.com/troubleshoot/mem/intune/restrict-usb-with-administrative-template)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔀 [Customer Lockbox](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[MP-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=MP-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"DisableRemovableDriveScanning\\\" or RuleSetting contains \\\"NoDriveTypeAutoRun\\\" or RuleSetting contains \\\"EnableInstallerDetection\\\" or Description contains \\\"locker\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"DisableRemovableDriveScanning\\\" or RuleSetting contains \\\"NoDriveTypeAutoRun\\\" or RuleSetting contains \\\"EnableInstallerDetection\\\" or Description contains \\\"locker\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where RuleSetting contains \\\"DisableRemovableDriveScanning\\\" or RuleSetting contains \\\"NoDriveTypeAutoRun\\\" or RuleSetting contains \\\"EnableInstallerDetection\\\" or Description contains \\\"locker\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 
250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[MP-5] Media Transport -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMP5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Media Sanitization (MP-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#media-sanitization)\\r\\n\\r\\n\\ta. Sanitize [Assignment: organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures]; and\\r\\n\\tb. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [NIST SP 800-88 R1](https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final)
\\r\\n💡 [Set up Microsoft Sentinel customer-managed key](https://docs.microsoft.com/azure/sentinel/customer-managed-keys)
\\r\\n💡 [Azure customer data protection](https://docs.microsoft.com/azure/security/fundamentals/protection-customer-data)
\\r\\n💡 [Data-bearing device destruction](https://docs.microsoft.com/compliance/assurance/assurance-data-bearing-device-destruction)
\\r\\n💡 [Equipment disposal](https://docs.microsoft.com/azure/security/fundamentals/physical-security#equipment-disposal)
\\r\\n💡 [Data retention, deletion, and destruction in Microsoft 365](https://docs.microsoft.com/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[MP-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=MP-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where RecommendationName contains \\\"managed key\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[MP-6] Media Sanitization -- Leverage CMK for Cryptographic Erasure\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMP6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP-6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Media Use (MP-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4#media-use)\\r\\n\\r\\n\\ta. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and\\r\\n\\tb. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Defender for Endpoint Device Control Device Installation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/mde-device-control-device-installation)
\\r\\n💡 [Use Windows 10 templates to configure group policy settings in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/administrative-templates-windows)
\\r\\n💡 [Policy CSP - DeviceInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[MP-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=MP-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where Description contains \\\"drive\\\" or Description contains \\\"USB\\\" or Description contains \\\"device\\\" or Description contains \\\"removable\\\" or Description contains \\\"media\\\" or Description contains \\\"print\\\" or Description contains \\\"save\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where Description contains \\\"drive\\\" or Description contains \\\"USB\\\" or Description contains \\\"device\\\" or Description contains \\\"removable\\\" or Description contains \\\"media\\\" or Description contains \\\"print\\\" or Description contains \\\"save\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, RuleSetting\\r\\n| where Description contains \\\"drive\\\" or Description contains \\\"USB\\\" or Description contains \\\"device\\\" or Description contains \\\"removable\\\" or Description contains \\\"media\\\" or Description contains \\\"print\\\" or Description contains \\\"save\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| 
project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[MP-7] Media Use -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"}
,{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMP7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"MP-7\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isMPVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Media Protection Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Risk Assessment](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=RA)\\r\\n---\\r\\nRisk Assessment ensures a consistent approach to the identification, mitigation, and response to security risks.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Categorization [RA-2]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RA-2\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Risk Assessment [RA-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RA-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Vulnerability Scanning [RA-5]\\\\\\\", 
\\\\\\\"tab\\\\\\\": \\\\\\\"RA-5\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRA2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RA-2\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b1b060d4-95a8-4c72-bc2e-88f62e6a4835\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRA3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RA-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"688c6b95-1494-4967-8974-fe44d8870639\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRA5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RA-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"87ba2e69-6c44-4938-98c
3-b8e38a919157\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Categorization (RA-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#security-categorization)\\r\\n\\r\\n\\ta. Categorize the system and information it processes, stores, and transmits;\\r\\n\\tb. Document the security categorization results, including supporting rationale, in the security plan for the system; and\\r\\n\\tc. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Use asset inventory to manage your resources' security posture](https://docs.microsoft.com/azure/defender-for-cloud/asset-inventory)
\\r\\n💡 [Software inventory - threat and vulnerability management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-software-inventory)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Inventory](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/25)
\\r\\n🔀 [Microsoft 365 Defender: Software Inventory](https://security.microsoft.com/software-inventory/applications)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[RA-2](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=RA-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| project AssetID=id,AssetType=type, Azure_Inventory, M365_Inventory\\r\\n| sort by AssetID asc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"[RA-2] Security Categorization -- Review Asset Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"query - 
1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRA2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RA-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Risk Assessment (RA-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#risk-assessment-1)\\r\\n\\r\\n\\ta. Conduct a risk assessment, including:\\r\\n\\t\\t1. Identifying threats to and vulnerabilities in the system;\\r\\n\\t\\t2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and\\r\\n\\t\\t3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;\\r\\n\\tb. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;\\r\\n\\tc. Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]];\\r\\n\\td. Review risk assessment results [Assignment: organization-defined frequency];\\r\\n\\te. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and\\r\\n\\tf. 
Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
🔷 [AADUserRiskEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID: Identity Protection](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n💡 [Automatically create incidents from Microsoft security alerts](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)
\\r\\n💡 [Microsoft Entra ID Protection integration](https://docs.microsoft.com/defender-cloud-apps/aadip-integration)
\\r\\n\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Entra ID Protection](https://portal.azure.com/#blade/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/Overview)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[RA-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=RA-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationState == \\\"Unhealthy\\\"\\r\\n| where isnotempty(RecommendationSeverity)\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationSeverity\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"[RA-3] Risk Assessment -- Security Recommendation Severity over Time\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud SecurityRecommendation logging is enabled and/or extend time thresholds for a larger data-set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Severity\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"[RA-3] Risk Assessment -- Security Incidents over 
Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AADUserRiskEvents \\r\\n| extend RiskyUsers = strcat(\\\"https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/RiskyUsersBlade\\\")\\r\\n| summarize count() by UserPrincipalName, RiskLevel, RiskyUsers\\r\\n| extend Rank=iff(RiskLevel == \\\"high\\\", 3, iff(RiskLevel == \\\"medium\\\", 2, iff(RiskLevel == \\\"low\\\", 1, 0)))\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| project UserPrincipalName, RiskLevel, RiskyUsers, count_, Rank\\r\\n| sort by Rank,count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[RA-3] Risk Assessment -- Risky Users\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud SecurityRecommendation logging is enabled and/or extend time thresholds for 
a larger data-set. \",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RiskLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RiskyUsers\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Risky User Response >>\",\"bladeOpenContext\":{\"bladeName\":\"RiskyUsersBlade\",\"extensionName\":\"Microsoft_AAD_IAM\"}}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Rank\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRA3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RA-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Vulnerability Scanning (RA-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#vulnerability-scanning)\\r\\n\\r\\n\\ta. 
Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;\\r\\n\\tb. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:\\r\\n\\t\\t1. Enumerating platforms, software flaws, and improper configurations;\\r\\n\\t\\t2. Formatting checklists and test procedures; and\\r\\n\\t\\t3. Measuring vulnerability impact;\\r\\n\\tc. Analyze vulnerability scan reports and results from vulnerability monitoring;\\r\\n\\td. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;\\r\\n\\te. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and\\r\\n\\tf. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) 🔷 [SecurityNestedRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitynestedrecommendation)✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Defender for Cloud's integrated Qualys vulnerability scanner for Azure and hybrid machines](https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-vm)
\\r\\n💡 [Threat and vulnerability management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt?)
\\r\\n💡 [View and remediate findings from vulnerability assessment solutions on your VMs](https://docs.microsoft.com/azure/defender-for-cloud/remediate-vulnerability-findings-vm)
\\r\\n💡 [Vulnerabilities in my organization - threat and vulnerability management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-weaknesses?)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft 365 Defender: Threat & Vulnerability Management](https://security.microsoft.com/tvm_dashboard)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[RA-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=RA-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n| where type == \\\"microsoft.security/assessments/subassessments\\\"\\r\\n| extend assessmentKey = extract(\\\".*assessments/(.+?)/.*\\\",1, id)\\r\\n| where assessmentKey == \\\"1195afff-c881-495e-9bc5-1486211ae03f\\\"\\r\\n | project Resource = tolower(extract(\\\"([\\\\\\\\s\\\\\\\\S]*?)(/providers/Microsoft.Security.*)\\\",1,id)), ResourceGroup = trim_end(\\\"/\\\",extract(\\\".*resourceGroups/(.+?)/\\\",0,id)), ResourceType = tolower(split(id,\\\"/\\\").[6]), subscriptionId, severity = tostring(parse_json(properties).status.severity), status = tostring(parse_json(properties).status.code), VulnId = tostring(parse_json(properties).id), description = tostring(parse_json(properties).displayName), patchable = parse_json(properties.additionalData).patchable, cve = parse_json(properties.additionalData).cve\\r\\n | where status == 'Unhealthy'\\r\\n | summarize dcount(VulnId) by ResourceGroup, Resource, severity, VulnId, description, tostring(patchable), tostring(cve)\\r\\n | summarize Total = count(dcount_VulnId), sevH=countif(severity=='High'), sevM=countif(severity=='Medium'), sevL=countif(severity=='Low'), patchAvailable = countif(patchable=='true'), CVEcount =countif(cve!='[]') by ResourceGroup, Resource\\r\\n | order by sevH desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[RA-5] Vulnerability Scanning >> Select Asset for Details Below\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"exportFieldName\":\"Resource\",\"exportParameterName\":\"selectedServer\",\"exportDefaultValue\":\"All\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"$gen_group\",\"formatter\":13,\"formatOptions\":{\"linkColumn\":\"Resource\",\"linkTarget\":\"Resource\",\"showIcon\":true,\"customColumnWidthSetting\":\"30ch\"}},{\"columnMatch\":\"ResourceGroup\",\"formatter\":5},{\"columnMatch\":\"Resource\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"Total\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10ch\"}},{\"columnMatch\":\"sevH\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"12ch\"}},{\"columnMatch\":\"sevM\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\",\"customColumnWidthSetting\":\"13ch\"}},{\"columnMatch\":\"sevL\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blueDark\",\"customColumnWidthSetting\":\"10ch\"}},{\"columnMatch\":\"patchAvailable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\"},\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"CVEcount\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"10ch\"}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ResourceGroup\"],\"expandTopLevel\":true,\"finalBy\":\"Resource\"},\"labelSettings\":[{\"columnId\":\"ResourceGroup\",\"label\":\"Resource 
group\"},{\"columnId\":\"sevH\",\"label\":\"High\"},{\"columnId\":\"sevM\",\"label\":\"Medium\"},{\"columnId\":\"sevL\",\"label\":\"Low\"},{\"columnId\":\"patchAvailable\",\"label\":\"Available patches\"},{\"columnId\":\"CVEcount\",\"label\":\"CVEs\"}]}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"securityresources\\r\\n| where type == \\\"microsoft.security/assessments/subassessments\\\"\\r\\n| extend assessmentKey = extract(\\\".*assessments/(.+?)/.*\\\",1, id)\\r\\n| where assessmentKey == \\\"1195afff-c881-495e-9bc5-1486211ae03f\\\"\\r\\n| project Resource = tolower(extract(\\\"([\\\\\\\\s\\\\\\\\S]*?)(/providers/Microsoft.Security.*)\\\",1,id)), ResourceGroup = trim_end(\\\"/\\\",extract(\\\".*resourceGroups/(.+?)/\\\",0,id)), ResourceType = tolower(split(id,\\\"/\\\").[6]), subscriptionId, Severity = tostring(parse_json(properties).status.severity), Status = tostring(parse_json(properties).status.code), VulnId = tostring(parse_json(properties).id), Description = tostring(parse_json(properties).displayName), Patchable = parse_json(properties.additionalData).patchable, CVE = properties.additionalData.cve, Category = tostring(properties.category), TimeGenerated = tostring(properties.timeGenerated), Remediation = tostring(properties.remediation), Impact = tostring(properties.impact), Threat = tostring(properties.additionalData.threat)\\r\\n| where Status == 'Unhealthy'\\r\\n| where '{selectedServer}' == 'All' or Resource == '{selectedServer}'\\r\\n| project Severity, VulnId, Description, tostring(Patchable), Category, Resource, ResourceGroup, CVE, TimeGenerated, Remediation, Impact, Threat\\r\\n| mv-expand CveExpand = split (CVE, \\\"},\\\") to typeof(string)\\r\\n| parse CveExpand with * '\\\"title\\\":\\\"' singleCve '\\\"' *\\r\\n| summarize CVEs = tostring(make_list(singleCve)) by Severity, VulnId, Description, tostring(Patchable), Category, Resource, ResourceGroup, TimeGenerated, Threat, 
Impact, Remediation\",\"size\":0,\"showAnalytics\":true,\"title\":\"[RA-5] Vulnerability Details >> Select Asset Above\",\"noDataMessage\":\"Select Asset in Vulnerability Scanning Panel Above\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{selectedServer}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":5},{\"columnMatch\":\"VulnId\",\"formatter\":5},{\"columnMatch\":\"Resource\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"Remediation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Severity\"],\"expandTopLevel\":true,\"finalBy\":\"VulnId\"},\"labelSettings\":[{\"columnId\":\"ResourceGroup\",\"label\":\"Resource group\"},{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"}]}},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | 
extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | 
distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"RA.5\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[RA-5] Vulnerability Scan -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isRA5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RA-5\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isRAVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Risk Assessment Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System & Communications Protection](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=SC)\\r\\n---\\r\\nSystem & Communications Protection includes network security for administrative and management functions.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Denial of Service Protection [SC-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-5\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Resource Availability [SC-6]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-6\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Boundary Protection [SC-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-7\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Transmission Confidentiality & Integrity [SC-8]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-8\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Cryptographic Key Management [SC-12]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-12\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Cryptographic Protection [SC-13]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-13\\\\\\\" 
}\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"97ff7e32-a037-40b7-9e80-1c7b07d067f2\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC6Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-6\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"1a9b38e0-add0-4eb8-aaaf-497e0247b0a1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ffbdb17a-8192-4a95-9b3b-3e41c9698d1e\"},{\"version\":\"KqlParame
terItem/1.0\",\"name\":\"isSC8Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-8\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"961c000c-366c-4339-9251-c6655930668e\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC12Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-12\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"85a22349-ab5d-4975-b11b-dfaccc5e5584\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC13Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-13\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"18d9df7f-9120-4488-94d2-9d7073ce547b\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Public Key Infrastructure Certificates [SC-17]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-17\\\\\\\" },\\\\r\\\\n\\\\t{ 
\\\\\\\"Control\\\\\\\": \\\\\\\"Mobile Code [SC-18]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-18\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Secure Name Resolution Service [SC-21]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-21\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Session Authenticity [SC-23]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-23\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Honeypots [SC-26]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-26\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Protection of Information at Rest [SC-28]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SC-28\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC17Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-17\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"5ae74048-1da8-455e-9c0c-822f94893764\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC18Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-18\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",
\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"80fda944-16cd-48b9-89c2-9e15ced4b404\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC21Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-21\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"90732ff4-83e8-4c30-9fe1-4dcce44a3cfa\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC23Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-23\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"27d42082-d14c-4dc1-b351-bbcbfe55e154\"},{\"id\":\"76836fe0-0947-4aef-a0b7-272830c2d546\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC26Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-26\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSC28Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SC-28\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\
"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"13b89fee-4689-4484-90a9-db92db8f0f3d\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Denial of Service Protection (SC-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#denial-of-service-protection)\\r\\n\\r\\n\\ta. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and\\r\\n\\tb. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure DDoS Protection]( https://azure.microsoft.com/services/ddos-protection/)
\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure DDoS Protection Standard overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
\\r\\n💡 [Quickstart: Create and configure Azure DDoS Protection Standard](https://docs.microsoft.com/azure/ddos-protection/manage-ddos-protection)
\\r\\n💡 [Microsoft denial-of-service defense strategy](https://docs.microsoft.com/compliance/assurance/assurance-microsoft-dos-defense-strategy)
\\r\\n💡 [Components of a DDoS response strategy](https://docs.microsoft.com/azure/ddos-protection/ddos-response-strategy)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DDoS protection plans](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct 
ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | where RecommendationName contains \\\"dos\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-5] Denial of Service Protection -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"dos\\\"\\r\\n| project 
id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-5] Denial of Service Protection -- DDoS Protection Plans\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"dos\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-5] Denial of Service Protection -- DDoS Security Incidents\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These 
Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"IPAddress\",\"parameterName\":\"IPAddress\",\"parameterType\":1},{\"fieldName\":\"ResourceId\",\"parameterName\":\"ResourceId\",\"parameterType\":1,\"defaultValue\":\"ResourceId\"},{\"fieldName\":\"Resource\",\"parameterName\":\"AttackReport\",\"parameterType\":1,\"defaultValue\":\"/\"}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"subtitleContent\":{\"columnMatch\":\"TopAttackVector\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Resource\"},\"rightContent\":{\"columnMatch\":\"TimeGenerated\"},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Resource Availability (SC-6)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#resource-availability)\\r\\n\\r\\nProtect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Machine Scale Sets]( https://azure.microsoft.com/services/virtual-machine-scale-sets/) ✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) ✳️ [Application Gateway]( https://azure.microsoft.com/services/application-gateway/) ✳️ [Azure Front Door](https://azure.microsoft.com/services/frontdoor/) ✳️ [Traffic Manager](https://azure.microsoft.com/services/traffic-manager/)
\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Quickstart: Create a public load balancer to load balance VMs using the Azure portal](https://docs.microsoft.com/azure/load-balancer/quickstart-load-balancer-standard-public-portal)
\\r\\n💡 [Quickstart: Create a Traffic Manager profile using the Azure portal](https://docs.microsoft.com/azure/traffic-manager/quickstart-create-traffic-manager-profile)
\\r\\n💡 [Quickstart: Direct web traffic with Azure Application Gateway - Azure portal](https://docs.microsoft.com/azure/application-gateway/quick-create-portal)
\\r\\n💡 [Quickstart: Create a Front Door for a highly available global web application](https://docs.microsoft.com/azure/frontdoor/quickstart-create-front-door)
\\r\\n💡 [Quickstart: Create a virtual machine scale set in the Azure portal](https://docs.microsoft.com/azure/virtual-machine-scale-sets/quick-create-portal)
\\r\\n💡 [SQL Databases: Horizontal & Vertical Scaling](https://docs.microsoft.com/azure/azure-sql/database/elastic-scale-introduction#horizontal-and-vertical-scaling)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Load Balancers]()
\\r\\n🔀 [Traffic Manager]()
\\r\\n🔀 [Front Door]()
\\r\\n🔀 [Application Gateway]()
\\r\\n🔀 [Virtual Machine Scale Sets]()
\\r\\n🔀 [SQL Datbases]()
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-6](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-6)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"applicationgateway\\\" or type contains \\\"frontdoor\\\" or type contains \\\"load\\\" or type contains \\\"scale\\\" or type contains \\\"traffic\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-6] Resource Availability -- Load Balancers, Traffic Managers, Scale Sets, Front Door, Application Security Groups\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | 
extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = 
countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | where RecommendationName contains \\\"avail\\\" or RecommendationName contains \\\"load\\\" or RecommendationName contains \\\"scale\\\" or RecommendationName contains \\\"front\\\" or RecommendationName contains \\\"application gateway\\\" or RecommendationName contains \\\"traffic\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-6] Resource Availability -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC6Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Boundary Protection (SC-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#boundary-protection)\\r\\n\\r\\n\\ta. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;\\r\\n\\tb. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and\\r\\n\\tc. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Application Gateway](https://azure.microsoft.com/services/application-gateway/) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) ✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) ✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) ✳️ [VPN Gateway]( https://azure.microsoft.com/services/vpn-gateway/)
\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Tutorial: Deploy and configure Azure Firewall and policy using the Azure portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal-policy)
\\r\\n💡 [Azure Firewall: Intrustion Prevention Detection System / TLS Inspection](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n💡 [Quickstart: Create a virtual network using the Azure portal](https://docs.microsoft.com/azure/virtual-network/quick-create-portal)
\\r\\n💡 [Tutorial: Create and manage a VPN gateway using Azure portal](https://docs.microsoft.com/azure/vpn-gateway/tutorial-create-gateway-portal)
\\r\\n💡 [Create an Azure Network Watcher instance](https://docs.microsoft.com/azure/network-watcher/network-watcher-create)
\\r\\n💡 [Network security groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview)
\\r\\n💡 [Application security groups](https://docs.microsoft.com/azure/virtual-network/application-security-groups)
\\r\\n💡 [What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡 [Quickstart: Create and modify an ExpressRoute circuit](https://docs.microsoft.com/azure/expressroute/expressroute-howto-circuit-portal-resource-manager)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔀 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n🔀 [ExpressRoute](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n🔀 [Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔀 [Azure Web Application Firewall](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\\r\\n🔀 [Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/applicationgateways)
\\r\\n🔀 [Network Watcher](https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview)
\\r\\n🔀 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"SC.7\\\" and complianceControlId !contains \\\"*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-7] Boundary Protection -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"network\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-7] Boundary Protection -- Network Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Transmission Confidentiality & Integrity (SC-8)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#transmission-confidentiality-and-integrity)\\r\\n\\r\\nProtect the [Selection (one or more): confidentiality; integrity] of transmitted information.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure encryption overview](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview)
\\r\\n💡 [Device Compliance settings for Windows 10/11 in Intune](https://docs.microsoft.com/mem/intune/protect/compliance-policy-create-windows)
\\r\\n💡 [Conditional Access: Require approved client apps or app protection policy](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection)
\\r\\n💡 [How to create and assign app protection policies](https://docs.microsoft.com/mem/intune/apps/app-protection-policies)
\\r\\n💡 [Android app protection policy settings in Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/app-protection-policy-settings-android)
\\r\\n💡 [iOS app protection policy settings](https://docs.microsoft.com/mem/intune/apps/app-protection-policy-settings-ios)
\\r\\n💡 [Network access control (NAC) integration with Intune](https://docs.microsoft.com/mem/intune/protect/network-access-control-integrate)
\\r\\n💡 [What are common ways to use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
\\r\\n💡 [What is Azure ExpressRoute?](https://docs.microsoft.com/azure/expressroute/expressroute-introduction)
\\r\\n💡 [Remote Desktop Protocol](https://docs.microsoft.com/windows/win32/termserv/remote-desktop-protocol)
\\r\\n💡 [How to use SSH keys with Windows on Azure](https://docs.microsoft.com/azure/virtual-machines/linux/ssh-from-windows)
\\r\\n💡 [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)
\\r\\n💡 [About VPN Gateway configuration settings](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [ Microsoft Entra ID : Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔀 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n🔀 [ExpressRoute](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-8](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-8)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"SC.8\\\" and complianceControlId !contains \\\"*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-8] Transmission Confidentiality & Integrity -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC8Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cryptographic Key Establishment & Management (SC-12)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#cryptographic-key-establishment-and-management)\\r\\n\\r\\nEstablish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [What is Azure Dedicated HSM?](https://docs.microsoft.com/azure/dedicated-hsm/overview)
\\r\\n💡 [Thales Luna HSMs](https://cpl.thalesgroup.com/encryption/hardware-security-modules/network-hsms)
\\r\\n💡 [Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal](https://docs.microsoft.com/azure/key-vault/secrets/quick-create-portal)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-12](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-12)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"SC.12\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-12] Cryptographic Key Establishment & Management -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC12Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cryptographic Protection (SC-13)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#cryptographic-protection-3)\\r\\n\\r\\n\\ta. Determine the [Assignment: organization-defined cryptographic uses]; and\\r\\n\\tb. 
Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [FIPS 140-2 Validation](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation)
\\r\\n💡 [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing)
\\r\\n💡 [Key Vault Keys](https://docs.microsoft.com/azure/key-vault/keys/about-keys)
\\r\\n💡 [Federal Information Processing Standard (FIPS) 140](https://docs.microsoft.com/azure/compliance/offerings/offering-fips-140-2)
\\r\\n💡 [Cryptographic controls used by Azure RMS: Algorithms and key lengths](https://docs.microsoft.com/azure/information-protection/how-does-it-work#cryptographic-controls-used-by-azure-rms-algorithms-and-key-lengths)
\\r\\n💡 [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-13](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-13)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct 
ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink\\r\\n | where RecommendationName contains \\\"crypt\\\"\\r\\n | sort by Total, Passed desc\\r\\n | limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-13] Cryptographic Protection -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC13Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-13\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Public Key Infrastructure Certificates (SC-17)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#public-key-infrastructure-certificates)\\r\\n\\r\\n\\ta. Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider; and\\r\\n\\tb. Include only approved trust anchors in trust stores or certificate stores managed by the organization.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Get started with Key Vault certificates](https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios)
\\r\\n💡 [Certificate authorities used by Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/certificate-authorities)
\\r\\n💡 [PKI design considerations using Active Directory Certificate Services (AD CS)](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/pki-design-considerations)
\\r\\n💡 [Validate and Configure Public Key Infrastructure - Key Trust](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki)
\\r\\n💡 [PKI certificate requirements for Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/network/pki-certificate-requirements#supported-certificate-types)
\\r\\n💡 [Configure and use PKCS certificates with Intune](https://docs.microsoft.com/mem/intune/protect/certificates-pfx-configure)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-17](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-17)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct 
ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink\\r\\n | where RecommendationName contains \\\"cert\\\"\\r\\n | sort by Total, Passed desc\\r\\n | limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-17] Public Key Infrastructure Certificates -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC17Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Mobile Code (SC-18)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#mobile-code)\\r\\n\\r\\n\\ta. Define acceptable and unacceptable mobile code and mobile code technologies; and\\r\\n\\tb. Authorize, monitor, and control the use of mobile code within the system.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents) ✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Administer Group Policy in an Microsoft Entra ID Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)
\\r\\n💡 [Enable and configure Microsoft Antimalware for Azure Resource Manager VMs](https://docs.microsoft.com/azure/security/fundamentals/antimalware-code-samples)
\\r\\n💡 [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](https://docs.microsoft.com/azure/security/fundamentals/antimalware)
\\r\\n💡 [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection)
\\r\\n💡 [Customize Web Application Firewall rules using the Azure portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-customize-waf-rules-portal)
\\r\\n💡 [Block syncing of specific file types](https://docs.microsoft.com/onedrive/block-file-types)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/homepage)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-18](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-18)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let M365Files = OfficeActivity\\r\\n| where SourceFileName contains \\\".vbx\\\" or SourceFileName contains \\\".js \\\" or SourceFileName contains \\\".dcr\\\" or SourceFileName contains \\\".fla\\\" or SourceFileName contains \\\".flv\\\" or SourceFileName contains \\\".swr\\\"\\r\\n| extend FileName=SourceFileName, FileLocations=OfficeObjectId\\r\\n| summarize count() by FileName, FileLocations;\\r\\nlet FilePathList = DeviceFileEvents\\r\\n//Update file types and mobile code indicators as required\\r\\n| where FileName contains \\\".vbx\\\" or FileName contains \\\".js \\\" or FileName contains \\\".dcr\\\" or FileName contains \\\".fla\\\" or FileName contains \\\".flv\\\" or FileName contains \\\".swr\\\"\\r\\n| extend FileLocations = strcat(\\\"DEVICENAME: \\\",DeviceName,\\\" \\\",\\\"ACCOUNT: \\\",InitiatingProcessAccountName,\\\" \\\",\\\"PATH: \\\",\\\" \\\",FolderPath)\\r\\n| summarize FileLocations = makelist(FileLocations) by FileName\\r\\n| extend FileLocations = tostring(FileLocations);\\r\\nDeviceFileEvents\\r\\n//Update file types and mobile code indicators as required\\r\\n| where FileName contains \\\".vbx\\\" or FileName contains \\\".js \\\" or FileName contains \\\".dcr\\\" or FileName contains \\\".fla\\\" or FileName contains \\\".flv\\\" or FileName contains \\\".swr\\\"\\r\\n| summarize count() by FileName\\r\\n| join (FilePathList) on FileName\\r\\n| project FileName, count_, FileLocations\\r\\n| union M365Files\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-18] Mobile Code -- Control/Monitor Mobile Code\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"File\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"FileLocations\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Folder\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC18Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 22\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Secure Name / Address Resolution Service (SC-21)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#secure-name--address-resolution-service-recursive-or-caching-resolver)\\r\\n\\r\\nRequest and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Introduction to Microsoft Defender for DNS](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-dns-introduction)
\\r\\n💡 [Respond to Microsoft Defender for DNS alerts](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-dns-introduction#respond-to-microsoft-defender-for-dns-alerts)
\\r\\n💡 [Set-DnsServerRecursion](https://docs.microsoft.com/powershell/module/dnsserver/set-dnsserverrecursion?view=windowsserver2022-ps)
\\r\\n💡 [DNS Server vulnerability to DNS Server Cache snooping attacks](https://docs.microsoft.com/troubleshoot/windows-server/networking/dns-server-cache-snooping-attacks)
\\r\\n💡 [Reviewing DNS Concepts](https://docs.microsoft.com/windows-server/identity/ad-ds/plan/reviewing-dns-concepts)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Workload Protections](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/26)
\\r\\n🔀 [DNS zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-21](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-21)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct 
ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink\\r\\n | where RecommendationName contains \\\"DNS\\\" or RecommendationName contains \\\"domain\\\"\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-21] Secure Name / Address Resolution Service -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC21Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-21\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Session Authenticity (SC-23)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#session-authenticity)\\r\\n\\r\\nProtect the authenticity of communications sessions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Configure authentication session management with Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)
\\r\\n💡 [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [ Microsoft Entra ID : Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-23](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-23)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct 
ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink\\r\\n | where RecommendationName contains \\\"TLS\\\" or RecommendationName contains \\\"SSL\\\" or RecommendationName contains \\\"private\\\" or RecommendationName contains \\\"session\\\" or RecommendationName contains \\\"auth\\\" or RecommendationName contains \\\"accounts\\\" and RecommendationName !contains \\\"storage\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-23] Session Authenticity -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC23Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-23\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Honeypots (SC-26)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#network-disconnect)\\r\\n\\r\\nInclude components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Deploy and monitor Azure Key Vault honeytokens with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/monitor-key-vault-honeytokens?tabs=deploy-at-scale)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-26](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-26)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where id contains \\\"deception\\\" or id contains \\\"honey\\\" or id contains \\\"HTDK\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-26] Honeypots -- Microsoft Sentinel: Deception Solution Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC26Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-26\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protection of Information at Rest (SC-28)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#protection-of-information-at-rest)\\r\\n\\r\\nProtect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for 
Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Quickstart: Create a key vault using the Azure portal](https://docs.microsoft.com/azure/key-vault/general/quick-create-portal)
\\r\\n💡 [Configure encryption with customer-managed keys](https://docs.microsoft.com/azure/storage/common/customer-managed-keys-configure-key-vault?tabs=portal#configure-encryption-with-customer-managed-keys)
\\r\\n💡 [Encryption in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/encryption)
\\r\\n💡 [Data encryption models](https://docs.microsoft.com/azure/security/fundamentals/encryption-models)
\\r\\n💡 [Azure Disk Encryption for virtual machines and virtual machine scale sets](https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss)
\\r\\n💡 [Manage BitLocker policy for Windows devices with Intune](https://docs.microsoft.com/mem/intune/protect/encrypt-devices)
\\r\\n💡 [Transparent data encryption (TDE)](https://docs.microsoft.com/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center: Configuration Profiles](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/configurationProfiles)
\\r\\n🔀 [Key Vault](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔀 [SQL Databases](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Sql%2Fservers%2Fdatabases)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SC-28](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-28)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId == \\\"SC.28.*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SC-28] Protection of Information at Rest -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSC28Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SC-28\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isSCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"System & Communications Protection Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [System & Information Integrity](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/controls?version=5.1&family=SI)\\r\\n---\\r\\nSystem & Information Integrity includes controls to identify system flaws, combat malware, and identify anomalies.\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"40\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ 
\\\\\\\"Control\\\\\\\": \\\\\\\"Flaw Remediation [SI-2]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI-2\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Malicious Code Protection [SI-3]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI-3\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Information System Monitoring [SI-4]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI-4\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Alerts, Advisories, & Directives [SI-5]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI-5\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSI2Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI-2\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b553471a-7ce6-42bf-935a-47279ebe6fc8\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSI3Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI-3\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"f01adcc0-1423-4d51-a8ba-edc328ae2c58\"},{\"ver
sion\":\"KqlParameterItem/1.0\",\"name\":\"isSI4Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI-4\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c9d8d03d-8d6f-404d-9100-2261389a6e5b\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSI5Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI-5\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"2cf136e9-8f36-4b9c-ad94-403aa2b4c6e7\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Software, Firmware, & Information Integrity [SI-7]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI-7\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Spam Protection [SI-8]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI-8\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Information Handling & Retention [SI-12]\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SI-12\\\\\\\" 
}\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e73461c8-699d-4698-bbbc-82ce5096800d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSI7Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI-7\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSI8Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI-8\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"24733b22-cc4d-4322-a53b-6dce1ad815dc\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSI12Visible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SI-12\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a5f05f8c-6393-4898-966c-04a53c7a4d8c\"}],\"style\":\"pi
lls\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Flaw Remediation (SI-2)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#flaw-remediation)\\r\\n\\r\\n\\ta. Identify, report, and correct system flaws;\\r\\n\\tb. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;\\r\\n\\tc. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and\\r\\n\\td. Incorporate flaw remediation into the organizational configuration management process.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Risk-based threat and vulnerability management](https://www.microsoft.com/security/business/threat-protection/threat-vulnerability-management)
\\r\\n💡 [How to monitor Endpoint Protection status](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/monitor-endpoint-protection)
\\r\\n💡 [Configure Alerts for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-configure-alerts)
\\r\\n💡 [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](https://docs.microsoft.com/azure/security/fundamentals/antimalware)
\\r\\n💡 [Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint](https://docs.microsoft.com/mem/intune/protect/atp-manage-vulnerabilities)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n🔀 [Microsoft 365 Defender: Threat & Vulnerability Management](https://security.microsoft.com/tvm_dashboard)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SI-2](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-2)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"SI.2\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-2] Flaw Remediation -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSI2Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI-2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious Code Protection (SI-3)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#malicious-code-protection)\\r\\n\\r\\n\\ta. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;\\r\\n\\tb. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;\\r\\n\\tc. Configure malicious code protection mechanisms to:\\r\\n\\t\\t1. 
Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and\\r\\n\\t\\t2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and\\r\\n\\td. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](https://docs.microsoft.com/azure/security/fundamentals/antimalware)
\\r\\n💡 [Malware and ransomware protection in Microsoft 365](https://docs.microsoft.com/compliance/assurance/assurance-malware-and-ransomware-protection)
\\r\\n💡 [Enable and configure always-on protection in Group Policy](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus#enable-and-configure-always-on-protection-in-group-policy)
\\r\\n💡 [Enable and configure Microsoft Antimalware for Azure Resource Manager VMs](https://docs.microsoft.com/azure/security/fundamentals/antimalware-code-samples)
\\r\\n💡 [Windows 10 (and newer) device settings to allow or restrict features using Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10)
\\r\\n\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud: Security Alerts](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/7)
\\r\\n🔀 [Microsoft 365 Defender: Alerts](https://security.microsoft.com/alerts)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SI-3](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-3)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"SI.3\\\" and complianceControlId !contains \\\"*\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = 
tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-3] Malicious Code Protection -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"ware\\\" or Title contains \\\"mining\\\" or Title contains \\\"backdoor\\\" or Title contains \\\"exploit\\\" or Title contains \\\"tool\\\" or Title contains \\\"file\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| sort by FirstActivityTime desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-3] Malicious Code Protection -- Security 
Incidents\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSI3Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI-3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Information System Monitoring (SI-4)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#information-system-monitoring)\\r\\n\\r\\n\\ta. Monitor the system to detect:\\r\\n\\t\\t1. 
Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and\\r\\n\\t\\t2. Unauthorized local, network, and remote connections;\\r\\n\\tb. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods];\\r\\n\\tc. Invoke internal monitoring capabilities or deploy monitoring devices:\\r\\n\\t\\t1. Strategically within the system to collect organization-determined essential information; and\\r\\n\\t\\t2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;\\r\\n\\td. Analyze detected events and anomalies;\\r\\n\\te. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;\\r\\n\\tf. Obtain legal opinion regarding system monitoring activities; and\\r\\n\\tg. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) 🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident)✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/microsoft-sentinel/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Automatically create incidents from Microsoft security alerts](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)
\\r\\n💡 [Connect Microsoft Defender for Cloud alerts to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-defender-for-cloud)
\\r\\n💡 [Connect data from Microsoft 365 Defender to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud: Regulatory Compliance](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SI-4](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-4)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n\\t| where complianceControlId startswith \\\"SI.4\\\"\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, 
RecommendationLink) on RecommendationName \\r\\n | distinct ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-4] Information System Monitoring -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_2\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SecurityProducts = datatable(ProviderName:string, Product:string, Portal:string)\\r\\n[\\r\\n \\\"ASI Scheduled Alerts\\\", \\\"Microsoft Sentinel\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"MCAS\\\", \\\"Microsoft Defender for Cloud Apps\\\", \\\"https://portal.cloudappsecurity.com/\\\",\\r\\n \\\"MDATP\\\", \\\"Microsoft Defender for Endpoint\\\", \\\"https://security.microsoft.com/homepage\\\",\\r\\n \\\"Azure Security Center\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"Detection-WarmPathV2\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"MicrosoftThreatProtection\\\", \\\"Microsoft 365 Defender\\\", \\\"https://security.microsoft.com/homepage\\\",\\r\\n \\\"IPC\\\", \\\"Azure Active 
Directory Identity Protection\\\", \\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/Overview\\\",\\r\\n \\\"Detection-Fusion\\\", \\\"Machine Learning Fusion Alert\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"Sentinel Fusion\\\", \\\"Machine Learning Fusion Alert\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"Azure Advanced Threat Protection\\\", \\\"Microsoft Defender for Identity\\\", \\\"https://security.microsoft.com/settings/identities\\\",\\r\\n \\\"Threat Intelligence Alerts\\\", \\\"Threat Intelligence\\\", \\\"https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel\\\",\\r\\n \\\"IoTSecurity\\\", \\\"Microsoft Defender for IoT\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started\\\",\\r\\n \\\"MSTIC\\\", \\\"Microsoft Intelligent Security Graph\\\", \\\"https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade\\\",\\r\\n \\\"AntimalwarePublisher\\\", \\\"Microsoft Anti-Malware\\\", \\\"https://security.microsoft.com/homepage\\\",\\r\\n \\\"OATP\\\", \\\"Microsoft Defender for Office 365\\\", \\\"https://security.microsoft.com/homepage\\\",\\r\\n \\\"AdaptiveNetworkHardenings\\\", \\\"Microsoft Defender for Cloud\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"StorageThreatDetection\\\", \\\"Azure Defender for Storage\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\",\\r\\n \\\"CloudNetworkSecurity\\\", \\\"Azure Network Security\\\", \\\"https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview\\\",\\r\\n \\\"SQLThreatDetection\\\", \\\"Azure Defender for SQL\\\", 
\\\"https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0\\\"\\r\\n];\\r\\nSecurityAlert\\r\\n| join kind=inner SecurityProducts on ProviderName\\r\\n| summarize count() by Product, Portal\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-4] Information System Monitoring -- Security Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Product\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Portal 
>>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated 
desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-4] Information System Monitoring -- Security Incidents\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSI4Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI-4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Alerts, Advisories, & Directives (SI-5)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#security-alerts-advisories-and-directives)\\r\\n\\r\\n\\ta. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;\\r\\n\\tb. Generate internal security alerts, advisories, and directives as deemed necessary;\\r\\n\\tc. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and\\r\\n\\td. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRegulatoryCompliance](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityregulatorycompliance) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) 🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Resources\\r\\n✴️ [US-CERT: Alerts](https://www.cisa.gov/uscert/ncas/alerts)
\\r\\n✴️ [US-CERT: Bulletins](https://www.cisa.gov/uscert/ncas/bulletins)
\\r\\n✴️ [US-CERT: Current Activity](https://www.cisa.gov/uscert/ncas/current-activity)
\\r\\n✴️ [US-CERT: Analysis Reports](https://www.cisa.gov/uscert/ncas/analysis-reports)
\\r\\n✴️ [Microsoft Technical Security Notifications](https://www.microsoft.com/msrc/technical-security-notifications)
\\r\\n✴️ [Microsoft Security Response Center](https://www.microsoft.com/msrc)
\\r\\n✴️ [Microsoft Security Intelligence](https://www.microsoft.com/security/blog/microsoft-security-intelligence/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Sentinel: Automation](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SI-5](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-5)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\\r\\n | where failedResources + passedResources + skippedResources > 0\\r\\n | join kind = leftouter(\\r\\n securityresources\\r\\n | where type == \\\"microsoft.security/assessments\\\") on subscriptionId, name\\r\\n | extend complianceState = properties.state\\r\\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\\r\\n | extend recommendationId = id1\\r\\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\\r\\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\\r\\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\\r\\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\\r\\n | extend regexResourceId = extract_all(@\\\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\\\", resourceId)[0]\\r\\n | extend resourceType = iff(regexResourceId[1] != \\\"\\\", regexResourceId[1], iff(regexResourceId[0] != \\\"\\\", regexResourceId[0], \\\"subscriptions\\\"))\\r\\n | extend resourceName = regexResourceId[2]\\r\\n | extend recommendationName = name\\r\\n | extend RecommendationName = properties1.displayName\\r\\n | extend description = properties1.metadata.description\\r\\n | 
extend remediationSteps = properties1.metadata.remediationDescription\\r\\n | extend severity = properties1.metadata.severity\\r\\n | extend state = properties1.status.code\\r\\n | extend notApplicableReason = properties1.status.cause\\r\\n | extend RecommendationLink = properties1.links.azurePortal\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | extend complianceControlId = extract(@\\\"/regulatoryComplianceControls/([^/]*)\\\", 1, id)\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend controlName = tostring(properties.description)\\r\\n | project controlId = name, controlName\\r\\n | distinct *) on $right.controlId == $left.complianceControlId\\r\\n | summarize Failed = countif(state == \\\"Unhealthy\\\"), Passed = countif(state == \\\"Healthy\\\"), Total = countif(state == \\\"Unhealthy\\\" or state == \\\"Healthy\\\") by tostring(RecommendationName), ControlID = controlId, recommendationName\\r\\n | extend PassedControls = (Passed/todouble(Total))*100\\r\\n | join kind = leftouter (securityresources\\r\\n | where type == \\\"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\\\"\\r\\n | extend complianceStandardId = replace( \\\"-\\\", \\\" \\\", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\\r\\n | where complianceStandardId == \\\"NIST SP 800 53 R4\\\"\\r\\n | extend RecommendationName = tostring(properties.description)\\r\\n | extend RecommendationLink = tostring(properties.assessmentDetailsLink)\\r\\n | project RecommendationName, RecommendationLink) on RecommendationName \\r\\n | distinct 
ControlID, RecommendationName, Total, RecommendationLink, PassedControls, Passed, Failed, recommendationName\\r\\n | distinct RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink\\r\\n | where RecommendationName contains \\\"alert\\\"\\r\\n | sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-5] Security Alerts, Advisories, and Directives -- Security Policy Recommendations\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initative for NIST SP 800-53 R4 is enabled. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"recommendationName1\"}]}}},{\"columnMatch\":\"recommendationName1\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type == \\\"microsoft.logic/workflows\\\"\\r\\n| extend PlaybookName = 
id\\r\\n| where PlaybookName contains \\\"notify\\\" or PlaybookName contains \\\"email\\\" or PlaybookName contains \\\"teams\\\" or PlaybookName contains \\\"ticket\\\" or PlaybookName contains \\\"post\\\"\\r\\n| project PlaybookName, type, resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-5] Security Alerts, Advisories, and Directives -- SOAR Notification Playbooks\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Microsoft Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where OperationNameValue startswith \\\"Microsoft.Logic\\\"\\r\\n| where ActivityStatusValue == \\\"Success\\\" or ActivityStatusValue == \\\"Succeeded\\\"\\r\\n| extend scope_ = tostring(Authorization_d.scope)\\r\\n| parse-where scope_ with * 'workflows/' PlaybookName '/' *\\r\\n| where PlaybookName contains \\\"notify\\\" or PlaybookName contains \\\"email\\\" or PlaybookName contains \\\"teams\\\" or PlaybookName contains \\\"ticket\\\" or PlaybookName contains \\\"post\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by PlaybookName\\r\\n| render timechart \",\"size\":0,\"showAnnotations\":true,\"showAnalytics\":true,\"title\":\"[SI-5] Security Alerts, Advisories, and 
Directives --Notification SOAR Playbooks Triggered\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSI5Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI-5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Software, Firmware, & Information Integrity (SI-7)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#software-firmware-and-information-integrity)\\r\\n\\r\\n\\ta. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and\\r\\n\\tb. Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions].\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Firmware security](https://docs.microsoft.com/azure/security/fundamentals/firmware)
\\r\\n💡 [Platform code integrity](https://docs.microsoft.com/azure/security/fundamentals/code-integrity)
\\r\\n💡 [Secure Boot](https://docs.microsoft.com/azure/security/fundamentals/secure-boot)
\\r\\n💡 [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/azure/role-based-access-control/overview)
\\r\\n💡 [File integrity monitoring in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/defender-for-cloud/file-integrity-monitoring-overview)
\\r\\n💡 [Change Tracking and Inventory overview](https://docs.microsoft.com/azure/automation/change-tracking/overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Entra ID: Roles & Admins](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators)
\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SI-7](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-7)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"firmware\\\" or Description contains \\\"kernel\\\" or Description contains \\\"OS \\\" or Description contains \\\"BIOS\\\" or Description contains \\\"integrity\\\" or Description contains \\\"software\\\" or Description contains \\\"operating system\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"firmware\\\" or Description contains \\\"kernel\\\" or Description contains \\\"OS \\\" or Description contains \\\"BIOS\\\" or Description contains \\\"integrity\\\" or Description contains \\\"software\\\" or Description contains \\\"operating system\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"firmware\\\" or Description contains \\\"kernel\\\" or Description contains \\\"OS \\\" or Description contains \\\"BIOS\\\" or Description contains \\\"integrity\\\" or Description contains \\\"software\\\" or Description contains \\\"operating system\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join 
kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-7] Software, Firmware & Information Integrity -- Configure Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSI7Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI-7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Spam Protection 
(SI-8)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#spam-protection)\\r\\n\\r\\n\\ta. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and\\r\\n\\tb. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://learn.microsoft.com/defender-office-365/mdo-about)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Anti-spam protection in cloud organizations](https://learn.microsoft.com/defender-office-365/anti-spam-protection-about)
\\r\\n💡 [Configure anti-spam policies for cloud mailboxes](https://learn.microsoft.com/defender-office-365/anti-spam-policies-configure)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/) \\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SI-8](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-8)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MatchingSenderEmails=EmailEvents\\r\\n| extend Spam = tostring(parse_json(ConfidenceLevel).Spam)\\r\\n| where Spam == \\\"Normal\\\" or Spam == \\\"Moderate\\\" or Spam == \\\"High\\\"\\r\\n| where SenderFromAddress <> \\\"\\\"\\r\\n| summarize count() by SenderFromAddress\\r\\n| project SenderFromAddress, EmailsFromSender=count_;\\r\\nlet MatchingSpamEmails_=EmailEvents\\r\\n| extend Spam = tostring(parse_json(ConfidenceLevel).Spam)\\r\\n| where Spam == \\\"Normal\\\" or Spam == \\\"Moderate\\\" or Spam == \\\"High\\\"\\r\\n| where Subject <> \\\"\\\"\\r\\n| summarize count() by Subject\\r\\n| project Subject, EmailsMatchingSubject=count_;\\r\\nEmailEvents\\r\\n| extend Spam = tostring(parse_json(ConfidenceLevel).Spam)\\r\\n| where Spam == \\\"Normal\\\" or Spam == \\\"Moderate\\\" or Spam == \\\"High\\\"\\r\\n| where Subject <> \\\"\\\"\\r\\n| join kind=fullouter(MatchingSenderEmails) on SenderFromAddress\\r\\n| join kind=fullouter(MatchingSpamEmails_) on Subject\\r\\n| where SenderFromAddress <> \\\"\\\"\\r\\n| project Spam, RecipientEmailAddress, SenderFromAddress, DeliveryAction, EmailDirection, ConfidenceLevel, DetectionMethods, EmailAction, EmailActionPolicy, Subject, InternetMessageId, EmailsMatchingSubject, EmailsFromSender, TimeGenerated\\r\\n| sort by EmailsMatchingSubject desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"[SI-8] Spam Protection -- Anti-Spam Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Microsoft Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully 
Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SenderFromAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DeliveryAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Delivered\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Junked\",\"representation\":\"1\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EmailDirection\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Inbound\",\"representation\":\"left\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Outbound\",\"representation\":\"right\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Intra-org\",\"representation\":\"pending\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"unknown\",\"text\"
:\"{0}{1}\"}]}},{\"columnMatch\":\"EmailsMatchingSubject\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"EmailsFromSender\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isSI8Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI-8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Information Handling & Retention (SI-12)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#information-handling-and-retention)\\r\\n\\r\\nManage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/microsoft-sentinel/)\\r\\n\\r\\n### Implementation\\r\\n💡 [Change the data retention period](https://docs.microsoft.com/azure/azure-monitor/logs/manage-cost-storage#change-the-data-retention-period)
\\r\\n💡 [Integrate Azure Data Explorer for long-term log retention](https://docs.microsoft.com/azure/sentinel/store-logs-in-azure-data-explorer)
\\r\\n💡 [Plan and manage costs for Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/billing)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n\\r\\n### NIST SP 800-53 Guidance\\r\\n[SI-12](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-12)
\\r\\n\\r\\n### Assessment\\r\\n\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces' \\r\\n| extend state = trim(' ', tostring(properties.provisioningState))\\r\\n\\t\\t,sku = trim(' ', tostring(properties.sku.name))\\r\\n ,skuUpdate = trim(' ', tostring(properties.sku.lastSkuUpdate))\\r\\n\\t\\t,retentionDays = trim(' ', tostring(properties.retentionInDays))\\r\\n\\t\\t,dailyquotaGB = trim(' ', tostring(properties.workspaceCapping.dailyQuotaGb))\\r\\n| extend dailyquotaGB = iif(dailyquotaGB !=-1.0, dailyquotaGB,\\\"Not set\\\")\\r\\n| extend skuUpdate = iif(strlen(skuUpdate) > 0, skuUpdate,\\\"Unknown\\\")\\r\\n| extend sentinel = iif(toint(retentionDays) < 90,\\\"If you have Sentinel, you can change your retention to 90days (free)?\\\",\\\"\\\")\\r\\n| project LogAnalyticsWorkspace=id, ['Resource Group']=resourceGroup, \\t\\r\\nLogRetention_Days=retentionDays\\r\\n\",\"size\":2,\"showAnalytics\":true,\"title\":\"[SI-12] Information Handling & Retention -- Log Retention Settings\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogRetention_Days\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"is Empty\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"363\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"364\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Data Retention(days)\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orangeBlue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_LogRetention_Days_2\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_LogRetention_Days_2\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"type\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isSI12Visible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"SI-12\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isSIVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"System & Information Integrity 
Family\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Data Connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\\r\\n---\\r\\n\\r\\nAfter onboarding Microsoft Sentinel into your workspace, connect data sources to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many connectors for Microsoft products, available out of the box and providing real-time integration. For example, service-to-service connectors include Microsoft 365 Defender connectors and Microsoft 365 sources, such as Office 365, Microsoft Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Check out these references if you're new to Microsoft Sentinel.\"},\"customWidth\":\"40\",\"name\":\"NS Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"b1cd1f8a-e807-4deb-93f4-7812e5ed014a\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Data Connectors >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorsBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\"}}]},\"customWidth\":\"20\",\"name\":\"EL0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/best-practices\",\"linkTarget\":\"Url\",\"linkLabel\":\"Best Practices\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-all-in-one-accelerator/ba-p/1807933\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel All-In-One 
Accelerator\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://docs.microsoft.com/learn/browse/?wt.mc_id=resilience_skilling_webpage_gdc&terms=sentinel\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel Training\",\"style\":\"link\"}]},\"customWidth\":\"40\",\"name\":\"links - 29\"}],\"exportParameters\":true},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Foundational Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Activity Connector](https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"909d0019-23cb-43ad-8285-9f1dca1cd1be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureActivity\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureActivity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"58cc25ab-a9af-4516-99e1-fa22e0637a76\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActivity\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"33\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Entra ID Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"23ba579d-c894-43be-9fe1-d1b04bc34d7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SignInLogs\",\"label\":\"Status\",\"type\":1,\"query\":\"SigninLogs\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Active Directory\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"7c97e893-29f3-4d4c-a379-f220bb82518c\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectory\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Active Directory (AAD) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Office 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-365-formerly-office-365)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"68bd12c8-e473-45d1-8bbc-2dd9f326ea69\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"OfficeActivity\",\"label\":\"Status\",\"type\":1,\"query\":\"OfficeActivity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6a86eb8d-5487-4aad-ae7b-b526e68a249f\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Office365\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Office 365 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Cloud Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#tenant-based-microsoft-defender-for-cloud)\\r\\n\\r\\n\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"1673e4cf-354f-4a42-bed2-2374be47779e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MDfC\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"Azure Security Center\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"56600b70-0e55-433a-be86-b7c561bced8b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSecurityCenter\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Defender for Cloud Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Network Security Groups (NSG) Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#network-security-groups)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b17ce357-e8d5-4c7c-a4f0-765598462a1c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NSG\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"NetworkSecurityGroupEvent\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"935bb630-1fce-4021-b7b4-c010b9e05973\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureNSG\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Network Security Groups (NSG) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Windows Security Events (AMA) Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CAMA#windows-agent-based-connections)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"d9af27d9-8c90-4c85-a57f-f329257d9956\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AMA\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityEvent\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d002eb41-c632-429b-8504-846b69314620\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsSecurityEvents\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Windows Security Events (AMA) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Security Events via Legacy Agent Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CLAA#windows-agent-based-connections)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b2737fbc-c0e2-4584-9fba-ee7d057d7db0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecurityEvent\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityEvent\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"9a8b0649-e79b-4a30-be25-4a5486f302ee\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"SecurityEvents\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Security Events via Legacy Agent Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [DNS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#dns)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNS\",\"label\":\"Status\",\"type\":1,\"query\":\"DnsEvents\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DNS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"DNS Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Storage Accounts Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-storage-account)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4f291c03-8d98-47b6-ba82-1282322bb7a5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"StorageLogs\",\"label\":\"Status\",\"type\":1,\"query\":\"StorageBlobLogs\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6d9cd26b-3fcd-4556-b2eb-3dcb711c4de4\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureStorageAccount\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Storage Logs Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Common Event Format (CEF) Connector](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4fcf795c-75b8-4010-bd24-1d66511ff6e8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CommonSecurityLog\",\"label\":\"Status\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"452e02e1-b0c4-4b9b-8a54-bc9295db22b9\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"CEF\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Common Event Format (CEF) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Syslog Connector](https://docs.microsoft.com/azure/sentinel/connect-syslog)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"fa63a08f-dd08-4e11-bcb6-c075a6d6c15c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Syslog\",\"label\":\"Status\",\"type\":1,\"query\":\"Syslog\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"021644a3-bd51-4b09-8117-017a89c71d58\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Syslog\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Syslog Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Amazon Web Services (AWS) Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"18ed59f0-c497-44b1-94b7-8700051cf189\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AWS\",\"label\":\"Status\",\"type\":1,\"query\":\"AWSCloudTrail\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"393c465e-4398-428b-8da2-87ac07d8a987\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AWS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Amazon Web Services (AWS) S3 Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AWSS3\",\"label\":\"Status\",\"type\":1,\"query\":\"AWSVPCFlow\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AwsS3\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) S3 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Google Cloud Platform IAM Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#google-cloud-platform-iam-via-codeless-connector-framework)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GCP\",\"label\":\"Status\",\"type\":1,\"query\":\"GCP_IAM_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"1f2ba663-dd7a-49b6-87ba-0b8adf6d2d34\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) S3 Connector - Copy\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Basic Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft 365 Defender Connector](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"M365Defender\",\"label\":\"Status\",\"type\":1,\"query\":\"AlertEvidence\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 
3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftThreatProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft 365 Defender Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Endpoint Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-endpoint)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MDE\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"MDATP\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftDefenderAdvancedThreatProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft 365 Defender Connector - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureFirewall\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureFirewall\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Windows Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WindowsFirewall\",\"label\":\"Status\",\"type\":1,\"query\":\"WindowsFirewall\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsFirewall\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Windows Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Web Application Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-web-application-firewall-waf)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureWAF\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceType in (\\\"APPLICATIONGATEWAYS\\\", \\\"FRONTDOORS\\\", \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\", \\\"PROFILES\\\")\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WAF\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Web Application Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure SQL Databases Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-sql-databases)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SQL\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where Category contains \\\"SQL\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSql\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"SQL Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Key Vault Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-key-vault)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureKeyVault\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceProvider == \\\"MICROSOFT.KEYVAULT\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKeyVault\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Key Vault Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure DDoS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-ddos-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DDoS\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceType == \\\"PUBLICIPADDRESSES\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DDOS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure DDoS Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [VMware Carbon Black Cloud via AWS S3](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#vmware-carbon-black-cloud-via-aws-s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VMwareCarbon\",\"label\":\"Status\",\"type\":1,\"query\":\"CarbonBlack_Alerts_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"VMwareESXi\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"VMware ESXi Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Cloud: Continuous Export](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export?tabs=azure-portal)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecurityRecommendation\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityRecommendation\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Feature\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Continuous Export 
Connector\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Intermediate Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Purview Information Protection](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview-information-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MicrosoftPurviewInformationProtection\",\"type\":1,\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Status\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureInformationProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Information Protection Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Dynamics 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#dynamics365)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Dynamics365Activity\",\"label\":\"Status\",\"type\":1,\"query\":\"Dynamics365Activity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Dynamics365\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Dynamics 365 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Kubernetes Service (AKS) Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-kubernetes-service-aks)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AKS\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"kube-audit\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKubernetes\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Kubernetes Service (AKS) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Qualys Vulnerability Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#qualys-vulnerability-management-via-codeless-connector-framework)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Qualys\",\"label\":\"Status\",\"type\":1,\"query\":\"QualysHostDetectionV3_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"QualysVulnerabilityManagement\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Qualys Vulnerability Management Connector\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Advanced Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Entity Behavior (UEBA)](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"BehaviorAnalytics\",\"label\":\"Status\",\"type\":1,\"query\":\"BehaviorAnalytics\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 
1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Feature\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"EntitySearchBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\"}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Entity Behavior (UEBA) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Entra ID Protection Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-entra-id-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AADIP\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert | where ProductName == \\\"Azure Active Directory Identity Protection\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectoryIdentityProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Active Directory Identity Protection Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Threat Intelligence TAXII Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-taxii)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TAXII\",\"label\":\"Status\",\"type\":1,\"query\":\"ThreatIntelligenceIndicator | where SourceSystem !in (\\\"SecurityGraph\\\", \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\") \\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligenceTaxii\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Threat Intelligence TAXII Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Threat Intelligence Platform Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-tip)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatIntelligence\",\"label\":\"Status\",\"type\":1,\"query\":\"ThreatIntelligenceIndicator | where SourceSystem in (\\\"SecurityGraph\\\", \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\") \\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligence\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Threat Intelligence Platform Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for IoT Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-iot)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MD4IOT\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert | where ProductName == \\\"Azure Security Center for IoT\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"IoT\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Defender for IoT Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Purview: Insider Risk Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview-information-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IRM\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProductName == \\\"Microsoft 365 Insider Risk Management\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"OfficeIRM\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Purview: Insider Risk Management Connector\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 6\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"isDCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Data Connectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Content](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog)\\r\\n---\\r\\n\\r\\nThe following content packages provide utility for regulated industries use cases.\"},\"name\":\"NS Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions\",\"linkTarget\":\"Url\",\"linkLabel\":\"About Microsoft Sentinel Content & Solutions\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog\",\"linkTarget\":\"Url\",\"linkLabel\":\"Content Hub Catalog\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"40\",\"name\":\"group - 4\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 
2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"76c7831e-386d-4289-8145-486f52cba8ec\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Content Hub >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ContentHub.ReactView\",\"extensionName\":\"Microsoft_Azure_SentinelUS\"}}]},\"customWidth\":\"40\",\"name\":\"EL0\"}]},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Analysis & Response Solution](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response)\\r\\n---\\r\\n\\r\\nThis solution enables SecOps Analysts, Threat Intelligence Professional, and Threat Hunters to gain situational awareness for threats in cloud environment. The Solution includes (2) Workbooks designed to enable threat hunting programs. Threat analysis provides an understanding of where the attacker is in the cycle which often drives both a historic lens of where the threat may have progressed, but also predictive analytics on the threat’s objectives. This approach is adversarial as understanding of the threat’s attack cycle drives defense actions in a red versus blue model. The Threat Analysis & Response Solution augments the customer burden of building threat hunting programs.\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\" 100\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [NIST SP 800-53 Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n\\r\\n---\\r\\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with NIST SP 800-53 control requirements. This offering telemetry from 25+ Microsoft Security products (1P/3P/Multi-Cloud/Hybrid/On-Premises). Each NIST SP 800-53 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-nist-sp-800-53-solution/ba-p/3381485\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/ju9hxtYnj7s\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NISTSP80053\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"90\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Zero Trust (TIC 3.0) Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n\\r\\n---\\r\\nThe Microsoft Sentinel Zero Trust (TIC 3.0) Solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across cloud, multi-cloud, 1st/3rd party workloads. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/next-evolution-of-the-microsoft-sentinel-zero-trust-tic-3-0/ba-p/3278097\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/CxLzTRPuw-4\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ZeroTrust(TIC3.0)\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"Zero Trust Solution\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cybersecurity Maturity Model Certification (CMMC) 2.0](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\n\\r\\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/assessment/reporting, (2) Analytics rules for monitoring and (3) Playbooks for response/remediation. CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-cybersecurity-maturity-model/ba-p/3295095\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/-_a5HxJgriE\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Security Benchmark v3](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nEnables Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to gain situational awareness for cloud security posture and hardening. Benchmark recommendations provide a starting point for selecting specific security configuration settings and facilitate risk reduction. The Azure Security Benchmark includes a collection of high-impact security recommendations for improving posture. This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/azure-security-benchmark-v3-workbook/ba-p/3257673\",\"linkTarget\":\"Url\",\"linkLabel\":\"Announce Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/v57gWjvcY4o\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"cc5f4830-f090-4f5e-afb2-47adba6be532\",\"cellValue\":\"https://youtu.be/qVJjwOipHDA\",\"linkTarget\":\"Url\",\"linkLabel\":\"ASC in the Field\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workbooks/Azure%20Security%20Benchmark%20v3\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsoft Insider Risk Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786)\\r\\n---\\r\\n\\r\\nInsider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and escalating cases to Microsoft Advanced eDiscovery. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risks come in various forms including both witting (intentional) and unwitting (unintentional). 
This workbook provides an automated visualization of Insider risk behavior cross walked to Microsoft security offerings.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MicrosoftPurviewInsiderRiskManagement\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [IT/OT Threat Monitoring Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184)\\r\\n---\\r\\n\\r\\nThis solution provides the foundation for building a SOC for monitoring IoT/ OT and includes (1) workbook for visibility/reporting, (14) analytics rules for monitoring, and (4) playbooks for response. The workbook leverages Microsoft Sentinel telemetry to create visualization to understand, analyze, and respond to IoT/OT threats. Understanding alerts over time provides unprecedented insights into security posture and where teams need to focus to harden against threats. Deep links directly to Microsoft Defender for IoT alerts empower analysts to focus on remediating threats rather than pivoting between tools.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"8f7dce97-a41c-42b3-b62f-a21fbf5a1420\",\"cellValue\":\"https://youtu.be/hZS2aplJoy8\",\"linkTarget\":\"Url\",\"linkLabel\":\"YouTube Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/readme.md\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Maturity Model for Event Log Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842)\\r\\n---\\r\\n\\r\\nThis solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident.\\\"Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. 
This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency.\\\" For more information, see 💡[OMB's M-21-31 Memorandum](https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/quV_80ts__k\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MaturityModelForEventLogManagementM2131\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence Workbook](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nThe most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions.
\\r\\n\\r\\n---\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-azure-sentinel-threat-intelligence-workbook/ba-p/2858265\",\"linkTarget\":\"Url\",\"linkLabel\":\"Workbook Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/SjEG7iVVBbI\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/ThreatIntelligence.json\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"Zero Trust Solution - Copy - Copy - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isGCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Content\"}],\"fromTemplateId\":\"sentinel-NISTSP80053\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
diff --git a/Solutions/NISTSP80053/Workbooks/NISTSP80053.json b/Solutions/NISTSP80053/Workbooks/NISTSP80053.json
index 2a3e627dc6f..83be13607a4 100644
--- a/Solutions/NISTSP80053/Workbooks/NISTSP80053.json
+++ b/Solutions/NISTSP80053/Workbooks/NISTSP80053.json
@@ -25481,7 +25481,7 @@
{
"type": 1,
"content": {
- "json": "# [Spam Protection (SI-8)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#spam-protection)\r\n\r\n\ta. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and\r\n\tb. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.\r\n\r\n### Recommended Logs\r\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\r\n\r\n### Implementation\r\n💡 [Anti-Spam protection in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-spam-protection)
\r\n💡 [Configure Anti-Spam Policies in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies)
\r\n\r\n### Microsoft Portals\r\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/) \r\n\r\n### NIST SP 800-53 Guidance\r\n[SI-8](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-8)
\r\n\r\n### Assessment\r\n"
+ "json": "# [Spam Protection (SI-8)](https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#spam-protection)\r\n\r\n\ta. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and\r\n\tb. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.\r\n\r\n### Recommended Logs\r\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://learn.microsoft.com/defender-office-365/mdo-about)
\r\n\r\n### Implementation\r\n💡 [Anti-spam protection in cloud organizations](https://learn.microsoft.com/defender-office-365/anti-spam-protection-about)
\r\n💡 [Configure anti-spam policies for cloud mailboxes](https://learn.microsoft.com/defender-office-365/anti-spam-policies-configure)
\r\n\r\n### Microsoft Portals\r\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/) \r\n\r\n### NIST SP 800-53 Guidance\r\n[SI-8](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SI-8)
\r\n\r\n### Assessment\r\n"
},
"name": "text - 2"
},
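Review bot: The new `json` value migrates the Implementation and Defender for Office 365 links to learn.microsoft.com but leaves the heading link (`https://docs.microsoft.com/azure/governance/policy/samples/nist-sp-800-53-r4?WT.mc_id=Portal-fx#spam-protection`) and the EmailEvents table link on docs.microsoft.com, so the panel now mixes both hosts. These legacy links still resolve by redirect today, but a partial migration means the remaining ones will need a second pass; either move them in the same change or leave a short note in the PR that the heading/table links are intentionally unchanged. The same solution's serialized copy in Solutions/NISTSP80053/Package/mainTemplate.json is also touched by this diff, but its SI-8 segment is not within the visible hunk, so whether the Workbooks file and the packaged template now carry identical link text cannot be confirmed from here; the two copies are expected to stay in sync. The enclosing item object continues outside this hunk.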
diff --git a/Solutions/ZeroTrust(TIC3.0)/Package/mainTemplate.json b/Solutions/ZeroTrust(TIC3.0)/Package/mainTemplate.json
index bf9e511703e..ee2f0309d9b 100644
--- a/Solutions/ZeroTrust(TIC3.0)/Package/mainTemplate.json
+++ b/Solutions/ZeroTrust(TIC3.0)/Package/mainTemplate.json
@@ -112,7 +112,7 @@
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\",\"value\":\"No\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = 
tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true},\"id\":\"6539479a-3e0d-42c6-bcbe-2d1f11bb9896\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\" Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/0xxx6arkaS)\"},\"name\":\"Survey\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Getting Started\\r\\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with Zero Trust (TIC 3.0) control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and controls. This offering telemetry from 25+ Microsoft Security and partner offerings, while only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, each offering provides additional enrichment for aligning with control requirements. 
Each control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads. \\r\\n\\r\\n### [Recommended Microsoft Sentinel Roles](https://docs.microsoft.com/azure/sentinel/roles) / [Recommended Microsoft Defender for Cloud Roles](https://docs.microsoft.com/azure/defender-for-cloud/permissions#roles-and-allowed-actions)\\r\\n| Roles | Rights | \\r\\n|:--|:--|\\r\\n|Security Reader | View Workbooks, Analytics, Hunting, Security Recommendations |\\r\\n|Security Contributor| Deploy/Modify Workbooks, Analytics, Hunting Queries, Apply Security Recommendations |\\r\\n|Automation Contributor| Deploy/Modify Playbooks & Automation Rules |\\r\\n\\r\\n### Onboarding Prerequisites \\r\\n1️⃣ [Access Microsoft 365 Compliance Manager: Assessments](https://compliance.microsoft.com/compliancemanager?viewid=Assessments)
\\r\\n2️⃣ [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\\r\\n3️⃣ [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n4️⃣ [Continuously Export Security Center Data to Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/continuous-export)
\\r\\n5️⃣ [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\\r\\n6️⃣ [Implement CLAW Aggregator](https://github.com/Azure/trusted-internet-connection)
\\r\\n7️⃣ [Configure Auto Provisioning of Microsoft Defender for Cloud Agents](https://docs.microsoft.com/azure/defender-for-cloud/enable-data-collection)
\\r\\n8️⃣ [Review Microsoft Service Trust Portal Documentation/Audit/Resources](https://servicetrust.microsoft.com/)
\\r\\n\\r\\n### Recommended Enrichments\\r\\n✳️[Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n✳️[Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n✳️[Azure Firewall Premium](https://azure.microsoft.com/services/azure-firewall)
\\r\\n✳️[Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n✳️[Azure Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
\\r\\n✳️[Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)
\\r\\n✳️[Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n✳️[Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
\\r\\n✳️[Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)
\\r\\n✳️[Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n✳️[Azure DDoS Protection](https://azure.microsoft.com/services/ddos-protection/)
\\r\\n✳️[Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender)
\\r\\n\\r\\n### Print/Export Report\\r\\n1️⃣ Set Background Theme: Settings > Appearance > Theme: Azure > Apply
\\r\\n2️⃣ Print/Export Report: More Content Actions (...) > Print Content
\\r\\n3️⃣ Settings: Layout (Landscape), Pages (All), Print (One Sided), Scale (60), Pages Per Sheet (1), Quality (1,200 DPI), Margins (None) > Print
\\r\\n\\r\\n### Important\\r\\nThis solution provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements. Each control is associated with one or more 💡[Azure Policy](https://docs.microsoft.com/azure/governance/policy/overview) definitions. These policies may help you 💡[assess compliance](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data) with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. 
\",\"style\":\"info\"},\"name\":\"Help\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Microsoft Zero Trust Deployment Center](https://docs.microsoft.com/security/zero-trust)\\r\\n\\r\\n\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Zero Trust Model\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 109\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Trusted Internet Connections 3.0](https://www.cisa.gov/trusted-internet-connections)\\r\\n\\r\\n| Security Objectives |\\r\\n| : | : | \\r\\n| Manage Traffic | Observe, validate, and filter data connections to align with authorized activities; least privilege and default deny |\\r\\n| Protect Traffic Confidentiality | Ensure only authorized parties can discern the contents of data in transit; sender and receiver identification and enforcement |\\r\\n| Protect Traffic Integrity | Prevent alteration of data in transit; detect altered data in transit |\\r\\n| Ensure Service Resiliency | Promote resilient application and security services for continuous operation as the technology and threat landscape evolve |\\r\\n| Ensure Effective Response | Promote timely reaction and adapt future response to discovered threats; policies defined and implemented; simplified adoption of new countermeasures |\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Trusted Internet Connections 3.0\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Zero Trust (TIC 3.0) 
Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\n---\\nThe Microsoft Sentinel Zero Trust (TIC 3.0) Solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across cloud, multi-cloud, 1st/3rd party workloads. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings. This Solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud, multi-cloud, hybrid, and on-premise workloads. For more information, see 💡[Microsoft Zero Trust Model](https://www.microsoft.com/security/business/zero-trust) 💡[Trusted Internet Connections](https://www.cisa.gov/trusted-internet-connections)\"},\"name\":\"Workbook Overview\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/next-evolution-of-the-microsoft-sentinel-zero-trust-tic-3-0/ba-p/3278097\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/CxLzTRPuw-4\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ZeroTrust(TIC3.0)\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"79\",\"name\":\"group - 
22\"},{\"type\":1,\"content\":{\"json\":\" \"},\"customWidth\":\"21\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Executive Summary\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Assessment\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Controls Crosswalk\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Data Connectors\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Content\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"GC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Azure Lighthouse\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AL\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Universal Security Capabilities\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Universal Security Capabilities\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Files\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Files\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Email\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Email\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
107\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cec6c07e-2856-4c77-8b48-98935f2c1218\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAssessmentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Assessment\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isControlsCrosswalkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"20f1daf6-59a0-4673-b1bf-cc388d52debf\"},{\"id\":\"2919b971-fb14-440c-ab42-50304df3ceab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isGCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"GC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"cr
iteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"fa7b0ee3-8d6e-4ff7-bb64-cf2241f30f98\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAzureLighthouseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AL\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9944cda7-77aa-4189-8061-afc260130b84\"},{\"id\":\"eab3e5a8-66c3-4304-8c2b-43264e858ba8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUniversalSecurityCapabilitiesVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Universal Security 
Capabilities\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isFilesVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Files\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"67de7a24-1840-4fc5-94d5-a6b5d7520a7c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEmailVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Email\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ec480379-6561-4a30-b005-7533da78ed14\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"isVisible Navigation\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Web\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Web\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Networking\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Networking\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Resiliency\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Resiliency\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"DNS\\\\\\\", 
\\\\\\\"tab\\\\\\\": \\\\\\\"DNS\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Intrusion Detection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Intrusion Detection\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Enterprise\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Enterprise\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Unified Communications & Collaboration\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Unified Communications & Collaboration\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Data Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data Protection\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 109\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"740b611b-8155-4e96-bbcc-bbdba0541143\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isWebVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Web\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"62d67234-8fb2-43e6-b5d2-945692493431\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isNetworkingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Networking\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"pa
ram\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isResiliencyVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Resiliency\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4f04758a-2908-474e-bfe0-13d072241fd2\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDNSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DNS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9cb339a8-c8b4-43ad-b2e5-76f61b87d8c1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIntrusionDetectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Intrusion 
Detection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4b799471-726e-432c-b577-2f45474d883c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEnterpriseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Enterprise\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"584fbe21-b31b-49cb-bd65-62ef850a8310\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUnifiedCommunicationsCollaborationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Unified Communications & Collaboration\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"78d61c25-823a-4232-8a32-1a7e7018e596\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataProtectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data 
Protection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4da988d5-15f9-4ea8-bbd5-2153bfcae0a0\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"isVisible Navigation - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Executive Summary](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)\\r\\n---\\r\\nThis section provides a mechanism to find, fix, and resolve Zero Trust (TIC 3.0) recommendations. A selector provides capability to filter by all, specific, or groups of TIC 3.0 control families. Upon selection, subordinate panels will summarize recommendations by control family, status over time, recommendations, and resources identified. These panels are helpful for identifying the controls of interest, status over time, and impacted resources. The recommendation details pane provides a mechanism to identify specific recommendation details with deep-links to pivot to Microsoft Defender for Cloud for remediation. 
\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 7\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"99a47f97-1aa4-4840-91ee-119aad6d6217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ControlFamily\",\"label\":\"Control Family\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Universal Security Capabilities\\\", \\\"label\\\": \\\"Universal Security Capabilities\\\"},\\r\\n {\\\"value\\\": \\\"Files\\\", \\\"label\\\": \\\"Files\\\"},\\r\\n {\\\"value\\\": \\\"Email\\\", \\\"label\\\": \\\"Email\\\"},\\r\\n {\\\"value\\\": \\\"Web\\\", \\\"label\\\": \\\"Web\\\"},\\r\\n {\\\"value\\\": \\\"Networking\\\", \\\"label\\\": \\\"Networking\\\"},\\r\\n {\\\"value\\\": \\\"Resiliency\\\", \\\"label\\\": \\\"Resiliency\\\"},\\r\\n {\\\"value\\\": \\\"DNS\\\", \\\"label\\\": \\\"DNS\\\"},\\r\\n {\\\"value\\\": \\\"Intrusion Detection\\\", \\\"label\\\": \\\"Intrusion Detection\\\"},\\r\\n {\\\"value\\\": \\\"Enterprise\\\", \\\"label\\\": \\\"Enterprise\\\"},\\r\\n {\\\"value\\\": \\\"Unified Communications & Collaboration\\\", \\\"label\\\": \\\"Unified Communications & Collaboration\\\"},\\r\\n {\\\"value\\\": \\\"Data Protection\\\", \\\"label\\\": \\\"Data Protection\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"parameters - 26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName 
has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), 
\\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by ControlFamily\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| project ControlFamily, Total, PassedControls, Passed, Failed\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Control Family\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' 
*;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", 
\\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"rowLimit\":2500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", 
\\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", 
\\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by AssessedResourceId\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| project AssessedResourceId, Total, PassedControls, Passed, Failed\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Asset\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. See Getting Started steps in the help tab above for more 
information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AssessedResourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & 
Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", 
\\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| where RecommendationState == \\\"Unhealthy\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by ControlFamily\\r\\n| render timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations over Time\",\"noDataMessage\":\"No Current Zero Trust(TIC 3.0) Recommendations in this Area. 
Confirm the CMMC Level 3 Assessment is Enabled in Microsoft Defender for Cloud: Regulatory Compliance Blade.\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", 
\\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| where RecommendationState == \\\"Unhealthy\\\"\\r\\n| parse 
RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *\\r\\n| project ResourceID=AssessedResourceId, RecommendationName=RecommendationDisplayName, ControlFamily, Severity=RecommendationSeverity, CurrentState=RecommendationState, RecommendationLink, DiscoveredTimeUTC, assessmentKey\\r\\n| extend Rank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, 0)))\\r\\n| sort by Rank desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendation Details\",\"noDataMessage\":\"No Current Zero Trust (TIC 3.0) Recommendations in this Area. Confirm the CMMC Level 3 Assessment is Enabled in Microsoft Defender for Cloud: Regulatory Compliance Blade.\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceID\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\
",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Rank\",\"formatter\":5},{\"columnMatch\":\"RecommendationSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAssessmentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Controls Crosswalk](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n---\\r\\nControls crosswalk provides a mapping of Zero Trust (TIC 3.0) controls across additional compliance frameworks. 
This provides free-text search capabilities mapping Zero Trust pillars, TIC 3.0 controls, Microsoft offering overlays, and the NIST Cybersecurity Framework.\"},\"customWidth\":\"40\",\"name\":\"Controls Mapping\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Crosswalk = datatable([\\\"Control Name\\\"]: string, [\\\"Zero Trust Pillars\\\"]: string, [\\\"TIC 3.0 Control Family\\\"]: string, [\\\"NIST Cybersecurity Framework\\\"]: string, [\\\"Microsoft Offerings\\\"]: string) [\\r\\n\\\"Backup & Recovery\\\", \\\"Data, Infrastructure\\\", \\\"Universal Security Capabilities\\\", \\\"ID.BE, PR.IP, PR.DS, RS.MI, RC.RP\\\", \\\"Backup Vaults, Recovery Services Vaults, Microsoft Defender for Cloud\\\",\\r\\n\\\"Central Log Management with Analysis\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.PT, DE.AE, RS.AN\\\", \\\"Microsoft Defender for Cloud, Azure Monitor, Azure Lighthouse\\\",\\r\\n\\\"Configuration Management\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.BE, PR.DS, PR.IP, PR.MA\\\", \\\"Automation Accounts, Azure Active Directory, Microsoft Defender for Cloud\\\",\\r\\n\\\"Incident Response Plan & Incident Handling\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.GV, ID.RA, PR.IP, DE.DP, DE.AE, RS.RP, RS.CO, RS.AN, RS.MI\\\", \\\"Microsoft Sentinel\\\",\\r\\n\\\"Inventory\\\", \\\"Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.AC, PR.DS, PR.IP\\\", \\\"Azure Resource Graph Explorer, Azure Active Directory, Microsoft Defender for Cloud, Microsoft 365 Defender\\\",\\r\\n\\\"Least Privilege\\\", \\\"Identities\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.AC, PR.IP, PR.PT, DE.CM\\\", \\\"Azure Active Directory, Microsoft Sentinel, Microsoft Defender for 
Cloud\\\",\\r\\n\\\"Secure Administration\\\", \\\"Identities\\\", \\\"Universal Security Capabilities\\\", \\\"PR.MA\\\", \\\"Azure Active Directory, Privileged Identity Management, Microsoft Defender for Cloud\\\",\\r\\n\\\"Strong Authentication\\\", \\\"Identities\\\", \\\"Universal Security Capabilities\\\", \\\"PR.AC\\\", \\\"Azure Active Directory, Microsoft Defender for Cloud, Microsoft Sentinel, Key Vault\\\",\\r\\n\\\"Time Synchronization\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"PR.IP\\\", \\\"Azure Portal, Virtual Machines, Microsoft Defender for Cloud\\\",\\r\\n\\\"Vulnerability Management\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.RA, PR.IP, DE.AE, DE.CM, DE.DP\\\", \\\"Microsoft Defender for Cloud, Microsoft 365 Defender\\\",\\r\\n\\\"Patch Management\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.IP, PR.MA\\\", \\\"Automation Accounts, Microsoft Defender for Cloud\\\",\\r\\n\\\"Auditing & Accounting\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.SC, PR.AC, PR.PT\\\", \\\"Azure Active Directory, Microsoft Defender for Cloud, Microsoft Sentinel\\\",\\r\\n\\\"Resilience\\\", \\\"Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.BE, PR.PT\\\", \\\"DDoS Protection Plans, Availability Sets, Load Balancing, Virtual Machine Scale Sets\\\",\\r\\n\\\"Enterprise Threat Intelligence\\\", \\\"Visibility & Analytics\\\", \\\"Universal Security Capabilities\\\", \\\"ID.RA, DE.AE, DE.CM, DE.DP\\\", \\\"Microsoft Sentinel, Microsoft Defender Security Intelligence Portal, MSTICpy\\\",\\r\\n\\\"Situational Awareness\\\", \\\"Visibility & Analytics\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, ID.RA, PR.DS, PR.IP, DE.AE, DE.CM, DE.DP, RS.CO\\\", 
\\\"Microsoft Sentinel\\\",\\r\\n\\\"Dynamic Threat Discovery\\\", \\\"Visibility & Analytics\\\", \\\"Universal Security Capabilities\\\", \\\"ID.RA, DE.AE, DE.CM, DE.DP\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud\\\",\\r\\n\\\"Policy Enforcement Parity\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"PR.DS, PR.IP, PR.MA\\\", \\\"Azure Policy, Microsoft Defender for Cloud\\\",\\r\\n\\\"Effective Use of Shared Services\\\", \\\"Data, Apps\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, ID.GV, ID.RM, ID.SC, PR.AT, RS.CO\\\", \\\"Azure Lighthouse, Customer Lockbox, Azure Active Directory\\\",\\r\\n\\\"Integrated Desktop, Mobile, & Remote Policies\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.AC, PR.DS, PR.IP, PR.MA\\\", \\\"Azure Active Directory, Microsoft Endpoint Manager\\\",\\r\\n\\\"Anti-Malware\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Files\\\", \\\"PR.DS, PR.PT, DE.CM, DE.DP, RS.MI\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft Defender for Identity, Microsoft 365 Defender, Microsoft Defender for Cloud Apps\\\",\\r\\n\\\"Content Disarm & Reconstruction\\\", \\\"Data, Apps\\\", \\\"Files\\\", \\\"PR.PT, DE.CM, DE.DP\\\", \\\"Microsoft 365 Defender, Microsoft Endpoint Manager Admin Center, Microsoft Sentinel\\\",\\r\\n\\\"Detonation Chamber\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Files\\\", \\\"DE.CM, DE.DP, RS.AN, RS.MI\\\", \\\"Microsoft 365 Defender, Microsoft Endpoint Manager, Microsoft Sentinel\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Files\\\", \\\"PR.DS\\\", \\\"Azure Information Protection, Microsoft Sentinel, Office 365 Security & Compliance Center\\\",\\r\\n\\\"Anti-Phishing Protections\\\", \\\"Identity, Endpoints, Data\\\", \\\"Email\\\", \\\"PR.AT, PR.PT, DE.CM\\\", \\\"Microsoft 365 
Defender\\\",\\r\\n\\\"Anti-SPAM Protections\\\", \\\"Identity, Endpoints, Data\\\", \\\"Email\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft 365 Defender\\\",\\r\\n\\\"Authenticated Received Chain\\\", \\\"Authenticated Received Chain\\\", \\\"Email\\\", \\\"PR.AC\\\", \\\"Microsoft 365 Defender, Microsoft 365 Admin Center\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Email\\\", \\\"PR.DS\\\", \\\"Azure Information Protection, Microsoft 365 Defender\\\",\\r\\n\\\"DMARC for Incoming Email\\\", \\\"Identities, Data\\\", \\\"Email\\\", \\\"PR.PT, PR.IP\\\", \\\"Microsoft 365 Defender, Microsoft 365 Admin Center\\\",\\r\\n\\\"DMARC for Outgoing Email\\\", \\\"Identities, Data\\\", \\\"Email\\\", \\\"PR.PT, PR.IP\\\", \\\"Microsoft 365 Defender, Microsoft 365 Admin Center\\\",\\r\\n\\\"Encryption for Email Transmission\\\", \\\"Data\\\", \\\"Email\\\", \\\"PR.PT, PR.DS\\\", \\\"Microsoft 365 Admin Center, Microsoft 365 Defender, Microsoft Defender for Cloud\\\",\\r\\n\\\"Malicious URL Protections\\\", \\\"Network\\\", \\\"Email\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft 365 Defender, Microsoft Sentinel\\\",\\r\\n\\\"URL Click-Through Protection\\\", \\\"Network\\\", \\\"Email\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft 365 Defender, Microsoft Sentinel\\\",\\r\\n\\\"Break & Inspect\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Firewall Policies, Network Watcher\\\",\\r\\n\\\"Active Content Mitigation\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Web Application Firewall Policies, Microsoft 365 Defender, Microsoft Defender for Cloud\\\",\\r\\n\\\"Certificate Denylisting\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft Defender for Cloud, Firewall Policies, Key Vault\\\",\\r\\n\\\"Content Filtering\\\", \\\"Endpoints, Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM, DE.DP\\\", \\\"Firewalls, Firewall Policies, Microsoft 365 Defender\\\",\\r\\n\\\"Authenticated Proxy\\\", \\\"Identities, Network\\\", \\\"Web\\\", 
\\\"PR.AC\\\", \\\"Azure Active Directory, Microsoft Defender for Cloud Apps\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Web\\\", \\\"PR.DS\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft Defender for Identity Portal, Microsoft 365 Defender, Microsoft Defender for Cloud Apps, Office 365 Security & Compliance Center, Azure Information Protection\\\",\\r\\n\\\"DNS-over-HTTPS Filtering\\\", \\\"Endpoints, Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft Defender for Cloud, Azure Firewall, Microsoft 365 Defender\\\",\\r\\n\\\"RFC Compliance Enforcement\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT\\\", \\\"Web Application Firewall, Azure Firewall\\\",\\r\\n\\\"Domain Category Filtering\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.AC, PR.IP\\\", \\\"Azure Firewall\\\",\\r\\n\\\"Domain Reputation Filter\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT\\\", \\\"Azure Firewall, Microsoft Sentinel\\\",\\r\\n\\\"Bandwidth Control\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT\\\", \\\"Azure Firewall\\\",\\r\\n\\\"Malicious Content Filtering\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.DS, PR.PT, PR.CM\\\", \\\"Microsoft Defender for Cloud, Microsoft Sentinel, Azure Firewall, Web Application Firewall\\\",\\r\\n\\\"Access Control\\\", \\\"Identities, Network\\\", \\\"Web\\\", \\\"PR.AC\\\", \\\"Microsoft Defender for Cloud, Privileged Identity Management\\\",\\r\\n\\\"Access Control\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC, PR.IP, DE.CM\\\", \\\"Microsoft Defender for Cloud, Network Security Groups, Azure Firewall, Web Application Firewall, Virtual Network Gateways, ExpressRoute Circuits\\\",\\r\\n\\\"IP Denylisting\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft Sentinel, Azure Firewall\\\",\\r\\n\\\"Host Containment\\\", \\\"Endpoints, Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC, PR.IP, PR.PT\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud, 
Microsoft 365 Defender\\\",\\r\\n\\\"Network Segmentation\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC\\\", \\\"Virtual Networks, Microsoft Defender for Cloud\\\",\\r\\n\\\"Microsegmentation\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC, PR.DS, PR.IP, PR.PT\\\", \\\"Application Security Groups, Network Security Groups, Microsoft Defender for Cloud\\\",\\r\\n\\\"DDoS Protections\\\", \\\"Data, Apps, Infrastructure, Network\\\", \\\"Resiliency\\\", \\\"PR.PT\\\", \\\"DDoS Protection Plans, Microsoft Sentinel\\\",\\r\\n\\\"Elastic Expansion\\\", \\\"Infrastructure\\\", \\\"Resiliency\\\", \\\"ID.AM, PR.DS\\\", \\\"Virtual Machine Scale Sets, Azure SQL, Load Balancer, Traffic Manager Profiles, Microsoft Defender for Cloud\\\",\\r\\n\\\"Regional Delivery\\\", \\\"Infrastructure\\\", \\\"Resiliency\\\", \\\"ID.AM, PR.AC, PR.DS\\\", \\\"Availability Sets, Azure Active Directory, Microsoft Defender for Cloud\\\",\\r\\n\\\"DNS Sinkholing\\\", \\\"Network\\\", \\\"DNS\\\", \\\"PR.PT\\\", \\\"DNS Zones, Azure Firewall, Microsoft Defender for Cloud, Microsoft Sentinel\\\",\\r\\n\\\"DNSSEC for Agency Clients\\\", \\\"Network\\\", \\\"DNS\\\", \\\"PR.PT\\\", \\\"DNS Zones, Azure Firewall, Microsoft Defender for Cloud, Microsoft Sentinel\\\",\\r\\n\\\"DNSSEC for Agency Domains\\\", \\\"Network\\\", \\\"DNS\\\", \\\"PR.PT\\\", \\\"DNS Zones, Microsoft Defender for Cloud, Microsoft 365 Defender\\\",\\r\\n\\\"Endpoint Detection & Response\\\", \\\"Endpoints, Infrastructure\\\", \\\"Intrusion Detection\\\", \\\"DE.AE, DE.CM, RS.AN\\\", \\\"Microsoft 365 Defender, Microsoft Defender for Cloud\\\",\\r\\n\\\"Intrusion Protection Systems (IPS)\\\", \\\"Network\\\", \\\"Intrusion Detection\\\", \\\"DE.AE, DE.CM, DE.DP, RS.AN\\\", \\\"Azure Firewall, Microsoft Sentinel\\\",\\r\\n\\\"Adaptive Access Control\\\", \\\"Identities\\\", \\\"Intrusion Detection\\\", \\\"PR.AC, DE.CM\\\", \\\"Microsoft Defender for Cloud, Azure Active 
Directory\\\",\\r\\n\\\"Deception Platforms\\\", \\\"Identities\\\", \\\"Intrusion Detection\\\", \\\"PR.PT, DE.AE, RS.AN\\\", \\\"Microsoft Sentinel, Microsoft Defender for Identity\\\",\\r\\n\\\"Certificate Transparency Log Monitoring\\\", \\\"Infrastructure, Apps\\\", \\\"Intrusion Detection\\\", \\\"DE.CM\\\", \\\"Key Vault, Microsoft Sentinel, Microsoft Defender for Cloud\\\",\\r\\n\\\"Security Orchestration, Automation, & Response (SOAR)\\\", \\\"Visibility & Automation\\\", \\\"Enterprise\\\", \\\"DE.AE, DE.CM, DE.DP, RS.CO, RS.AN, RC.RP\\\", \\\"Microsoft Sentinel\\\",\\r\\n\\\"Shadow IT Detection\\\", \\\"Endpoints, Infrastructure, Apps\\\", \\\"Enterprise\\\", \\\"PR.IP, PR.MA, DE.CM\\\", \\\"Microsoft Defender for Cloud Apps, Microsoft Defender for Cloud, Microsoft Sentinel, Microsoft 365 Defender, Microsoft Defender for IoT\\\",\\r\\n\\\"Virtual Private Network (VPN)\\\", \\\"Network\\\", \\\"Enterprise\\\", \\\"PR.AC, PR.DS, PR.IP, PR.MA, PR.PT\\\", \\\"Virtual Network Gateways, Microsoft Defender for Cloud\\\",\\r\\n\\\"UCC Identity Verification\\\", \\\"Identities\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.AC\\\", \\\"Microsoft 365 Admin Center, Azure Active Directory\\\",\\r\\n\\\"UCC Encrypted Communication\\\", \\\"Data\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.PT, PR.DS\\\", \\\"Microsoft 365 Admin Center\\\",\\r\\n\\\"UCC Connection Termination\\\", \\\"Identities\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.AC, PR.IP, PR.AT\\\", \\\"Microsoft Teams\\\",\\r\\n\\\"UCC Data Loss Prevention\\\", \\\"Data\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.DS\\\", \\\"Microsoft 365 Defender, Microsoft 365 Compliance Center\\\",\\r\\n\\\"Access Control\\\", \\\"Identities\\\", \\\"Data Protection\\\", \\\"PR.AC, PR.IP, DE.CM\\\", \\\"Azure Active Directory\\\",\\r\\n\\\"Protections for Data at Rest\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"PR.DS\\\", \\\"Microsoft Defender for Cloud, Key 
Vault\\\",\\r\\n\\\"Protections for Data in Transit\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"PR.DS\\\", \\\"Microsoft Defender for Cloud, Key Vault\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"PR.DS\\\", \\\"Azure Information Protection, Microsoft Sentinel, Office 365 Security & Compliance Center\\\",\\r\\n\\\"Data Access & Use Telemetry\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"ID.AM, PR.AC, PR.DS, PR.PT, DE.AE, DE.CM\\\", \\\"Azure Active Directory, Azure Information Protection, Microsoft 365 Compliance Center\\\"\\r\\n];\\r\\nCrosswalk\\r\\n| project [\\\"Control Name\\\"],[\\\"Zero Trust Pillars\\\"],[\\\"TIC 3.0 Control Family\\\"],[\\\"NIST Cybersecurity Framework\\\"],[\\\"Microsoft Offerings\\\"]\",\"size\":0,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Control Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"TIC 3.0 Control Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Microsoft Offerings\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isControlsCrosswalkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Controls 
Mapping\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Data Connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\\r\\n---\\r\\n\\r\\nAfter onboarding Microsoft Sentinel into your workspace, connect data sources to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many connectors for Microsoft products, available out of the box and providing real-time integration. For example, service-to-service connectors include Microsoft 365 Defender connectors and Microsoft 365 sources, such as Office 365, Microsoft Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Check out these references if you're new to Microsoft Sentinel.\"},\"customWidth\":\"40\",\"name\":\"NS Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"b1cd1f8a-e807-4deb-93f4-7812e5ed014a\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Data Connectors >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorsBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\"}}]},\"customWidth\":\"20\",\"name\":\"EL0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/best-practices\",\"linkTarget\":\"Url\",\"linkLabel\":\"Best Practices\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-all-in-one-accelerator/ba-p/1807933\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel All-In-One 
Accelerator\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://docs.microsoft.com/learn/browse/?wt.mc_id=resilience_skilling_webpage_gdc&terms=sentinel\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel Training\",\"style\":\"link\"}]},\"customWidth\":\"40\",\"name\":\"links - 29\"}],\"exportParameters\":true},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Foundational Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Activity Connector](https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"909d0019-23cb-43ad-8285-9f1dca1cd1be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureActivity\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureActivity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"58cc25ab-a9af-4516-99e1-fa22e0637a76\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActivity\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"33\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Entra ID Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"23ba579d-c894-43be-9fe1-d1b04bc34d7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SignInLogs\",\"label\":\"Status\",\"type\":1,\"query\":\"SigninLogs\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Active Directory\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"7c97e893-29f3-4d4c-a379-f220bb82518c\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectory\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Active Directory (AAD) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Office 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-office-365)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"68bd12c8-e473-45d1-8bbc-2dd9f326ea69\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"OfficeActivity\",\"label\":\"Status\",\"type\":1,\"query\":\"OfficeActivity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6a86eb8d-5487-4aad-ae7b-b526e68a249f\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Office365\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Office 365 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Cloud Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-cloud)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"1673e4cf-354f-4a42-bed2-2374be47779e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MDfC\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"Azure Security Center\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"56600b70-0e55-433a-be86-b7c561bced8b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSecurityCenter\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Defender for Cloud Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Network Security Groups (NSG) Connector](https://docs.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b17ce357-e8d5-4c7c-a4f0-765598462a1c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NSG\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"NetworkSecurityGroupEvent\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"935bb630-1fce-4021-b7b4-c010b9e05973\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureNSG\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Network Security Groups (NSG) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Windows Security Events (AMA) Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CAMA#windows-agent-based-connections)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"d9af27d9-8c90-4c85-a57f-f329257d9956\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AMA\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityEvent\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d002eb41-c632-429b-8504-846b69314620\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsSecurityEvents\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Windows Security Events (AMA) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Security Events via Legacy Agent Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CLAA#windows-agent-based-connections)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b2737fbc-c0e2-4584-9fba-ee7d057d7db0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecurityEvent\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityEvent\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"9a8b0649-e79b-4a30-be25-4a5486f302ee\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"SecurityEvents\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Security Events via Legacy Agent Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [DNS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#windows-dns-server-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNS\",\"label\":\"Status\",\"type\":1,\"query\":\"DnsEvents\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DNS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"DNS Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Storage Accounts Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-storage-account)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4f291c03-8d98-47b6-ba82-1282322bb7a5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"StorageTableLogs\",\"label\":\"Status\",\"type\":1,\"query\":\"StorageTableLogs\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6d9cd26b-3fcd-4556-b2eb-3dcb711c4de4\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureStorageAccount\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Storage Logs Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Common Event Format (CEF) Connector](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4fcf795c-75b8-4010-bd24-1d66511ff6e8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CommonSecurityLog\",\"label\":\"Status\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"452e02e1-b0c4-4b9b-8a54-bc9295db22b9\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"CEF\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Common Event Format (CEF) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Syslog Connector](https://docs.microsoft.com/azure/sentinel/connect-syslog)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"fa63a08f-dd08-4e11-bcb6-c075a6d6c15c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Syslog\",\"label\":\"Status\",\"type\":1,\"query\":\"Syslog\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"021644a3-bd51-4b09-8117-017a89c71d58\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Syslog\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Syslog Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Amazon Web Services (AWS) Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"18ed59f0-c497-44b1-94b7-8700051cf189\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AWS\",\"label\":\"Status\",\"type\":1,\"query\":\"AWSCloudTrail\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"393c465e-4398-428b-8da2-87ac07d8a987\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AWS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Amazon Web Services (AWS) S3 Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AWSS3\",\"label\":\"Status\",\"type\":1,\"query\":\"AWSVPCFlow\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AwsS3\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) S3 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Google Cloud Platform IAM Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#google-workspace-g-suite-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GCP\",\"label\":\"Status\",\"type\":1,\"query\":\"GCP_IAM_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"1f2ba663-dd7a-49b6-87ba-0b8adf6d2d34\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) S3 Connector - Copy\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Basic Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft 365 Defender Connector](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"M365Defender\",\"label\":\"Status\",\"type\":1,\"query\":\"AlertEvidence\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 
3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftThreatProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft 365 Defender Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Endpoint Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-endpoint)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MDE\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"MDATP\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftDefenderAdvancedThreatProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft 365 Defender Connector - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureFirewall\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureFirewall\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Windows Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WindowsFirewall\",\"label\":\"Status\",\"type\":1,\"query\":\"WindowsFirewall\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsFirewall\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Windows Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Web Application Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-web-application-firewall-waf)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureWAF\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceType in (\\\"APPLICATIONGATEWAYS\\\", \\\"FRONTDOORS\\\", \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\", \\\"PROFILES\\\")\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WAF\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Web Application Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure SQL Databases Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-sql-databases)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SQL\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where Category contains \\\"SQL\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSql\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"SQL Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Key Vault Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-key-vault)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureKeyVault\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceProvider == \\\"MICROSOFT.KEYVAULT\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKeyVault\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Key Vault Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure DDoS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-ddos-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DDoS\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceType == \\\"PUBLICIPADDRESSES\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DDOS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure DDoS Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [VMware Carbon Black Cloud via AWS S3](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#vmware-esxi-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VMwareCarbon\",\"label\":\"Status\",\"type\":1,\"query\":\"CarbonBlack_Alerts_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"VMwareESXi\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"VMware ESXi Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Cloud: Continuous Export](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export?tabs=azure-portal)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecurityRecommendation\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityRecommendation\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Feature\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Continuous Export 
Connector\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Intermediate Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Purview Information Protection](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#Microsoft-Purview-Information-Protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MicrosoftPurviewInformationProtection\",\"type\":1,\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Status\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureInformationProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Information Protection Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Dynamics 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#dynamics-365)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Dynamics365Activity\",\"label\":\"Status\",\"type\":1,\"query\":\"Dynamics365Activity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Dynamics365\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Dynamics 365 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Kubernetes Service (AKS) Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-kubernetes-service-aks)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AKS\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"kube-audit\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKubernetes\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Kubernetes Service (AKS) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Qualys Vulnerability Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#qualys-vulnerability-management-vm-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"QualysHostDetectionV3_CL\",\"label\":\"Status\",\"type\":1,\"query\":\"QualysHostDetectionV3_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"QualysVulnerabilityManagement\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Qualys Vulnerability Management Connector\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Advanced Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Entity Behavior (UEBA)](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"BehaviorAnalytics\",\"label\":\"Status\",\"type\":1,\"query\":\"BehaviorAnalytics\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 
1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Feature\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"EntitySearchBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\"}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Entity Behavior (UEBA) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Entra ID Protection Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AADIP\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert | where ProductName == \\\"Azure Active Directory Identity Protection\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectoryIdentityProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Active Directory Identity Protection Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Threat Intelligence TAXII Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-taxii)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TAXII\",\"label\":\"Status\",\"type\":1,\"query\":\"ThreatIntelligenceIndicator | where SourceSystem !in (\\\"SecurityGraph\\\", \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\") \\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligenceTaxii\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Threat Intelligence TAXII Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Threat Intelligence Platform Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-tip)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatIntelligence\",\"label\":\"Status\",\"type\":1,\"query\":\"ThreatIntelligenceIndicator | where SourceSystem in (\\\"SecurityGraph\\\", \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\") \\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligence\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Threat Intelligence Platform Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for IoT Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-iot)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MD4IOT\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert | where ProductName == \\\"Azure Security Center for IoT\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"IoT\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Defender for IoT Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Purview: Insider Risk Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview-insider-risk-management-irm-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IRM\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProductName == \\\"Microsoft 365 Insider Risk Management\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"OfficeIRM\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Purview: Insider Risk Management Connector\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 6\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"isDCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Data Connectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Content](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog)\\r\\n---\\r\\n\\r\\nThe following content packages provide utility for regulated industries use cases.\"},\"name\":\"NS Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions\",\"linkTarget\":\"Url\",\"linkLabel\":\"About Microsoft Sentinel Content & Solutions\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog\",\"linkTarget\":\"Url\",\"linkLabel\":\"Content Hub Catalog\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"40\",\"name\":\"group - 4\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 
2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"76c7831e-386d-4289-8145-486f52cba8ec\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Content Hub >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ContentHub.ReactView\",\"extensionName\":\"Microsoft_Azure_SentinelUS\"}}]},\"customWidth\":\"40\",\"name\":\"EL0\"}]},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [NIST SP 800-53 Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n\\r\\n---\\r\\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with NIST SP 800-53 control requirements. This offering telemetry from 25+ Microsoft Security products (1P/3P/Multi-Cloud/Hybrid/On-Premises). Each NIST SP 800-53 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-nist-sp-800-53-solution/ba-p/3381485\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/ju9hxtYnj7s\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NISTSP80053\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"90\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Analysis & Response Solution](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response)\\r\\n---\\r\\n\\r\\nThis solution enables SecOps Analysts, Threat Intelligence Professional, and Threat Hunters to gain situational awareness for threats in cloud environment. The Solution includes (2) Workbooks designed to enable threat hunting programs. Threat analysis provides an understanding of where the attacker is in the cycle which often drives both a historic lens of where the threat may have progressed, but also predictive analytics on the threat’s objectives. This approach is adversarial as understanding of the threat’s attack cycle drives defense actions in a red versus blue model. The Threat Analysis & Response Solution augments the customer burden of building threat hunting programs.\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\" 100\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Security Benchmark v3](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nEnables Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to gain situational awareness for cloud security posture and hardening. Benchmark recommendations provide a starting point for selecting specific security configuration settings and facilitate risk reduction. The Azure Security Benchmark includes a collection of high-impact security recommendations for improving posture. This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/azure-security-benchmark-v3-workbook/ba-p/3257673\",\"linkTarget\":\"Url\",\"linkLabel\":\"Announce Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/v57gWjvcY4o\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"cc5f4830-f090-4f5e-afb2-47adba6be532\",\"cellValue\":\"https://youtu.be/qVJjwOipHDA\",\"linkTarget\":\"Url\",\"linkLabel\":\"ASC in the Field\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workbooks/Azure%20Security%20Benchmark%20v3\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cybersecurity Maturity Model Certification (CMMC) 2.0](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\n\\r\\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/assessment/reporting, (2) Analytics rules for monitoring and (3) Playbooks for response/remediation. CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-cybersecurity-maturity-model/ba-p/3295095\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/-_a5HxJgriE\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsoft Insider Risk Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786)\\r\\n---\\r\\n\\r\\nInsider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and escalating cases to Microsoft Advanced eDiscovery. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risks come in various forms including both witting (intentional) and unwitting (unintentional). This workbook provides an automated visualization of Insider risk behavior cross walked to Microsoft security offerings.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MicrosoftPurviewInsiderRiskManagement\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [IT/OT Threat Monitoring Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184)\\r\\n---\\r\\n\\r\\nThis solution provides the foundation for building a SOC for monitoring IoT/ OT and includes (1) workbook for visibility/reporting, (14) analytics rules for monitoring, and (4) playbooks for response. The workbook leverages Microsoft Sentinel telemetry to create visualization to understand, analyze, and respond to IoT/OT threats. Understanding alerts over time provides unprecedented insights into security posture and where teams need to focus to harden against threats. Deep links directly to Microsoft Defender for IoT alerts empower analysts to focus on remediating threats rather than pivoting between tools.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"8f7dce97-a41c-42b3-b62f-a21fbf5a1420\",\"cellValue\":\"https://youtu.be/hZS2aplJoy8\",\"linkTarget\":\"Url\",\"linkLabel\":\"YouTube Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/readme.md\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Maturity Model for Event Log Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842)\\r\\n---\\r\\n\\r\\nThis solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident.\\\"Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. 
This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency.\\\" For more information, see 💡[OMB's M-21-31 Memorandum](https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/quV_80ts__k\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MaturityModelForEventLogManagementM2131\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence Workbook](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nThe most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions.
\\r\\n\\r\\n---\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-azure-sentinel-threat-intelligence-workbook/ba-p/2858265\",\"linkTarget\":\"Url\",\"linkLabel\":\"Workbook Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/SjEG7iVVBbI\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/ThreatIntelligence.json\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"Zero Trust Solution - Copy - Copy - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isGCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Content\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)\\r\\n---\\r\\nAzure Lighthouse helps service providers simplify customer engagement and onboarding experiences, while managing delegated resources at scale with agility and precision. Authorized users, groups, and service principals can work directly in the context of a customer subscription without having an account in that customer's Microsoft Entra ID tenant or being a co-owner of the customer's tenant. The mechanism used to support this access is called Azure delegated resource management. 
\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"1cf637a7-121d-4722-b511-b0c460625e31\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Access Azure Lighthouse\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"LighthouseBlade\",\"extensionName\":\"Microsoft_Azure_CustomerHub\"}}]},\"customWidth\":\"50\",\"name\":\"links - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"managedservicesresources\\r\\n| where type == \\\"microsoft.managedservices/registrationassignments\\\"\\r\\n| where properties.provisioningState == \\\"Succeeded\\\"\\r\\n| extend ManageeTenantName = properties.registrationDefinition.properties.manageeTenantName\\r\\n| extend ManagedByTenantName = properties.registrationDefinition.properties.managedByTenantName\\r\\n| extend ManagedByTenantId = properties.registrationDefinition.properties.managedByTenantId\\r\\n| extend ManageeTenantId = tostring(properties.registrationDefinition.properties.manageeTenantId)\\r\\n| extend PermanentAccess = properties.registrationDefinition.properties.authorizations\\r\\n| extend JITAccess = properties.registrationDefinition.properties.eligibleAuthorizations\\r\\n| extend AddedDate = properties.registrationDefinition.systemData.createdAt\\r\\n| extend CreatedBy = systemData.createdBy\\r\\n| project ManageeTenantName, ManageeTenantId, ManagedByTenantName, ManagedByTenantId, AddedDate, CreatedBy\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Lighthouse Delegations\",\"noDataMessage\":\"No Azure Lighthouse Delegations/Customers 
Detected\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ManageeTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Download\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManageeTenantId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"ManagedByTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Upload\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManagedByTenantId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"AddedDate\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Clock\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"CreatedBy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PermanentAccess\",\"formatter\":1},{\"columnMatch\":\"JITAccess\",\"formatter\":1}],\"filter\":true}},\"name\":\"query - 21 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAzureLighthouseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 21\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Universal Security Capabilities](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\n---\\r\\nUniversal capabilities are enterprise-level capabilities that outline guiding principles for TIC use cases. 
Universal capabilities are selected to be broadly applicable; the same list of capabilities apply to every use case. However, certain use cases may provide unique guidance on specific capabilities where necessary. Agencies have significant discretion regarding how to meet the individual security capability requirements and address their particular needs. Agencies are free to determine the level of rigor necessary for applying universal capabilities based on federal guidelines and risk tolerance. While it is expected that agencies may often be able to employ a common solution to fulfill multiple roles or serve multiple purposes, the selection of an appropriate set of solutions is left to each agency.\"},\"customWidth\":\"40\",\"name\":\"text - 105\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 105\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Backup and Recovery\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Backup\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Central Log Management with Analysis\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Central\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Configuration Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Configuration\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Response Plan and Incident Handling\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Incident\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Inventory\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Inventory\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Least Privilege\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Least\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Secure Administration\\\\\\\", \\\\\\\"tab\\\\\\\": 
\\\\\\\"Secure\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Strong Authentication\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Strong\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Time Synchronization\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Time\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Vulnerability Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Vulnerability\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2adea420-fa6e-4073-8a78-1aeada742e2c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isBackupVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Backup\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCentralVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Central\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"04e846bb-6bca-4981-863b-76f4e8ea5667\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isConfigurationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"crit
eriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Configuration\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"7498b0e3-e4dd-44c9-868d-d5baef71ba17\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIncidentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Incident\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"7010b3e9-27e4-40b0-8d4b-fdd05f940d92\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isInventoryVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Inventory\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c9285caf-952f-458a-ac89-3fdb2871151f\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isLeastVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Least\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"356132e1-e5e8-4fd4-8a56-95bd91bc9470\"},{\"ve
rsion\":\"KqlParameterItem/1.0\",\"name\":\"isSecureVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Secure\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"8d5eb913-9e91-4f61-930b-26335aaad1cf\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isStrongVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Strong\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"232d115f-5a82-4a70-aa2d-12fb00993230\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isTimeVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Time\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"da3d19be-b7ed-4449-83ea-c9a001f54315\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isVulnerabilityVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Vulnerability\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false
\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"5e32dd42-2359-4ed6-a5e9-303873a50442\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Patch Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Patch\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Auditing and Accounting\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Auditing\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Resilience\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Resilience\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Enterprise Threat Intelligence\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Enterprise\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Situational Awareness\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Situational\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Dynamic Threat Discovery\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Dynamic\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Policy Enforcement Parity\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Policy\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Effective Use of Shared Services\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Effective\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Integrated Desktop, Mobile, and Remote Policies\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Integrated\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2dc83cdc-c5e9-4ea7-a986-0294effc2e8e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPatchVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Patch\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAuditingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Auditing\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"be23e804-75f9-486d-8478-8af0ed3b0b6d\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isResilienceVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Resilience\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"41d2063e-0f2b-47dc-9c7c-2cdcdafb80ec\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEnterpriseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Enterprise\",\"resultValType\":\"static\",\"resultVa
l\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b2752897-08eb-4f06-adae-d7e0b278acef\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSituationalVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Situational\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"0531d0e3-8eb9-4c7f-bedb-d29aed642c1b\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDynamicVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Dynamic\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ee837eb2-25bb-4a51-bdd7-5d58640fb780\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPolicyVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Policy\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"683d9906-de4f-400f-b92e-8f6d5f346db7\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEffectiveVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator
\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Effective\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"6e5570df-f9fa-4ce9-b79c-74068100c9c6\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIntegratedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Integrated\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e7db70e6-eafa-4cb0-ac08-58719fad7c33\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Backup and Recovery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nKeeping copies of configuration and data, as needed, to allow for the quick restoration of service in the event of malicious incidents, system failures, or corruption.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Backup](https://azure.microsoft.com/services/backup/)\\r\\n\\r\\n### Implementation \\r\\n💡 [What is the Azure Backup Service?](https://docs.microsoft.com/azure/backup/backup-overview)
\\r\\n💡 [Review Your Security Recommendations](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Configure Recovery Service Vaults](https://docs.microsoft.com/azure/backup/backup-azure-recovery-services-vault-overview)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Backup Vaults](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Overview)
\\r\\n🔀 [Recovery Services Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.RecoveryServices%2Fvaults)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.BE, PR.IP, PR.DS, RS.MI, RC.RP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"back\\\" or RecommendationDisplayName contains \\\"recover\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where 
type contains \\\"recover\\\" or type contains \\\"restore\\\" or type contains \\\"back\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Backup & Recovery Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"restore\\\" or Description contains \\\"recover\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"restore\\\" or Description contains \\\"recover\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"restore\\\" or Description contains \\\"recover\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| 
join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}
}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isBackupVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Backup and Recovery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Central Log Management & Analysis](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCollecting, storing, and analyzing telemetry, where the collection and storage are designed to facilitate data fusion and the security analysis aids in discovery and response to malicious activity.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) 🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Create Diagnostic Settings to Send Platform Logs and Metrics to Different Destinations](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [What is Azure Lighthouse?](https://docs.microsoft.com/azure/lighthouse/overview)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n🔀 [Azure Lighthouse](https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/LighthouseBlade)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.PT, DE.AE, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"log\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where 
type == \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Logging Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName *\\r\\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\\\"second\\\",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by _TableName, _IsBillable\\r\\n| project ['Table Name'] = _TableName, ['Table Size'] = Size, ['Table Entries'] = Entries,\\r\\n ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable\\r\\n| order by ['Table Size'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Table Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Table Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Table Size\",\"formatter\":8,\"formatOptions\":{\"palette\":\"purple\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Table Entries\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Size per Entry\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"IsBillable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Important\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEq
ualTo\",\"value\":\"true\"},\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isCentralVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Central Log Management with Analysis\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Configuration Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nImplementing a formal plan for documenting, managing changes to the environment, and monitoring for deviations, preferably automated.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Enable Change Tracking and Inventory From an Automation Account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)
\\r\\n💡 [Ensure Your Endpoints Are Configured Properly](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines)
\\r\\n💡 [Secure Score in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/secure-score-security-controls)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.BE, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"config\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"config\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"config\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"config\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| summarize count() by OperationName\\r\\n| where OperationName <> \\\"Other\\\"\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Audit Logs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. 
Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isConfigurationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Configuration Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident 
Response Plan and Incident Handling](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDocumenting and implementing a set of instructions, procedures, or technical capabilities to sense and detect, respond to, limit consequences of malicious cyber attacks, and restore the integrity of the network and associated systems.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Quickstart: Tutorial: Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.GV, ID.RA, PR.IP, DE.DP, DE.AE, RS.RP, RS.CO, RS.AN, RS.MI](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Security Incidents\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"High\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"High\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"
columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"Medium\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"Medium \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"tileS
ettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"orange\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"Low\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"Low\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContex
tBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"yellow\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where dayofyear(TimeGenerated) == dayofyear(now())\\n| summarize count()\\n\\n\\n\",\"size\":4,\"title\":\"New Today\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"blueDark\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10\"}]},\"customWidth\":\"50\",\"name\":\"Incidents\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber\\r\\n| where Status == \\\"Closed\\\"\\r\\n| extend TimeToRespond = (CreatedTime - FirstActivityTime)/1h \\r\\n| extend TimeToResolve = (ClosedTime - CreatedTime)/1h\\r\\n| extend AssignedAnalyst = tostring(Owner.assignedTo)\\r\\n| extend [\\\"MITRE ATT&CK Tactics\\\"] = tostring(parse_json(tostring(AdditionalData.tactics))[0])\\r\\n| parse IncidentUrl with * 
'/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| project IncidentName=Title, IncidentNumber, Severity, IncidentUrl, [\\\"MITRE ATT&CK Tactics\\\"], AssignedAnalyst, Classification, ClassificationComment, ClassificationReason, Description, TimeToRespond, TimeToResolve, IncidentStartTime=CreatedTime, IncidentClosedTime=ClosedTime, IncidentBlade\\r\\n| sort by IncidentClosedTime desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Closure Reports\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"TimeToRespond\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"TimeToResolve\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 9 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIncidentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Incident Response Plan and Incident Handling\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Inventory](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDeveloping, documenting, and maintaining a current inventory of all systems, networks, and components so that only authorized endpoints are given access, and unauthorized and un-managed endpoints are found and prevented from gaining access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource 
Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [DeviceRegistryEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceregistryevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Explore and Manage Your Resources With Asset Inventory](https://docs.microsoft.com/azure/security-center/asset-inventory)
\\r\\n💡 [View Installed Software](https://docs.microsoft.com/azure/automation/automation-tutorial-installed-software#view-installed-software)
\\r\\n💡 [What is Azure Resource Graph?](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Resource Graph Explorer](https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"Implemented\"},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"04JUL76\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"Asset Inventory Implemented, Plan of Action & Milestones Documented, System Security Plan (SSP) Updated\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| project AssetID=id,AssetType=type, Azure_Inventory, M365_Inventory\\r\\n| sort by AssetType desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Asset Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"where type contains \\\"microsoft\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by location\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by type\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Count by Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"ResourceFlat\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 8\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| summarize count() by ResourceDisplayName\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Application Inventory & Access\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceRegistryEvents \\r\\n| summarize arg_max(TimeGenerated, *) by InitiatingProcessFileName, DeviceName\\r\\n| summarize count() by InitiatingProcessFileName\\r\\n| where InitiatingProcessFileName <> \\\"\\\"\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Software Inventory by Initiating Process\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - 
Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isInventoryVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Inventory\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Least Privilege](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDesigning the security architecture such that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Administrator roles by admin task in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/delegate-by-task)
\\r\\n💡 [Overview of role-based access control in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\\r\\n💡 [Microsoft Entra ID Sign-In Activity](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-all-sign-ins)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.IP, PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"identity\\\" or RecommendationDisplayName contains \\\"privilege\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = 
SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Valid Accounts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile 
>>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| extend GroupMemberships = strcat(GroupMembership)\\r\\n| extend AssignedRoles_ = strcat(AssignedRoles)\\r\\n| extend UserPrincipalName = MailAddress\\r\\n| where MailAddress <> \\\"\\\"\\r\\n| distinct UserPrincipalName, GroupMemberships, AssignedRoles_\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Assigned Roles & Group Memberships\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isLeastVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Least Privilege\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Secure Administration](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nPerforming administrative tasks in a secure manner, using secure protocols.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Delegate Administration in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/concept-delegation)
\\r\\n💡 [Start Using Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started#)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"admin\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"admin\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"admin\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"admin\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\r\\n| distinct OperationName, Identity, AADOperationType, InitiatedBy, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Privileged Identity Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore 
Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Identity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InitiatedBy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{
\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_InitiatedBy_3\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_InitiatedBy_3\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSecureVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Secure Administration\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Strong Authentication](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nVerifying the identity of users, endpoints, or other entities through rigorous means (e.g. multi-factor authentication) before granting access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Plan an Azure AD Multi-Factor Authentication Deployment](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-getstarted)
\\r\\n💡 [How it works: Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
\\r\\n💡 [Remediate recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-remediate-recommendations)
\\r\\n💡 [SecretManagement and Accessing Linux VMs in Azure](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\\r\\n💡 [Eliminate Password-Based Attacks on Azure Linux VMs](https://techcommunity.microsoft.com/t5/azure-security-center/eliminate-password-based-attacks-on-azure-linux-vms/ba-p/2271139)
\\r\\n💡 [Quickstart: Create a Key Vault Using the Azure Portal](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"authentication\\\" or RecommendationDisplayName contains \\\"JIT\\\" or RecommendationDisplayName contains \\\"password\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\" or Description contains \\\"password\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\" or Description contains \\\"password\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\" or Description contains \\\"password\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Title contains \\\"auth\\\" or Title contains \\\"password\\\" or Title contains \\\"login\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == 
\\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Authentication Attacks\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isStrongVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\" Strong Authentication\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Time Synchronization](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCoordinating clocks on all systems (e.g. servers, workstations, network endpoints) to enable accurate comparison of timestamps between systems.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Time Sync for Windows VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/windows/time-sync)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Portal](https://portal.azure.com/)
\\r\\n🔀 [Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Time Synchronization\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"time\\\" or Description contains \\\"sync\\\" or Description contains \\\"ntp\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"time\\\" or Description contains \\\"sync\\\" or Description contains \\\"ntp\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"time\\\" or Description contains \\\"sync\\\" or Description contains \\\"ntp\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description !contains \\\"runtime\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isTimeVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Time 
Synchronization\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Vulnerability Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nProactively working to discover vulnerabilities, including the use of both active and passive means of discovery, and taking action to mitigate discovered vulnerabilities.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Secure Score in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/secure-score-security-controls)
\\r\\n💡 [Microsoft Defender for Cloud's Integrated Vulnerability Assessment Solution for Azure and Hybrid Machine](https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment)
\\r\\n💡 [Threat and Vulnerability Management Walk-Through](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender: Threat & Vulnerability Management](https://security.microsoft.com/tvm_dashboard)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, PR.IP, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"vuln\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| 
where CceId <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by ResourceId, CceId\\r\\n|project CceId, RuleSeverity, Description, ResourceId\\r\\n|limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerability Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CceId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RuleSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Resource\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where CceId <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by Resource, CceId\\r\\n| summarize count() by ResourceId\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerability Count by Asset\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Resource\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"CceId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RuleSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isVulnerabilityVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Vulnerability Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Patch Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentifying, acquiring, installing, and verifying patches for products and systems.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Update Management Overview](https://docs.microsoft.com/azure/automation/update-management/overview)
\\r\\n💡 [Enable Update Management From the Azure Portal](https://docs.microsoft.com/azure/automation/update-management/enable-from-portal)
\\r\\n💡 [Handling Planned Maintenance Notifications Using the Azure Portal](https://docs.microsoft.com/azure/virtual-machines/maintenance-notifications-portal)
\\r\\n💡 [Managing Platform Updates with Maintenance Control](https://docs.microsoft.com/azure/virtual-machines/maintenance-control?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json)
\\r\\n💡 [Scheduling Maintenance Updates with Maintenance Control and Azure Functions](https://github.com/Azure/azure-docs-powershell-samples/tree/master/maintenance-auto-scheduler)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"update\\\" or RecommendationDisplayName contains \\\"upgrade\\\" or RecommendationDisplayName contains \\\"version\\\" or RecommendationDisplayName contains \\\"patch\\\" or RecommendationDisplayName contains \\\"java\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isPatchVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Patch Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Auditing and Accounting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCapturing business records, including logs and other telemetry, and making them available for auditing and accounting as required. Design of the auditing system should take insider threat into consideration, including separation of duties violation tracking, such that insider abuse or misuse can be detected.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Create Diagnostic Settings to Send Platform Logs and Metrics to Different Destinations](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings)
\\r\\n💡 [Tutorial: Grant a User Access to Azure Resources Using the Azure Portal](https://docs.microsoft.com/azure/role-based-access-control/quickstart-assign-role-user-portal)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Auditing Microsoft Sentinel Activities](https://techcommunity.microsoft.com/t5/azure-sentinel/auditing-azure-sentinel-activities/ba-p/1718328)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST CSF Mapping\\r\\n[ID.SC, PR.AC, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"audit\\\" or RecommendationDisplayName contains \\\"account\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\" or Description contains \\\"log\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\" or Description contains \\\"log\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\" or Description contains \\\"log\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Usage\\r\\n| summarize count() by DataType\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Events by Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. 
Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"rowLimit\":100}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAuditingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Auditing and Accounting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Resilience](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEnsuring that systems, services, and protections maintain acceptable performance under adverse conditions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) 🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure DDoS Protection]( https://azure.microsoft.com/services/ddos-protection/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DDoS Protection Plans](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\\r\\n🔀 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\\r\\n🔀 [Load Balancing](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔀 [Virtual Machine Scale Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure DDoS Protection Standard Overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
\\r\\n💡 [Building Solutions for High Availability Using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability)
\\r\\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability)
\\r\\n💡 [What is Azure Load Balancer?](https://docs.microsoft.com/azure/load-balancer/load-balancer-overview)
\\r\\n💡 [What are virtual machine scale sets?](https://docs.microsoft.com/azure/virtual-machine-scale-sets/overview)
\\r\\n\\r\\n### NIST CSF Mapping\\r\\n[ID.BE, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"balance\\\" or RecommendationDisplayName contains \\\"denial\\\" or RecommendationDisplayName contains \\\"recover\\\" or RecommendationDisplayName contains \\\"back\\\" or RecommendationDisplayName contains \\\"scale\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"dos\\\"or type contains \\\"balance\\\" or type contains \\\"recover\\\" or type contains \\\"back\\\" or type 
contains \\\"scale\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Resilience Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"DDoSMitigationReports\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| extend TopAttackVector = tostring(parse_json(AttackVectors_s)[0]) \\r\\n| extend Total_packets_ = tostring(parse_json(TrafficOverview_s).Total_packets) \\r\\n| extend Total_packets_dropped_ = todouble(parse_json(TrafficOverview_s).Total_packets_dropped)\\r\\n| extend TotalPackets =todouble(Total_packets_)\\r\\n| where TotalPackets > 0\\r\\n| where TopAttackVector <> \\\"\\\"\\r\\n| project TopAttackVector, TotalPackets, TotalPacketsDropped = Total_packets_dropped_ , ResourceId , SourceIP=IPAddress, Resource, TimeGenerated\\r\\n| sort by TotalPacketsDropped desc\\r\\n| limit 100\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Denial of Service Attacks Observed\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"IPAddress\",\"parameterName\":\"IPAddress\",\"parameterType\":1},{\"fieldName\":\"ResourceId\",\"parameterName\":\"ResourceId\",\"parameterType\":1,\"defaultValue\":\"ResourceId\"},{\"fieldName\":\"Resource\",\"parameterName\":\"AttackReport\",\"parameterType\":1,\"defaultValue\":\"/\"}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TopAttackVector\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"TotalPackets\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"TotalPacketsDropped\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Resource\",\"formatter\":5},{\"columnMatch\":\"Total_packets_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Total_packets_dropped_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"subtitleContent\":{\"columnMatch\":\"TopAttackVector\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Resource\"},\"rightContent\":{\"columnMatch\":\"TimeGenerated\"},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"query - 
4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isResilienceVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Resilience\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Enterprise Threat Intelligence](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nObtaining threat intelligence from private and government sources and implementing mitigation for the identified risks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [ThreatIntelligenceIndicator](https://docs.microsoft.com/azure/azure-monitor/reference/tables/threatintelligenceindicator) 🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) 🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Connect Data from Threat Intelligence Providers](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n💡 [Microsoft Security Intelligence Portal](https://www.microsoft.com/wdsi)
\\r\\n💡 [Microsoft Graph Security tiIndicators API](https://docs.microsoft.com/graph/api/resources/tiindicator)
\\r\\n💡 [MSTIC Jupyter and Python Security Tools](https://github.com/Microsoft/msticpy)
\\r\\n💡 [Use Jupyter Notebook to Hunt for Security Threats](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender Security Intelligence Portal](https://microsoft.com/wdsi)
\\r\\n🔀 [MSTICpy](https://github.com/Microsoft/msticpy)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cyber Threat Intelligence Indicator Counts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"intel\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Threat Intelligence\",\"noDataMessage\":\"An Empty 
Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where Tactics <> \\\"\\\"\\r\\n| where Tactics <> \\\"Unknown\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n| summarize count() by Tactics\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts by MITRE 
ATT&CK Tactics Observed\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Tactics\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Enterprise Threat Intelligence\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Situational Awareness](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMaintaining effective awareness, both current and historical, across all components.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Get Visibility Into Alerts](https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, ID.RA, PR.DS, PR.IP, DE.AE, DE.CM, DE.DP, RS.CO](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where isnotempty(ProviderName)\\r\\n| summarize count() by ProductName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts By Product\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where isnotempty(ProviderName)\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by ProductName\\r\\n| render timechart \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts Over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSituationalVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Situational Awareness\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Dynamic Threat Discovery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nUsing dynamic approaches (e.g. heuristics, baselining, etc.) to discover new malicious activity\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [BehaviorAnalytics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/behavioranalytics) 🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Advanced Multistage Attack Detection in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/fusion)
\\r\\n💡 [Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
\\r\\n💡 [Heuristic Detections in Microsoft Defender for Cloud](https://azure.microsoft.com/blog/heuristic-dns-detections-in-azure-security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"defender\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
AnomalousSigninActivity = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\\r\\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\\r\\n or ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\\r\\n | join (\\r\\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \\\"none\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indication from AAD\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 
'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', '7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//\\r\\nlet AnomalousRoleAssignment = AuditLogs\\r\\n | where TimeGenerated > ago(28d)\\r\\n | where OperationName == \\\"Add member to role\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner (\\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Add member to role\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend AnomalyName = \\\"Anomalous Role Assignment\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. 
The query below generates an output of all high Blast Radius users performing Add member to privileged role, or ones that add users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let LogOns=materialize(\\r\\n BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\");\\r\\nlet AnomalousResourceAccess = LogOns\\r\\n | where ActionType == \\\"ResourceAccess\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous Resource Access\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousRDPActivity = LogOns\\r\\n | where ActionType == \\\"RemoteInteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous RDP Activity\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousLogintoDevices = LogOns\\r\\n | where ActionType == \\\"InteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\\r\\n | extend AnomalyName = \\\"Anomalous Login To Devices\\\",\\r\\n Tactic = \\\"Privilege Escalation\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administrator users performing an interactive logon (4624:2) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousPasswordReset = BehaviorAnalytics\\r\\n | where ActionType == \\\"Reset user password\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == \\\"True\\\"\\r\\n | join (\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Reset user password\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Password Reset\\\",\\r\\n Tactic = \\\"Impact\\\",\\r\\n Technique = \\\"Account Access Removal\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\\r\\n | join (\\r\\n SigninLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Initial Access\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousFailedLogon = BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n | join (\\r\\n SigninLogs \\r\\n | where Status.errorCode == 50126\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Failed Logon\\\",\\r\\n Tactic = \\\"Credential Access\\\",\\r\\n Technique = \\\"Brute Force\\\",\\r\\n SubTechnique = \\\"Password Guessing\\\",\\r\\n Description = \\\"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousAADAccountManipulation = AuditLogs\\r\\n | where OperationName == \\\"Update user\\\"\\r\\n | mv-expand AdditionalDetails\\r\\n | where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner ( \\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Update user\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName) \\r\\n | extend AnomalyName = \\\"Anomalous Account Manipulation\\\",\\r\\n Tactic = 
\\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to privileged role, or ones that changed users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\\r\\n | where ActionType == \\\"Add user\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\\r\\n | join(\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Add user\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\\r\\n UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", 
tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Account Creation\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Create Account\\\",\\r\\n SubTechnique = \\\"Cloud Account\\\",\\r\\n Description = \\\"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\\\"\\t\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\\r\\nlet TopUsersByAnomalies = AnomalyTable\\r\\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\\r\\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\\r\\n | sort by AnomalyCount desc;\\r\\nlet TopUsersByIncidents = SecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | where Status == \\\"New\\\" or Status == \\\"Active\\\"\\r\\n | mv-expand AlertIds\\r\\n | extend 
AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | union TopUsersByAnomalies\\r\\n | extend \\r\\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\\r\\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\\r\\n UPNExists = iff(isempty(UPN), false, true),\\r\\n NameExists = iff(isempty(Name), false, true),\\r\\n SidExists = iff(isempty(Sid), false, true),\\r\\n AADExists = iff(isempty(AadUserId), false, true)\\r\\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), 
AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\\r\\n | project [\\\"UserName\\\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\\\"AadUserId\\\"]=AadAnchor, [\\\"OnPremSid\\\"]=SidAnchor, [\\\"UserPrincipalName\\\"]=UPNAnchor;\\r\\nTopUsersByIncidents\\r\\n| where UserPrincipalName !contains \\\"[\\\"\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\\r\\n| sort by AlertCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Entity Behavior Analytics Alerts\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). 
See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":
\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"fusion\\\" or Title contains \\\"dynamic\\\" or Title contains \\\"anomal\\\" or Title contains \\\"behavior\\\" or Title contains \\\"learning\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Dynamic Threat Discovery\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDynamicVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Dynamic Threat Discovery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Policy Enforcement Parity](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nConsistently applying security protections and other policies, independent of the communication mechanism, forwarding path, or endpoints used.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 
[SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Azure Policy?](https://docs.microsoft.com/azure/governance/policy/overview)
\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPolicyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Policy Enforcement Parity\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Effective Use of Shared 
Services](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEmploying shared services, where applicable, that can be individually tailored, measured to independently validate service conformance, and offer effective protections for tenants against malicious actors, both external as well as internal to the service provider.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Get Started with Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)
\\r\\n💡 [Customer Lockbox for Microsoft Azure](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview)
\\r\\n💡 [What are External Identities in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/external-identities/compare-with-b2c)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Lighthouse](https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/LighthouseBlade)
\\r\\n🔀 [Customer Lockbox for Microsoft Azure](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, ID.GV, ID.RM, ID.SC, PR.AT, RS.CO](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"guest\\\" or RecommendationDisplayName contains \\\"shared\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = 
SigninLogs\\r\\n| where ResultType == 0\\r\\n| where UserType == \\\"Guest\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, UserType, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, UserType, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Guest Accounts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"shared\\\" or Description contains \\\"guest\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where 
Description contains \\\"shared\\\" or Description contains \\\"guest\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"shared\\\" or Description contains \\\"guest\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description !contains \\\"not shared\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEffectiveVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Effective Use of Shared Services\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Integrated Desktop, Mobile, and Remote 
Policies](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDefining polices such that they apply to a given agency entity no matter its location.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n💡 [What are Common Ways to Use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://devicemanagement.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| extend DeviceOS = tostring(DeviceDetail.operatingSystem)\\r\\n| summarize count() by DeviceOS\\r\\n| where DeviceOS <> \\\"\\\"\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Application by Operating System\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConditionalAccessPolicy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlad
e\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-Ins By Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"Location\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| mv-expand ConditionalAccessPolicies\\r\\n| extend ConditionalAccessPolicy = tostring(ConditionalAccessPolicies.displayName)\\r\\n| summarize count() by ConditionalAccessPolicy\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Conditional Access Policies\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConditionalAccessPolicy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntegratedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Integrated Desktop, Mobile, and Remote Policies\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UniversalSecurityCapabilities\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Files](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nFile-based protections including anti-malware, malicious code removal, content disarm & reconstruction, and detonation chambers.\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Files Capabilities Overview\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 
106\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Anti-Malware\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Malware\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Content Disarm & Reconstruction\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Content\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Detonation Chamber\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Detonation\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMalwareVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Malware\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isContentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Content\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\
"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"1f176b0f-1f2f-4e12-afb0-3f10c834ef24\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDetonationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Detonation\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b17f2902-5d29-45b2-8712-bff5b7dd1487\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"793ffbca-13bc-4fac-9535-048cbd9efc54\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-Malware](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-malware protections detect the presence of malicious code and facilitate its quarantine or removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)\\r\\n ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/azure-defender/)\\r\\n✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) ✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Antimalware Extension for Windows](https://docs.microsoft.com/azure/virtual-machines/extensions/iaas-antimalware-windows)
\\r\\n💡 [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](https://docs.microsoft.com/azure/security/fundamentals/antimalware)
\\r\\n💡 [Microsoft Defender for Cloud Apps: Malware Detection](https://docs.microsoft.com/cloud-app-security/anomaly-detection-policy#malware-detection)
\\r\\n💡 [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Defender for Identity](https://security.microsoft.com/settings/identities)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.PT, DE.CM, DE.DP, RS.MI](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"endpoint protection\\\" or RecommendationDisplayName contains \\\"malware\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| 
where Description contains \\\"malware\\\" or Title contains \\\"malware\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Malware\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where AlertName contains \\\"mal\\\"\\r\\n| summarize count() by ProductName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Malware Detected by Product\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isMalwareVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-Malware\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Content Disarm & Reconstruction](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nContent disarm and reconstruction technology detects the presence of unapproved active content and facilitates its removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [EmailAttachmentInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailattachmentinfo) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)\\r\\n\\r\\n### Implementation \\r\\n💡 [Setup Safe Attachments Policies in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/set-up-atp-safe-attachments-policies)
\\r\\n💡 [Threat and Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
\\r\\n💡 [Microsoft Defender Application Guard overview](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)
\\r\\n💡 [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"exploit\\\" or Title contains \\\"exploit\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Exploits\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailAttachmentInfo\\r\\n| extend Detection = strcat(DetectionMethods)\\r\\n| where ThreatTypes <> \\\"\\\"\\r\\n| project RecipientEmailAddress, FileName, ThreatTypes, ThreatNames, Detection, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Safe Attachments: Attachment Mitigation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isContentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Content Disarm & Reconstruction\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Detonation Chamber](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDetonation chambers facilitate the detection of malicious code through the use of protected and isolated execution environments to analyze the files.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Submit File for Deep Analysis](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#submit-files-for-deep-analysis)
\\r\\n💡 [Using the Built-in URL Detonation in Microsoft Sentinel](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/using-the-new-built-in-url-detonation-in-azure-sentinel/996229)
\\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n💡 [Safe Attachments in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-attachments)
\\r\\n💡 [Microsoft Defender Application Guard overview](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)
\\r\\n💡 [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy)
\\r\\n\\r\\n### Microsoft Portals \\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.CM, DE.DP, RS.AN, RS.MI](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"detonation\\\" or Title contains \\\"detonation\\\" or Description contains \\\"sand\\\" or Title contains \\\"sand\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Detonation\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| where DetectionMethods <>\\\"\\\"\\r\\n| project RecipientEmailAddress, DeliveryAction, DeliveryLocation, EmailDirection, EmailAction, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Email Detonation: SafeLinks, SafeAttachments, SafeFiles\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DeliveryAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EmailDirection\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Outbound\",\"representation\":\"right\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"left\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EmailAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DetectionMethods\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"is
EqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDetonationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Detonation Chamber\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Hunt for Threats with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/hunting)
\\r\\n💡 [Learn about Microsoft 365 Endpoint Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"data\\\" or Title contains \\\"data\\\" or Description contains \\\"loss\\\" or Title contains \\\"loss\\\" or Description contains \\\"exfil\\\" or Title contains \\\"exfil\\\" or Tactics contains \\\"exfil\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Loss\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| project UserId_s, LabelName_s, Operation_s, Activity_s, IPv4_s, ProtectionOwner_s, ApplicationName_s, ProcessName_s, Platform_s, ContentId_g, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Scan/Monitor for Sensitive Data with Azure Information Protection\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| extend UserPrincipalName = UserId_s_s\\r\\n| where LabelName_s <> \\\"\\\"\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Sensitive Data Access 
by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"Country
Region\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"FilesGroup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Email](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nEmail-based protections including anti-phishing, anti-spam, authenticated received chain, data loss prevention, DMARC for incoming/outgoing mail, email encryption, and malicious URL protections.\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Email Capabilities Help\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 107\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Anti-Phishing Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Phishing\\\\\\\" },\\\\r\\\\n\\\\t{ 
\\\\\\\"Control\\\\\\\": \\\\\\\"Anti-Spam Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Spam\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authenticated Received Chain\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Authenticated\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DMARC for Incoming Email\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Incoming\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPhishingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Phishing\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSpamVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Spam\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"5e162b71-5dff-4440-8bd9-111c1ec62efb\"},{\"version\":\"KqlParameterIt
em/1.0\",\"name\":\"isAuthenticatedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Authenticated\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"37272499-cf34-4fd3-8f26-5929ea74e783\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"2086488a-60de-43a5-a31f-0ae0eca9abd3\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIncomingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Incoming\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e35e9dbc-8e1d-4749-9fe3-6e1b7cc19f2c\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DMARC for Outgoing Email\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Outgoing\\\\\\\" },\\\\r\\\\n\\\\t{ 
\\\\\\\"Control\\\\\\\": \\\\\\\"Encryption for Email Transmission\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Encryption\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Malicious URL Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Malicious\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"URL Click-Through Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Url\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2477e9e4-bcad-49d6-a4b6-df6672debb7b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isOutgoingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Outgoing\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEncryptionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Encryption\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"1fa8afad-de60-4eb0-8a40-a43bde323bdb\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMaliciousVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\
":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Malicious\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"125bc4a9-0a88-4bef-80c9-2707fa0e5f74\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUrlVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Url\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e62d359a-891b-4663-9384-b7891d8dc461\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-Phishing Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-phishing protections detect instances of phishing and prevent users from accessing them.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Anti-Phishing Protection in Microsoft 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-phishing-protection)
\\r\\n💡 [Configure Anti-Phishing Policies in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-atp-anti-phishing-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AT, PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"email\\\" or Title contains \\\"phish\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Phishing\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPhishingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-Phishing Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-SPAM Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-SPAM protections detect and quarantine instances of SPAM.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Anti-Spam protection in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-spam-protection)
\\r\\n💡 [Configure Anti-Spam Policies in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| extend Spam = tostring(parse_json(ConfidenceLevel).Spam)\\r\\n| where Spam <> \\\"Skipped\\\"\\r\\n| where Spam <> \\\"Not spam\\\"\\r\\n| where Spam <> \\\"\\\"\\r\\n| project Spam, RecipientEmailAddress, DeliveryAction, EmailDirection, ConfidenceLevel, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Spam Email Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}
},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isSpamVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-SPAM Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticated Received Chain](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAuthenticated Received Chain allows for an intermediary, like a mailing list or forwarding service, to sign its own authentication of the original email, allowing downstream entities to accept the intermediary’s authentication even if the email was changed.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How Microsoft 365 Utilizes Authenticated Received Chain (ARC)](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-utilizes-authenticated-received-chain-arc)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Alerts for DMARC, SPF, DKIM Validations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_AlertName_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_AlertName_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAuthenticatedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Authenticated Received Chain\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Microsoft References \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n💡 [How DLP Works Between the Security & Compliance Center and Exchange Admin Centers](https://docs.microsoft.com/microsoft-365/compliance/how-dlp-works-between-admin-centers)
\\r\\n💡 [Email Entity Page](https://docs.microsoft.com/microsoft-365/security/office-365-security/mdo-email-entity-page)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Tactics contains \\\"exfil\\\"\\r\\n| where Title contains \\\"email\\\" or Title contains \\\"phish\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Email Data Loss\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DMARC for Incoming Email](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDMARC protections authenticate incoming email according to the DMARC email authentication protocol defined in RFC 7489.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Use DMARC to Validate Email](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)
\\r\\n💡 [How Microsoft 365 Handles Inbound Emails that Fail DMARC](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-handles-inbound-email-that-fails-dmarc)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\" and Entities contains \\\"inbound\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Inbound DMARC Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIncomingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DMARC for Incoming Email\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DMARC for Outgoing Email](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDMARC protections facilitate the authentication of outgoing email by signing the emails and ensuring that external parties may validate the email signatures. The DMARC email authentication protocol is defined in RFC7489.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Use DMARC to Validate Email](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)
\\r\\n💡 [How Microsoft 365 Handles Inbound Emails that Fail DMARC](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-handles-inbound-email-that-fails-dmarc)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\" and Entities contains \\\"outbound\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Outbound DMARC Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isOutgoingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DMARC for Outgoing Email\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Encryption for Email Transmission](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEmail services are configured to use encrypted connections, when possible, for communications between clients and other email servers.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Email Encryption](https://docs.microsoft.com/microsoft-365/compliance/ome)
\\r\\n💡 [How Exchange Online Uses TLS to Secure Email Connections](https://docs.microsoft.com/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-connections)
\\r\\n💡 [Define Mail Flow Rules to Encrypt Email Messages](https://docs.microsoft.com/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email)
\\r\\n💡 [Setup New Message Encryption Capabilities](https://docs.microsoft.com/microsoft-365/compliance/set-up-new-message-encryption-capabilities)
\\r\\n💡 [Define Mail Flow Rules to Encrypt Email Messages](https://docs.microsoft.com/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email)
\\r\\n💡 [Manage Office 365 Message Encryption](https://docs.microsoft.com/microsoft-365/compliance/manage-office-365-message-encryption)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
🔀 [Microsoft 365 Defender](https://security.microsoft.com)
🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"encrypt\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information.\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEncryptionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Encryption for Email Transmission\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious URL Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMalicious URL protections detect malicious URLs in emails and prevent users from accessing them.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| where DetectionMethods contains \\\"url\\\"\\r\\n| join (EmailUrlInfo) on NetworkMessageId\\r\\n| project RecipientEmailAddress, DeliveryAction, Url, UrlDomain, EmailDirection, ConfidenceLevel, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"SafeLinks Email Protections\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DeliveryAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Url\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\
"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isMaliciousVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Malicious URL Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [URL Click-Through Protection](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nURL click-through protections ensure that when a URL from an email is clicked, the requester is directed to a protection that verifies the security of the URL destination before permitting access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"url\\\" or Title contains \\\"url\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Urls\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUrlVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"URL Click-Through Protection\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Email Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Web](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nWeb-based protections including break/inspect, active content mitigation, certificate blacklisting/consensus, content filtering, authenticated proxy, data loss prevention, DNS-over-HTTPS filtering, RFC compliance enforcement, domain category filtering, domain reputation filtering, bandwidth control, malicious content filtering, and access 
control.\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Web Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 108\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Break and Inspect\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Break\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Active Content Mitigation\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Active\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Certificate Denylisting\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Certificate\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Content Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Content\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authenticated Proxy\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Authenticated\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNS-over-HTTPS Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DNS\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a30d01d0-38f1-4a91-9cf6-cdb181d676b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isBreakVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Break\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isActiveVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Active\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b2b0b9d3-128b-4ec7-a1e8-287df84633da\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCertificateVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Certificate\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"508474da-365f-43db-9c42-4331e8648144\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isContentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Content\",\"resultValType\":\"static\",\"resultVal\":\"true\
"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"68f6fab3-9f4c-4ea8-ac17-064809f6740e\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAuthenticatedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Authenticated\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a539291a-2744-47ef-9558-f15986ecf508\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"bd2ce9fe-9e44-4bcf-9f00-83a04c86e456\"},{\"id\":\"5cb17a08-31fb-4eee-87d8-abef7ecbb7e2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDNSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DNS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden 
Parameters\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"RFC Compliance Enforcement\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RFC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Domain Category Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Category\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Domain Reputation Filter\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Reputation\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Bandwidth Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Bandwidth\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Malicious Content Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Malicious\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Access\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0114faf6-043c-452c-9249-34899d8965a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRFCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RFC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCategoryVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Category\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"35f239a8-a4dc-4e7f-8b70-dd4c876151db\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isReputationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Reputation\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"57218915-069e-4559-94ff-29144252c397\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isBandwidthVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Bandwidth\",\"resultValType\":\"static\",\"resultVal\":\"
true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d77f49a8-0e58-46c3-b705-5a61736b41ea\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMaliciousVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Malicious\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a11bbfd4-4c45-4527-b1d2-6cab517590cb\"},{\"id\":\"a1bdb4f4-7f9d-48f8-8deb-e979a7e203a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAccessVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Access\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Break and Inspect](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nBreak-and-Inspect systems, or encryption proxies, terminate encrypted traffic, logging or performing policy enforcement against the plaintext, and re-encrypting the traffic, if applicable, before transmitting to the final 
destination.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Firewall Premium](https://azure.microsoft.com/services/azure-firewall/) ✳️ [Network Watcher](https://azure.microsoft.com/services/network-watcher/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n💡 [Inspect Traffic with Azure Firewall](https://docs.microsoft.com/azure/private-link/inspect-traffic-with-azure-firewall)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Create an Azure Network Watcher instance](https://docs.microsoft.com/azure/network-watcher/network-watcher-create)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Network Watcher](https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"protected by Azure Firewall\\\" or RecommendationDisplayName contains \\\"watcher\\\" or RecommendationDisplayName contains \\\"proxy\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"azurefirewalls\\\" or type contains \\\"firewallpolicies\\\" or type contains \\\"networkwatchers\\\" or type contains \\\"webapplicationfirewall\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Break & Inspect Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isBreakVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Break and Inspect\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Active Content Mitigation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nActive content mitigation protections detect the presence of unapproved active content and facilitate its removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) 🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n\\r\\n### Implementation \\r\\n💡[What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡[Azure Web Application Firewall on Azure Front Door](https://docs.microsoft.com/azure/web-application-firewall/afds/afds-overview)
\\r\\n💡[Connect data from Microsoft 365 Defender to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"endpoint protection\\\" or RecommendationDisplayName contains \\\"Web Application Firewall\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"webapplicationfirewall\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Content Mitigation Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message: string, ruleName_s: string, clientIp_s: string, clientIP_s: string, action_s: string, transactionId_s: string, trackingReference_s: string) [\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\"]);\\r\\nFakeData\\r\\n| union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"Application Gateway\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"Application Gateway\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"Application Gateway\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"Application Gateway\\\" contains \\\"cdn\\\")) and (\\\"SOC-NS-AG-WAFV2 - 1129440\\\" == \\\"All\\\" or Resource in ('SOC-NS-AG-WAFV2'))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", 
action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '*' == Action or '*' == \\\"*\\\" \\r\\n| where '*' == requestUri_s or '*' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Rule= iif(Rule contains \\\"Mandatory rule. Cannot be disabled.\\\", strcat_array(split(Rule, \\\"Mandatory rule. Cannot be disabled. Inbound \\\", 1), \\\"\\\"), Rule) // Removes initial component for mandatory rule \\r\\n| extend Rule = iif(Rule contains \\\"Total Inbound Score\\\", strcat_array(array_concat(split(Rule, \\\" - SQLI=\\\", 0), parse_json('[\\\") -\\\"]'), split(Rule, \\\"):\\\", 1)), \\\"\\\"), Rule) // Removes smaller information if more info is available for anomaly score\\r\\n| summarize count() by Rule\\r\\n| top 50 by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure WAF Events\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Rule\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redDark\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isActiveVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Active Content Mitigation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Certificate Denylisting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCertificate denylisting protections prevent communication with entities that use a set of known bad certificates.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Certificates Used by Azure Firewall Premium](https://docs.microsoft.com/azure/firewall/premium-certificates)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Quickstart: Create a Key Vault using the Azure Portal](https://docs.microsoft.com/azure/key-vault/general/quick-create-portal)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"certificate\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"cert\\\" \\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"cert\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"cert\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCertificateVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Certificate Denylisting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Content 
Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nContent filtering protections detect the presence of unapproved content and facilitate its removal or denial of access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure Firewall Web Categories](https://docs.microsoft.com/azure/firewall/web-categories)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Web Content Filtering](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/web-content-filtering)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\n materialize(\\r\\n AzureDiagnostics\\r\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n | project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". 
Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n | where msg_s has \\\" Reason:\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n and msg_s !has \\\"No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | where msg_s has \\\"Rule Collection Group\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". 
Rule: \\\" Rule\\r\\n )\\r\\n| summarize Count = count(), last_log = datetime_diff(\\\"second\\\", now(), max(TimeGenerated)) by RuleCollection, Rule, WebCategory\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Firewall: Content Enforcement\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"last_log\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 36\"}]},\"conditionalVisibility\":{\"parameterName\":\"isContentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Content Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticated 
Proxy](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAuthenticated proxies require entities to authenticate with the proxy before making use of it, enabling user, group, and location-aware security controls.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Plan an Azure AD Application Proxy Deployment](https://learn.microsoft.com/en-us/entra/identity/app-proxy/conceptual-deployment-plan)
\\r\\n💡 [Configure Real-Time Application Access Monitoring with Microsoft Defender for Cloud Apps and Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-integrate-with-microsoft-cloud-application-security)
\\r\\n💡 [Protect Apps with Microsoft Defender for Cloud Apps Conditional Access App Control](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| mv-expand ConditionalAccessPolicies\\r\\n| extend ConditionalAccessPolicy = tostring(ConditionalAccessPolicies.displayName)\\r\\n| summarize count() by ConditionalAccessPolicy\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Conditional Access Policies\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConditionalAccessPolicy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Recomme
ndationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAuthenticatedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Authenticated Proxy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Microsoft Defender for Cloud Apps: File Policies](https://docs.microsoft.com/cloud-app-security/data-protection-policies)
\\r\\n💡 [Content Inspection for Protected Files](https://docs.microsoft.com/cloud-app-security/content-inspection)
\\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Defender for Identity Portal](https://security.microsoft.com/settings/identities)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Tactics contains \\\"exfil\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Exfiltration\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention_W\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS-over-HTTPS Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNS-over-HTTPS filtering prevents entities from using the 
DNS-over-HTTPS protocol, possibly evading DNS-based protections.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Microsoft Defender for DNS](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-dns-introduction)
\\r\\n💡 [Azure Firewall DNS settings](https://docs.microsoft.com/azure/firewall/dns-settings)
\\r\\n💡 [Web Content Filtering](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Workload Protections](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/26)
\\r\\n🔀 [Azure Firewall](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"dns\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS-over-HTTPS Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [RFC Compliance Enforcement](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nRFC compliant enforcement technologies ensure that traffic complies with protocol definitions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation\\r\\n💡[What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡[Tutorial: Create an Application Gateway with a Web Application Firewall using the Azure Portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where Category == \\\"ApplicationGatewayFirewallLog\\\"\\r\\n| where details_file_s contains \\\"rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\\\"\\r\\n| summarize count() by ResourceId, Message\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Web Protocol Enforcement Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isRFCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RFC Compliance Enforcement\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Domain Category Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDomain category filtering technologies allow for classes of 
domains (e.g. banking, medical) to receive a different set of security protections.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall: Web Categories](https://docs.microsoft.com/azure/firewall/premium-deploy#web-categories-testing)
\\r\\n💡 [Use FQDN Filtering in Network Rules](https://docs.microsoft.com/azure/firewall/fqdn-filtering-network-rules)
\\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)\\t
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\n materialize(\\r\\n AzureDiagnostics\\r\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n | project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". 
Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n | where msg_s has \\\" Reason:\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n and msg_s !has \\\"No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | where msg_s has \\\"Rule Collection Group\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". 
Rule: \\\" Rule\\r\\n )\\r\\n| where Action == \\\"Deny\\\"\\r\\n| where '*' == SourceIP or '*' == \\\"*\\\" \\r\\n| summarize count() by FQDN\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Domain & Category Filtering\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FQDN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Diagnostics\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isCategoryVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Domain Category Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Domain Reputation Filter](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDomain reputation filtering protections are a form of domain denylisting based on a domain’s reputation, as defined by either 
the agency or an external entity.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall Threat Intelligence-Based Filtering](https://docs.microsoft.com/azure/firewall/threat-intel)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where msg_s <> \\\" request from to . Action: . ThreatIntel: \\\"\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url: \\\" Url \\\". Action: \\\" Action \\\". ThreatIntel: \\\" ThreatIntelMsg\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". ThreatIntel: \\\" ThreatIntelMsg\\r\\n)\\r\\n| summarize by ThreatIntelMsg, Url, FQDN, Action, Protocol, SourceIP, SourcePort, DestinationPort, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: Threat Intelligence URL Blocks\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Url\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Diagnostics\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Action\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"FQDN\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"FQDN\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isReputationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Domain Reputation Filter\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Bandwidth Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nBandwidth control technologies allow for limiting the amount of bandwidth used by different classes of domains.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Metrics](https://docs.microsoft.com/azure/azure-monitor/essentials/data-platform-metrics) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Monitor Metrics Overview](https://docs.microsoft.com/azure/azure-monitor/essentials/data-platform-metrics)
\\r\\n💡 [Monitor Azure Firewall Logs and Metrics](https://docs.microsoft.com/azure/firewall/firewall-diagnostics) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"Bandwidth Control\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"40\",\"name\":\"Control Smartcard\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5084e141-6c56-4d7f-bd8a-09f7ef9af1bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Resource\",\"label\":\"Azure Firewalls\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type =~ 'Microsoft.Network/azureFirewalls'\\r\\n| project id, name\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"parameters - 1\"},{\"type\":10,\"content\":{\"chartId\":\"workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15\",\"version\":\"MetricsItem/2.0\",\"size\":0,\"chartType\":2,\"resourceType\":\"microsoft.network/azurefirewalls\",\"metricScope\":0,\"resourceParameter\":\"Resource\",\"resourceIds\":[\"{Resource}\"],\"timeContextFromParameter\":\"TimeRange\",\"timeContext\":{\"durationMs\":604800000},\"metrics\":[{\"namespace\":\"microsoft.network/azurefirewalls\",\"metric\":\"microsoft.network/azurefirewalls--Throughput\",\"aggregation\":4,\"columnName\":\"All Firewall Throughput Average\"}],\"title\":\"Average Throughput of Firewall Traffic\",\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"metric - 25\"}]},\"conditionalVisibility\":{\"parameterName\":\"isBandwidthVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Bandwidth 
Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious Content Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMalicious content filtering protections detect the presence of malicious content and facilitate its removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Microsoft Defender for Cloud's enhanced security features](https://docs.microsoft.com/azure/defender-for-cloud/enhanced-security-features-overview)
\\r\\n💡 [What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡 [Azure Web Application Firewall on Azure Front Door](https://docs.microsoft.com/azure/web-application-firewall/afds/afds-overview)
\\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.PT, PR.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"firewall\\\" or RecommendationDisplayName contains \\\"defender\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"mal\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Malicious Content\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| project Category, ResourceType, OperationName);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by OperationName\\r\\n | project Category=OperationName, Volume\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | 
summarize Volume=count() by OperationName\\r\\n | project Category=OperationName, Volume\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by Category\\r\\n)\\r\\n| sort by Volume desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Web Protections by Rule Category\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"SelectedCategory\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Volume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Volume\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMaliciousVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Malicious Content 
Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control technologies allow an agency to define policies limiting what actions may be performed by connected users and entities.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Overview of Role-Based Access Control in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\\r\\n💡 [What is Azure AD Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Secure Your Management Ports With Just-In-Time Access](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"Just\\\" or RecommendationDisplayName contains \\\"privilege\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAccessVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Web Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Networking](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nNetwork-based protections including network access controls, IP denylisting, host containment, network segmentation, and microsegmentation. \\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Networking Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 109\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Access\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"IP Denylisting\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IP\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Host Containment\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Host\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Network Segmentation\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Network\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Microsegmentation\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Micro\\\\\\\" 
}\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAccessVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Access\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIPVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IP\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"50ab20f8-9e71-4938-a67c-fc3cddda9d3e\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isHostVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Host\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"297ab54c-7fb4-4d69-b331-d06b5848b0c2\"},{\"version\":\"KqlPar
ameterItem/1.0\",\"name\":\"isNetworkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Network\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4c49d950-1bd2-45c1-8a98-4f17abff2088\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMicroVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Micro\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"cf2d16a5-def7-4887-87ff-188258574464\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control protections prevent the ingest, egress, or transiting of unauthorized network traffic.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Security Recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Tutorial: Create an Application Gateway with a Web Application Firewall using the Azure Portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal)
\\r\\n💡 [Tutorial: Create and Manage a VPN Gateway using Azure Portal]( https://docs.microsoft.com/azure/vpn-gateway/tutorial-create-gateway-portal)
\\r\\n💡 [What is Azure ExpressRoute?](https://docs.microsoft.com/azure/expressroute/expressroute-introduction)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
🔀 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
🔀 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
🔀 [ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"network access\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where 
type contains \\\"network\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Networking Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where OperationName == \\\"NetworkSecurityGroupEvents\\\"\\r\\n| summarize count() by ruleName_s\\r\\n| project NetworkSecurityGroupRule=ruleName_s, FlowCount=count_\\r\\n| sort by FlowCount desc \",\"size\":0,\"showAnalytics\":true,\"title\":\"Flow Counts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"NetworkSecurityGroupRule\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Lateral_Movement\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FlowCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAccessVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [IP Denylisting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIP denylisting protections prevent the ingest or transiting of traffic received from or destined to a denylisted IP address.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [ThreatIntelligenceIndicator](https://docs.microsoft.com/azure/azure-monitor/reference/tables/threatintelligenceindicator) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Connect Data from Threat Intelligence Providers](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n💡 [Azure Firewall Threat Intelligence Configuration](https://docs.microsoft.com/azure/firewall-Manager/threat-intelligence-settings)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n\\t iff(isnotempty(Url), \\\"URL\\\",\\r\\n\\t iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n\\t iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n\\t iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n\\t \\\"Other\\\")))))\\r\\n| where IndicatorType == \\\"IP\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by IndicatorType\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Sentinel: Threat Intelligence IP Indicators Ingested\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"VMConnection\\r\\n| extend NetworkSourceIP=RemoteIp\\r\\n| where NetworkSourceIP <> \\\"\\\"\\r\\n| extend FirewallManager=strcat(\\\"FirewallManager\\\")\\r\\n| join (ThreatIntelligenceIndicator) on NetworkSourceIP\\r\\n| extend Indicator = strcat(NetworkSourceIP, FileHashValue, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName)\\r\\n| extend Source=SourceSystem1\\r\\n| summarize count () by ThreatType, Action, Indicator, Direction, _ResourceId, FirewallManager, RemoteCountry, RemoteIp, Source\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence: IP Denylisting\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FirewallManager\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Firewall Manager 
>>\",\"bladeOpenContext\":{\"bladeName\":\"FirewallManagerMenuBlade\",\"extensionName\":\"Microsoft_Azure_HybridNetworking\"}}},{\"columnMatch\":\"RemoteCountry\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"RiskIQ_Lookup\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"RiskIQ Lookup >\"}},{\"columnMatch\":\"VirusTotalURL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"VirusTotal Lookup >\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"RemoteCountry\",\"latitude\":\"RemoteLatitude\",\"longitude\":\"RemoteLongitude\",\"sizeSettings\":\"RemoteCountry\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"RemoteCountry\",\"legendMetric\":\"RemoteCountry\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"RemoteIp\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\"}]}}},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Threat Intelligence: IP Denylisting\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIPVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IP Denylisting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Host 
Containment](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nHost containment protections enable a network to revoke or quarantine a host’s access to the network.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Security Orchestration, Automation, and Response (SOAR) in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/automation-in-azure-sentinel)
\\r\\n💡 [How to Isolate an Azure VM Using Microsoft Defender for Cloud’s Workflow Automation](https://techcommunity.microsoft.com/t5/azure-security-center/how-to-isolate-an-azure-vm-using-azure-security-center-s/ba-p/1250985)
\\r\\n💡 [Isolate Endpoints from the Network](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-endpoints-from-the-network)
\\r\\n\\r\\n### Microsoft Portals \\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"logic\\\"\\r\\n| where id contains \\\"block\\\" or id contains \\\"isolate\\\" or id contains \\\"lock\\\" or id contains \\\"revoke\\\" or id contains \\\"quarantine\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Containment Automations Configured\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isHostVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Host Containment\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Network Segmentation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nNetwork segmentation separates a given network into subnetworks, facilitating security controls between the subnetworks, and decreasing the attack surface of the network.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Implement Network Segmentation Patterns on Azure](https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation)
\\r\\n💡 [What is Azure Virtual Network?](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"segment\\\" or RecommendationDisplayName contains \\\"network security group\\\" or RecommendationDisplayName contains \\\"subnet\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where 
type contains \\\"networksecuritygroups\\\" or type contains \\\"virtualnetworks\\\" or type contains \\\"tables\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Segmentation Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Network Segmentation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsegmentation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMicrosegmentation divides the network, either physically or virtually, according to the communication needs of application and data workflows, facilitating security controls to protect the data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n✳️ [Application Gateway](https://azure.microsoft.com/services/application-gateway/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Network Security & Containment](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n💡 [What is Azure Virtual Network?](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n💡 [Implement network segmentation patterns on Azure](https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation)
\\r\\n💡 [Application Security Groups](https://docs.microsoft.com/azure/virtual-network/application-security-groups)
\\r\\n💡 [Tutorial: Filter Network Traffic with a Network Security Group using the Azure portal](https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Application Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔀 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.DS, PR.IP, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"application gateway\\\" or RecommendationDisplayName contains \\\"security group\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where 
type contains \\\"applicationgateway\\\" or type contains \\\"securitygroup\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsegementation Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isMicroVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Microsegmentation\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Networking Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Resiliency](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nResiliency measures including DDoS protections, elastic expansion, and regional delivery.\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Resiliency Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 
110\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DDoS Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DDoS\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Elastic Expansion\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Elastic\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Regional Delivery\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Regional\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDDoSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DDoS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isElasticVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Elastic\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c6997d7f-b3e5-431c-b747-ea5a75b533e0\"},{\"version\":\"KqlParameterItem/1.0\",\"nam
e\":\"isRegionalVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Regional\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"250d293f-5d5f-4944-8cd4-5ec0183b9053\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DDoS Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDDoS protections mitigate the effects of distributed denial of service attacks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) 🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure DDoS Protection]( https://azure.microsoft.com/services/ddos-protection/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure DDoS Protection Standard Overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DDoS Protection Plans](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"dos\\\" or Title contains \\\"denial\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: DDoS\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Resources\\r\\n| where type contains \\\"microsoft.network/ddosprotectionplans\\\"\\r\\n| extend RG = substring(id, 0, indexof(id, '/providers'))\\r\\n| extend virtualNetworks = properties.virtualNetworks\\r\\n| mvexpand bagexpansion=array virtualNetworks\\r\\n| extend VNETid = virtualNetworks.id\\r\\n| project-away kind, managedBy, sku, plan, identity, zones, extendedLocation, name, tenantId, properties, tags, virtualNetworks, 
resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"DDoS Protection Plans\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"location\",\"formatter\":17},{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"VNETid\",\"formatter\":13,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"id\",\"label\":\"Name\"},{\"columnId\":\"type\",\"label\":\"Type\"},{\"columnId\":\"location\",\"label\":\"Region\"},{\"columnId\":\"subscriptionId\",\"label\":\"Subscription\"},{\"columnId\":\"VNETid\",\"label\":\"Virtual Networks\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DDoSPlans\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"DDoSMitigationReports\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| extend TopAttackVector = tostring(parse_json(AttackVectors_s)[0]) \\r\\n| extend Total_packets_ = tostring(parse_json(TrafficOverview_s).Total_packets) \\r\\n| extend Total_packets_dropped_ = todouble(parse_json(TrafficOverview_s).Total_packets_dropped)\\r\\n| extend TotalPackets =todouble(Total_packets_)\\r\\n| where TotalPackets > 0\\r\\n| where TopAttackVector <> \\\"\\\"\\r\\n| project TopAttackVector, TotalPackets, TotalPacketsDropped = Total_packets_dropped_ , ResourceId , 
SourceIP=IPAddress, Resource, TimeGenerated\\r\\n| sort by TotalPacketsDropped desc\\r\\n| limit 100\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"DDoS Mitigation Activity\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"IPAddress\",\"parameterName\":\"IPAddress\",\"parameterType\":1},{\"fieldName\":\"ResourceId\",\"parameterName\":\"ResourceId\",\"parameterType\":1,\"defaultValue\":\"ResourceId\"},{\"fieldName\":\"Resource\",\"parameterName\":\"AttackReport\",\"parameterType\":1,\"defaultValue\":\"/\"}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TopAttackVector\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"TotalPackets\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"TotalPacketsDropped\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Resource\",\"formatter\":5},{\"columnMatch\":\"Total_packets_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Total_packets_dropped_\",\"formatter\":4,\"fo
rmatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"subtitleContent\":{\"columnMatch\":\"TopAttackVector\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Resource\"},\"rightContent\":{\"columnMatch\":\"TimeGenerated\"},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDDoSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DDoS Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Elastic Expansion](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nElastic expansion enables agencies to dynamically expand the resources available for services as conditions require.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Virtual Machine Scale Sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/) ✳️ [Traffic Manager]( https://azure.microsoft.com/services/traffic-manager/) ✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) ✳️ [Azure Availability Zones]( https://azure.microsoft.com/global-infrastructure/availability-zones/)\\r\\n\\r\\n### Implementation \\r\\n💡 [What are Virtual Machine Scale Sets?](https://docs.microsoft.com/azure/virtual-machine-scale-sets/overview)
\\r\\n💡 [Elastic Pools Help You Manage and Scale Multiple Databases in Azure SQL Database](https://www.cisa.gov/trusted-internet-connections)
\\r\\n💡 [What is Azure Load Balancer?](https://docs.microsoft.com/azure/load-balancer/load-balancer-overview)
\\r\\n💡 [What is Traffic Manager?](https://docs.microsoft.com/azure/traffic-Manager/traffic-Manager-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Machine Scale Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets)
🔀 [Azure SQL](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Sql%2Fazuresql)
🔀 [Load Balancer](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
🔀 [Traffic Manager Profiles](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2Ftrafficmanagerprofiles)
🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"load\\\" or Description contains \\\"scale\\\" or Description contains \\\"front\\\" or Description contains \\\"traffic manager\\\" or Description contains \\\"pool\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"scale\\\" or type contains \\\"traffic\\\" or type contains \\\"load\\\" or type contains \\\"balance\\\" or type contains \\\"pool\\\" or type contains \\\"set\\\" or type contains \\\"manager\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Elastic Expansion Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isElasticVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Elastic Expansion\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Regional Delivery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nRegional delivery technologies enable the deployment of agency services across geographically diverse locations.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft 
Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter)\\r\\n\\r\\n### Implementation \\r\\n💡 [Building Solutions for High Availability Using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability)
\\r\\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability)
\\r\\n💡 [Data residency in Azure](https://azure.microsoft.com/global-infrastructure/data-residency/#overview)
\\r\\n💡 [Regions and availability zones](https://docs.microsoft.com/azure/availability-zones/az-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"disaster\\\" or RecommendationDisplayName contains \\\"region\\\" or RecommendationDisplayName contains \\\"redundant\\\" or RecommendationDisplayName contains \\\"geo\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-Ins By Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"Location\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by location\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isRegionalVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Regional Delivery\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Resiliency Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nDNS measures including DNS blackholing, DNSSEC for clients, and DNSSEC for domains. 
\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS Capability Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 111\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNS Sinkholing\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Sink\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNSSEC for Agency Clients\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Clients\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNSSEC for Agency Domains\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Domains\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSinkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Sink\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"aaf5f338-70e7-4910-8b24-0256c3e819ab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isClientsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Clients\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDomainsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Domains\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b454a300-8718-4f34-a5e9-722b582dc95d\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS Sinkholing](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNS sinkholing protections are a form of denylisting that protect clients from accessing malicious domains by responding to DNS queries for those domains.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) \\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Azure DNS?](https://docs.microsoft.com/azure/dns/dns-overview)
\\r\\n💡 [How to protect DNS zones and records](https://docs.microsoft.com/azure/dns/dns-protect-zones-recordsets)
\\r\\n💡 [Microsoft Defender for DNS](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-dns-introduction)
\\r\\n💡 [Azure Firewall DNS settings](https://docs.microsoft.com/azure/firewall/dns-settings)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"domain\\\" or type contains \\\"dns\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"dns\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: DNS\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These 
Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSinkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS Sinkholing\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNSSEC for Agency Clients](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNSSEC protections ensure that domain name lookups from agency 
clients, whether for internal or external domains, are validated.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy](https://techcommunity.microsoft.com/t5/azure-network-security/enabling-central-visibility-for-dns-using-azure-firewall-custom/ba-p/2156331)
\\r\\n💡 [DANE Support](https://docs.microsoft.com/windows-server/networking/dns/what-s-new-in-dns-server#dane-support)
\\r\\n💡 [Support of DANE and DNSSEC in Office 365 Exchange Online](https://techcommunity.microsoft.com/t5/exchange-team-blog/support-of-dane-and-dnssec-in-office-365-exchange-online/ba-p/1275494)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DNS zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"dns\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"dns\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"dns\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\r\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\r\\n| project-away msg_s\\r\\n| summarize by TimeGenerated, ResourceId, ClientIP, ClientPort, QueryID, Request_Type, Request_Class, Request_Name, Request_Protocol, Request_Size, EDNSO_DO, EDNS0_Buffersize, Responce_Code, Responce_Flags, Responce_Size, Response_Duration, SubscriptionId\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Request_Type\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: DNS Proxy Actions over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isClientsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNSSEC for Agency Clients\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNSSEC for Agency Domains](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNSSEC protections ensure that all agency domain names are secured using DNSSEC, enabling external entities to validate their resolution the domain names.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Azure DNS?](https://docs.microsoft.com/azure/dns/dns-overview)
\\r\\n💡 [Security Recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"dns\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDomainsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNSSEC for Agency Domains\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Intrusion Detection](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nIntrusion Detection measures including endpoint detection & response, intrusion protection systems, adaptive access control, deception platforms, and certificate transparency log monitoring.\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Intrusion Detection Capability Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 112\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Endpoint Detection and Response\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Endpoint\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Intrusion Protection Systems (IPS)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Intrusion\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Adaptive Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Adaptive\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Deception Platforms\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Deception\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Certificate Transparency Log Monitoring\\\\\\\", \\\\\\\"tab\\\\\\\": 
\\\\\\\"Certificate\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEndpointVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Endpoint\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIntrusionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Intrusion\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"f683c8d4-894a-4863-a2c6-03d36d6d7819\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAdaptiveVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Adaptive\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"27dcffa
8-43ca-4d68-b69d-11dbd33dcbcb\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDeceptionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Deception\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b4f96879-69b4-45b3-b6a6-384a91e9569c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCertificateVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Certificate\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"51c9fd25-2fa3-4cca-bc9f-bf8b5d0a0e07\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Endpoint Detection and Response](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEndpoint detection and response tools combine endpoint and network event data to aid in the detection of malicious activity.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Overview of Endpoint Detection and Response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"endpoint protection\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where AdditionalData contains \\\"Microsoft Defender for Endpoint\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Endpoint Detection & Response\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEndpointVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Endpoint Detection and Response\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Intrusion Protection Systems (IPS)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIntrusion protection systems detect malicious activity, attempt to stop the activity, and report the activity.\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall Premium: IPS](https://docs.microsoft.com/azure/firewall/premium-features#idps)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) 🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, DE.DP, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"IPS\\\" or Title contains \\\"IDS\\\" or Title contains \\\"intrusion\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Intrusion Protection System\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with * \\\"TCP request from \\\" Source \\\" to \\\" Destination \\\". Action: \\\" ActionTaken \\\". Rule: \\\" IDPSSig \\\". IDS: \\\" IDSMessage \\\". Priority: \\\" Priority \\\". Classification: \\\" Classification\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by OperationName\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: IDPS Alerts over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"microsoft.network/firewallpolicies\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"IPS Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Intrusion Protection Systems (IPS)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Adaptive Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAdaptive access control technologies factor in additional context, like security risk, operational needs, and other heuristics, when evaluating access control decisions.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [What is 
Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n💡 [Use adaptive application controls to reduce your machines' attack surfaces](https://docs.microsoft.com/Azure/defender-for-cloud/adaptive-application-controls)
\\r\\n💡 [Improve your network security posture with adaptive network hardening](https://docs.microsoft.com/Azure/defender-for-cloud/adaptive-application-controls)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Workload Protections](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/26)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"adaptive\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = SigninLogs\\r\\n | where AppDisplayName in ('*') or '*' in ('*')\\r\\n | where UserDisplayName in ('*') or '*' in ('*')\\r\\n | extend CAStatus = case(ConditionalAccessStatus == \\\"success\\\", \\\"Successful\\\",\\r\\n ConditionalAccessStatus == \\\"failure\\\", \\\"Failed\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"Not applied\\\", \\r\\n isempty(ConditionalAccessStatus), \\\"Not applied\\\", \\r\\n \\\"Disabled\\\")\\r\\n | mvexpand ConditionalAccessPolicies\\r\\n | extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n | extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"endpoint\\\", \\\"Require endpoint Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined endpoint\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n \\\"Other\\\");\\r\\ndata\\r\\n| summarize Count = dcount(Id) by CAStatus\\r\\n| join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range(ago(14d), now(), 6h) by CAStatus\\r\\n )\\r\\n on CAStatus\\r\\n| project-away CAStatus1, TimeGenerated\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Conditional Access Status\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CAStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAdaptiveVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Adaptive Access Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Deception Platforms](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDeception platform technologies provide decoy environments, from individual machines to entire networks, that can be used to deflect attacks away from the operational systems supporting agency missions/business functions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Microsoft Sentinel Deception Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-microsoft-sentinel-deception-solution/ba-p/2904945)
\\r\\n💡 [Deploy and monitor Azure Key Vault honeytokens with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/monitor-key-vault-honeytokens?tabs=deploy-at-scale)
\\r\\n💡 [Manage Sensitive or Honeytoken Accounts](https://docs.microsoft.com/defender-for-identity/manage-sensitive-honeytoken-accounts)
\\r\\n\\r\\n### Microsoft Portal\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Identity](https://security.microsoft.com/settings/identities)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.AE, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where id contains \\\"deception\\\" or id contains \\\"honey\\\" or id contains \\\"HTDK\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Deception Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"honeytoken\\\" or Title contains \\\"deception\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, 
FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Deception\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| 
where RecommendationDisplayName contains \\\"honey\\\" or RecommendationDisplayName contains \\\"deception\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDeceptionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Deception Platforms\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Certificate Transparency Log Monitoring](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCertificate transparency log monitoring allows agencies to discover when new certificates are issued for agency domains.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Get Started with Key Vault Certificates](https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios)
\\r\\n💡 [Security Recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"cert\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Key Vault Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"certificate\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Certificates\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These 
Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCertificateVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Certificate Transparency Log Monitoring\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Intrusion Detection Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 
[Enterprise](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nEnterprise-based controls including security orchestration automation & response, shadow IT detection, and virtual private networks. \"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Enterprise Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 113\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Orchestration, Automation, and Response\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SOAR\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Shadow IT Detection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Shadow\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Virtual Private Network (VPN)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"VPN\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"6a82c6f2-dde9-45d9-acf4-23e96b5b2647\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSOARVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SOAR\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isShadowVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Shadow\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"750b4451-0f5d-4e58-95c2-c4b4c8991335\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isVPNVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"VPN\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a2f3d34f-7824-4733-bddc-00efb62da0f2\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Orchestration, Automation, and Response (SOAR)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nSecurity Orchestration, Automation, and Response (SOAR) tools define, prioritize, and automate the response to security incidents.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Logic Apps](https://azure.microsoft.com/services/logic-apps/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Tutorial: Setup Automated Threat Responses in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, DE.DP, RS.CO, RS.AN, RC.RP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type == \\\"microsoft.logic/workflows\\\"\\r\\n| extend Connection = parse_json(properties)[\\\"parameters\\\"][\\\"$connections\\\"][\\\"value\\\"]\\r\\n| where Connection has \\\"managedApis/azuresentinel\\\"\\r\\n| project id, type, resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"SOAR Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"playbook\\\" or RecommendationDisplayName contains \\\"automation\\\" or RecommendationDisplayName contains \\\"logic\\\" or RecommendationDisplayName contains \\\"notification\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed 
= countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where OperationNameValue startswith \\\"Microsoft.Logic\\\"\\r\\n| where ActivityStatusValue == \\\"Success\\\" or ActivityStatusValue == \\\"Succeeded\\\"\\r\\n| extend scope_ = tostring(Authorization_d.scope)\\r\\n| parse-where scope_ with * 'workflows/' PlaybookName '/' *\\r\\n| where PlaybookName contains \\\"notify\\\" or PlaybookName contains \\\"email\\\" or PlaybookName contains \\\"teams\\\" or PlaybookName contains \\\"ticket\\\" or PlaybookName contains \\\"post\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by PlaybookName\\r\\n| render timechart \",\"size\":0,\"showAnnotations\":true,\"showAnalytics\":true,\"title\":\"Notification SOAR Playbooks (Triggered over Time)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. 
Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSOARVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Security Orchestration, Automation, and Response (SOAR)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Shadow IT Detection](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nShadow IT detection systems detect the presence of unauthorized software and systems in use by an agency.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Tutorial: Discover and Manage Shadow IT in Your Network](https://docs.microsoft.com/cloud-app-security/tutorial-shadow-it)
\\r\\n💡 [Review Your Security Recommendations](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Endpoint Discovery - Navigating Your Way Through Unmanaged Devices](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909)
\\r\\n💡 [Device Discovery Overview](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery)
\\r\\n💡 [Welcome to Microsoft Defender for IoT](https://docs.microsoft.com/azure/defender-for-iot/overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for IoT](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.IP, PR.MA, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"shadow\\\" or Description contains \\\"unauth\\\" or Description contains \\\"rogue\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Shadow IT\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"safe\\\" or RecommendationDisplayName contains \\\"authorized\\\" or RecommendationDisplayName contains \\\"endpoint protection\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by 
RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| project AssetID=id,AssetType=type, Azure_Inventory, M365_Inventory\\r\\n| sort by AssetType desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Asset Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isShadowVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Shadow IT Detection\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Virtual Private Network (VPN)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nVirtual private network (VPN) solutions provide a secure communications mechanism between networks that may traverse across unprotected or public networks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [VPN Gateway]( https://azure.microsoft.com/services/vpn-gateway/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is VPN Gateway?](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.DS, PR.IP, PR.MA, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"private\\\" or RecommendationDisplayName contains \\\"vpn\\\" or RecommendationDisplayName contains \\\"network gateway\\\" or RecommendationDisplayName contains \\\"express\\\" or RecommendationDisplayName contains \\\"VPC\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"gate\\\" or type contains \\\"bastion\\\" or type contains \\\"route\\\" or type contains \\\"privateend\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"VPN Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isVPNVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Virtual Private Network (VPN)\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Enterprise Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Unified Communications & Collaboration](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nUCC measures including identity verification, encrypted communications, connection terminations, and data loss prevention. 
\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Unified Communications & Collaboration Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 114\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Identity Verification\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Identity\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Encrypted Communication\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Encrypted\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Connection Termination\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Connection\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIdentityVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Identity\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEncryptedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Encrypted\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9b640df5-5ec5-41bc-8e78-086304ed742a\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isConnectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Connection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"893f0857-1ccf-4c35-8432-abe89d1fcf15\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"t
rue\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"767d26fb-524c-448c-9240-40f069a8db45\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Identity Verification](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentity verification ensures that access to the virtual meeting is limited to appropriate individuals. Waiting room features, where the meeting host authorizes vetted individuals to join the meeting can also be utilized.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Security and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-security-guide)
\\r\\n💡 [Identity Models and Authentication for Microsoft Teams](https://docs.microsoft.com/microsoftteams/identify-models-authentication)
\\r\\n💡 [Microsoft Sentinel and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-sentinel-guide)
\\r\\n💡 [Microsoft Teams Meeting Attendance Report](https://docs.microsoft.com/microsoftteams/teams-analytics-and-reports/meeting-attendance-report)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where AppDisplayName has_any (\\\"teams\\\", \\\"webex\\\", \\\"slack\\\", \\\"zoom\\\", \\\"meet\\\", \\\"chat\\\", \\\"goto\\\")\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId, AppDisplayName\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, AppDisplayName, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"UCC Authentications\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIdentityVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Identity Verification\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Encrypted 
Communication](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCommunication between virtual meeting participants and any data exchanged is encrypted at rest and in transit. Some UCC offerings support end-to-end encryption, where encryption is performed on the clients and can only be decrypted by the other authenticated participants and cannot be decrypted by the UCC vendor.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Security and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-security-guide)
\\r\\n💡 [Microsoft Sentinel and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-sentinel-guide)
\\r\\n💡 [Trustworthy by Default](https://docs.microsoft.com/microsoftteams/teams-security-guide#trustworthy-by-default)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where RecordType == \\\"MicrosoftTeams\\\"\\r\\n| extend TeamsMembers = strcat(Members)\\r\\n| distinct Operation, UserId, TeamsMembers, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Teams Logs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * 
'/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"web apps\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEncryptedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Encrypted Communication\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Connection Termination](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMechanisms that ensure the meeting host can positively control participation. These can include inactivity timeouts, on-demand prompts, unique access codes for each meeting, host participant eviction, and even meeting duration limits.\\r\\n\\r\\n### Implementation \\r\\n💡 [Manage Meeting Policies in Teams](https://docs.microsoft.com/microsoftteams/meeting-policies-in-teams)
\\r\\n💡 [Manage Microsoft Teams Rooms](https://docs.microsoft.com/microsoftteams/rooms/rooms-manage)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Teams Admin Center](https://admin.teams.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, PR.AT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":1,\"content\":{\"json\":\"### ✳️ [Leverage Microsoft Teams for UCC Connection Termination Controls via Meeting Policies](https://docs.microsoft.com/microsoftteams/meeting-policies-in-teams?WT.mc_id=Portal-fx)\\r\\n \\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isConnectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Connection Termination\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMechanisms for controlling the sharing of information between UCC participants, intentional or incidental. This may be integrated into additional agency data loss prevention technologies and can include keyword matching, attachment file type or existence prohibitions, attachment size limitations, or even audio/visual filters.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Data Loss Prevention and Microsoft Teams](https://docs.microsoft.com/microsoft-365/compliance/dlp-microsoft-teams)
\\r\\n💡[Communication Compliance in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| summarize count() by ApplicationName_s, LabelName_s\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitive Data Actions by Application\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Protection](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nData protection measures including access control, protections for data at rest, protections for data in transit, data loss prevention, and data access & use telemetry. 
\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Protection Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 115\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Access\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Protections for Data at Rest\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Rest\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Protections for Data in Transit\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Transit\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Access and Use Telemetry\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Use\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"6a82c6f2-dde9-45d9-acf4-23e96b5b2647\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAccessVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Access\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRestVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Rest\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b91d3f98-d0d1-4e31-a63c-d949e61ec08b\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isTransitVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Transit\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a34338fa-6463-4b8f-866f-2d79396eceb7\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaC
ontext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9a520097-2a54-41dd-bf84-7ca039dd1939\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Use\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"22c31b63-743c-4b33-924e-26a70aa0fefb\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control technologies allow an agency to define policies concerning the allowable activities of users and entities to data and resources.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How Access Management in Azure AD works](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups#how-access-management-in-azure-ad-works)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId, AppDisplayName\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, AppDisplayName, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Access by Application\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":2500,\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OperationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Runs\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\\r\\n| where Location <> \\\"\\\"\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"User Sign-Ins by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OperationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Runs\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":10,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"},\"numberFormatSettings\":{\"un
it\":0,\"options\":{\"style\":\"decimal\"}}}},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"showPin\":false,\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAccessVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protections for Data at Rest](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData protection at rest aims to secure data stored on any endpoint or storage medium.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Data Encryption at Rest](https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest)
\\r\\n💡 [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isRestVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Protections for Data at Rest\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protections for Data in Transit](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData protection in transit, or data in motion, aims to secure data that is actively moving from one location to another, such as across the internet or through a private enterprise network.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Data Encryption in Transit](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit)
\\r\\n💡 [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Encryption for Data in Transit](https://docs.microsoft.com/compliance/assurance/assurance-encryption-in-transit)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName has_any(\\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isTransitVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Protections for Data in Transit\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Hunt for Threats with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/hunting)
\\r\\n💡 [Learn about Microsoft 365 Endpoint Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"data\\\" or Title contains \\\"data\\\" or Description contains \\\"loss\\\" or Title contains \\\"loss\\\" or Description contains \\\"exfil\\\" or Title contains \\\"exfil\\\" or Tactics contains \\\"exfil\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Loss\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| project UserId_s, LabelName_s, Operation_s, Activity_s, IPv4_s, ProtectionOwner_s, ApplicationName_s, ProcessName_s, Platform_s, ContentId_g, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Scan/Monitor for Sensitive Data with Azure Information Protection\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Access and Use 
Telemetry](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentify agency sensitive data stored, processed, or transmitted, including those located at a service provider. Enforce detailed logging for access or changes to sensitive data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [What is Azure Information Protection?](https://docs.microsoft.com/azure/information-protection/what-is-information-protection)
\\r\\n💡 [Tutorial: Discovering Your Sensitive Content with the Azure Information Protection (AIP) scanner](https://docs.microsoft.com/azure/information-protection/tutorial-scan-networks-and-content)
\\r\\n💡 [Quickstart: Deploying the Azure Information Protection (AIP) Unified Labeling Client](https://docs.microsoft.com/azure/information-protection/quickstart-deploy-client)
\\r\\n💡 [Azure Information Protection (AIP) Labeling, Classification, and Protection](https://docs.microsoft.com/azure/information-protection/aip-classification-and-protection)
\\r\\n💡 [Overview of Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/data-loss-prevention-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.PT, DE.AE, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| summarize count() by UserId_s, LabelName_s, ApplicationName_s_s, Operation_s_s, Platform_s_s, Activity_s_s, IPv4_s_s\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Data Access and Use Telemetry\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| extend UserPrincipalName = UserId_s_s\\r\\n| where LabelName_s <> \\\"\\\"\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Sensitive Data Access by 
Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"lati
tude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\"}]}}},\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Access and Use Telemetry\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Protection Group\"}],\"fromTemplateId\":\"sentinel-ZeroTrust(TIC3.0)\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\",\"value\":\"No\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = 
tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true},\"id\":\"6539479a-3e0d-42c6-bcbe-2d1f11bb9896\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\" Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/0xxx6arkaS)\"},\"name\":\"Survey\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Getting Started\\r\\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with Zero Trust (TIC 3.0) control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and controls. This offering telemetry from 25+ Microsoft Security and partner offerings, while only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, each offering provides additional enrichment for aligning with control requirements. 
Each control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads. \\r\\n\\r\\n### [Recommended Microsoft Sentinel Roles](https://docs.microsoft.com/azure/sentinel/roles) / [Recommended Microsoft Defender for Cloud Roles](https://docs.microsoft.com/azure/defender-for-cloud/permissions#roles-and-allowed-actions)\\r\\n| Roles | Rights | \\r\\n|:--|:--|\\r\\n|Security Reader | View Workbooks, Analytics, Hunting, Security Recommendations |\\r\\n|Security Contributor| Deploy/Modify Workbooks, Analytics, Hunting Queries, Apply Security Recommendations |\\r\\n|Automation Contributor| Deploy/Modify Playbooks & Automation Rules |\\r\\n\\r\\n### Onboarding Prerequisites \\r\\n1️⃣ [Access Microsoft 365 Compliance Manager: Assessments](https://compliance.microsoft.com/compliancemanager?viewid=Assessments)
\\r\\n2️⃣ [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\\r\\n3️⃣ [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n4️⃣ [Continuously Export Security Center Data to Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/continuous-export)
\\r\\n5️⃣ [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\\r\\n6️⃣ [Implement CLAW Aggregator](https://github.com/Azure/trusted-internet-connection)
\\r\\n7️⃣ [Configure Auto Provisioning of Microsoft Defender for Cloud Agents](https://docs.microsoft.com/azure/defender-for-cloud/enable-data-collection)
\\r\\n8️⃣ [Review Microsoft Service Trust Portal Documentation/Audit/Resources](https://servicetrust.microsoft.com/)
\\r\\n\\r\\n### Recommended Enrichments\\r\\n✳️[Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n✳️[Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n✳️[Azure Firewall Premium](https://azure.microsoft.com/services/azure-firewall)
\\r\\n✳️[Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n✳️[Azure Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
\\r\\n✳️[Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)
\\r\\n✳️[Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n✳️[Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
\\r\\n✳️[Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)
\\r\\n✳️[Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n✳️[Azure DDoS Protection](https://azure.microsoft.com/services/ddos-protection/)
\\r\\n✳️[Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender)
\\r\\n\\r\\n### Print/Export Report\\r\\n1️⃣ Set Background Theme: Settings > Appearance > Theme: Azure > Apply
\\r\\n2️⃣ Print/Export Report: More Content Actions (...) > Print Content
\\r\\n3️⃣ Settings: Layout (Landscape), Pages (All), Print (One Sided), Scale (60), Pages Per Sheet (1), Quality (1,200 DPI), Margins (None) > Print
\\r\\n\\r\\n### Important\\r\\nThis solution provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements. Each control is associated with one or more 💡[Azure Policy](https://docs.microsoft.com/azure/governance/policy/overview) definitions. These policies may help you 💡[assess compliance](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data) with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. 
\",\"style\":\"info\"},\"name\":\"Help\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Microsoft Zero Trust Deployment Center](https://docs.microsoft.com/security/zero-trust)\\r\\n\\r\\n\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Zero Trust Model\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 109\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Trusted Internet Connections 3.0](https://www.cisa.gov/trusted-internet-connections)\\r\\n\\r\\n| Security Objectives |\\r\\n| : | : | \\r\\n| Manage Traffic | Observe, validate, and filter data connections to align with authorized activities; least privilege and default deny |\\r\\n| Protect Traffic Confidentiality | Ensure only authorized parties can discern the contents of data in transit; sender and receiver identification and enforcement |\\r\\n| Protect Traffic Integrity | Prevent alteration of data in transit; detect altered data in transit |\\r\\n| Ensure Service Resiliency | Promote resilient application and security services for continuous operation as the technology and threat landscape evolve |\\r\\n| Ensure Effective Response | Promote timely reaction and adapt future response to discovered threats; policies defined and implemented; simplified adoption of new countermeasures |\\r\\n\\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Trusted Internet Connections 3.0\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Zero Trust (TIC 3.0) 
Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\n---\\nThe Microsoft Sentinel Zero Trust (TIC 3.0) Solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across cloud, multi-cloud, 1st/3rd party workloads. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings. This Solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud, multi-cloud, hybrid, and on-premise workloads. For more information, see 💡[Microsoft Zero Trust Model](https://www.microsoft.com/security/business/zero-trust) 💡[Trusted Internet Connections](https://www.cisa.gov/trusted-internet-connections)\"},\"name\":\"Workbook Overview\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/next-evolution-of-the-microsoft-sentinel-zero-trust-tic-3-0/ba-p/3278097\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/CxLzTRPuw-4\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ZeroTrust(TIC3.0)\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"79\",\"name\":\"group - 
22\"},{\"type\":1,\"content\":{\"json\":\" \"},\"customWidth\":\"21\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Executive Summary\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Assessment\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Controls Crosswalk\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"CC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Data Connectors\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Recommended Content\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"GC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Azure Lighthouse\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"AL\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Universal Security Capabilities\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Universal Security Capabilities\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Files\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Files\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Capabilities\\\\\\\": \\\\\\\"Email\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Email\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
107\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cec6c07e-2856-4c77-8b48-98935f2c1218\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAssessmentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Assessment\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isControlsCrosswalkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"CC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"20f1daf6-59a0-4673-b1bf-cc388d52debf\"},{\"id\":\"2919b971-fb14-440c-ab42-50304df3ceab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isGCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"GC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"cr
iteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"fa7b0ee3-8d6e-4ff7-bb64-cf2241f30f98\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAzureLighthouseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"AL\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9944cda7-77aa-4189-8061-afc260130b84\"},{\"id\":\"eab3e5a8-66c3-4304-8c2b-43264e858ba8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUniversalSecurityCapabilitiesVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Universal Security 
Capabilities\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isFilesVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Files\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"67de7a24-1840-4fc5-94d5-a6b5d7520a7c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEmailVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Email\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ec480379-6561-4a30-b005-7533da78ed14\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"isVisible Navigation\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Web\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Web\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Networking\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Networking\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Resiliency\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Resiliency\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"DNS\\\\\\\", 
\\\\\\\"tab\\\\\\\": \\\\\\\"DNS\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Intrusion Detection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Intrusion Detection\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Enterprise\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Enterprise\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Unified Communications & Collaboration\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Unified Communications & Collaboration\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control Family\\\\\\\": \\\\\\\"Data Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data Protection\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 109\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"740b611b-8155-4e96-bbcc-bbdba0541143\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isWebVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Web\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"62d67234-8fb2-43e6-b5d2-945692493431\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isNetworkingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Networking\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"pa
ram\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isResiliencyVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Resiliency\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4f04758a-2908-474e-bfe0-13d072241fd2\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDNSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DNS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9cb339a8-c8b4-43ad-b2e5-76f61b87d8c1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIntrusionDetectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Intrusion 
Detection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4b799471-726e-432c-b577-2f45474d883c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEnterpriseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Enterprise\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"584fbe21-b31b-49cb-bd65-62ef850a8310\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUnifiedCommunicationsCollaborationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Unified Communications & Collaboration\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"78d61c25-823a-4232-8a32-1a7e7018e596\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataProtectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data 
Protection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4da988d5-15f9-4ea8-bbd5-2153bfcae0a0\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"isVisible Navigation - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Executive Summary](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)\\r\\n---\\r\\nThis section provides a mechanism to find, fix, and resolve Zero Trust (TIC 3.0) recommendations. A selector provides capability to filter by all, specific, or groups of TIC 3.0 control families. Upon selection, subordinate panels will summarize recommendations by control family, status over time, recommendations, and resources identified. These panels are helpful for identifying the controls of interest, status over time, and impacted resources. The recommendation details pane provides a mechanism to identify specific recommendation details with deep-links to pivot to Microsoft Defender for Cloud for remediation. 
\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 7\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"99a47f97-1aa4-4840-91ee-119aad6d6217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ControlFamily\",\"label\":\"Control Family\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Universal Security Capabilities\\\", \\\"label\\\": \\\"Universal Security Capabilities\\\"},\\r\\n {\\\"value\\\": \\\"Files\\\", \\\"label\\\": \\\"Files\\\"},\\r\\n {\\\"value\\\": \\\"Email\\\", \\\"label\\\": \\\"Email\\\"},\\r\\n {\\\"value\\\": \\\"Web\\\", \\\"label\\\": \\\"Web\\\"},\\r\\n {\\\"value\\\": \\\"Networking\\\", \\\"label\\\": \\\"Networking\\\"},\\r\\n {\\\"value\\\": \\\"Resiliency\\\", \\\"label\\\": \\\"Resiliency\\\"},\\r\\n {\\\"value\\\": \\\"DNS\\\", \\\"label\\\": \\\"DNS\\\"},\\r\\n {\\\"value\\\": \\\"Intrusion Detection\\\", \\\"label\\\": \\\"Intrusion Detection\\\"},\\r\\n {\\\"value\\\": \\\"Enterprise\\\", \\\"label\\\": \\\"Enterprise\\\"},\\r\\n {\\\"value\\\": \\\"Unified Communications & Collaboration\\\", \\\"label\\\": \\\"Unified Communications & Collaboration\\\"},\\r\\n {\\\"value\\\": \\\"Data Protection\\\", \\\"label\\\": \\\"Data Protection\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"parameters - 26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName 
has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), 
\\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by ControlFamily\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| project ControlFamily, Total, PassedControls, Passed, Failed\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Control Family\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationDisplayName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' 
*;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", 
\\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationDisplayName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationDisplayName\\r\\n| project RecommendationDisplayName, Total, RecommendationLink, PassedControls, Passed, Failed, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"rowLimit\":2500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_compositeBar_Total_1\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", 
\\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", 
\\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by AssessedResourceId\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| project AssessedResourceId, Total, PassedControls, Passed, Failed\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Asset\",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. See Getting Started steps in the help tab above for more 
information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AssessedResourceId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & 
Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", \\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", 
\\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| where RecommendationState == \\\"Unhealthy\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by ControlFamily\\r\\n| render timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations over Time\",\"noDataMessage\":\"No Current Zero Trust(TIC 3.0) Recommendations in this Area. 
Confirm the CMMC Level 3 Assessment is Enabled in Microsoft Defender for Cloud: Regulatory Compliance Blade.\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName <> \\\"\\\"\\r\\n| extend ControlFamily=iff(RecommendationDisplayName has_any(\\\"email\\\"), \\\"Email\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"apps\\\", \\\"teams\\\", \\\"meeting\\\", \\\"call\\\"), \\\"Unified Communications & Collaboration\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"dns\\\", \\\"domain\\\"), \\\"DNS\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"endpoint protection\\\", \\\"malware\\\", \\\"file\\\", \\\"files\\\",\\\"IaaSAntimalware\\\"), \\\"Files\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"Security Center\\\",\\\"defender\\\", \\\"adaptive\\\", \\\"HoneyTokens\\\", \\\"honey\\\", \\\"deception\\\", \\\"intrusion\\\", \\\"incident\\\", \\\"incidents\\\"), \\\"Intrusion Detection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"firewall\\\", \\\"watcher\\\", \\\"proxy\\\", \\\"certificate\\\", \\\"url\\\", \\\"web\\\"), \\\"Web\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"network\\\", \\\"segment\\\", \\\"network security groups\\\", \\\"subnet\\\", \\\"application gateway\\\", \\\"security groups\\\", \\\"IP forwarding\\\", \\\"port\\\", 
\\\"ports\\\", \\\"networks\\\"), \\\"Networking\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"backup\\\",\\\"denial\\\", \\\"DDoS\\\", \\\"load\\\", \\\"scale\\\", \\\"front\\\", \\\"traffic manager\\\", \\\"pool\\\", \\\"disaster\\\", \\\"region\\\", \\\"redundant\\\", \\\"geo\\\"), \\\"Resiliency\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"rest\\\", \\\"transit\\\", \\\"data\\\", \\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\"), \\\"Data Protection\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"private\\\", \\\"vpn\\\", \\\"automation\\\", \\\"playbook\\\", \\\"logic\\\", \\\"notification\\\", \\\"authorized\\\", \\\"safe\\\", \\\"network gateway\\\", \\\"express\\\", \\\"VPC\\\"), \\\"Enterprise\\\",\\r\\niff(RecommendationDisplayName has_any(\\\"recover\\\", \\\"log\\\", \\\"configured\\\", \\\"configuration\\\", \\\"identity\\\", \\\"privilege\\\", \\\"admin\\\", \\\"authentication\\\", \\\"JIT\\\", \\\"just\\\", \\\"password\\\", \\\"time\\\", \\\"sync\\\", \\\"vulnerability\\\", \\\"Vulnerabilities\\\", \\\"updates\\\", \\\"update\\\", \\\"upgrade\\\", \\\"audit\\\", \\\"account\\\", \\\"guest\\\", \\\"shared\\\", \\\"access\\\", \\\"machines\\\", \\\"rights\\\", \\\"VM\\\", \\\"key\\\", \\\"keys\\\", \\\"IAM\\\", \\\"EC2\\\", \\\"GuardDuty\\\", \\\"logs\\\", \\\"CloudTrail\\\", \\\"MFA\\\", \\\"External accounts\\\", \\\"accounts\\\", \\\"config\\\", \\\"credentials\\\", \\\"privileged\\\", \\\"owner\\\", \\\"owners\\\", \\\"login\\\", \\\"logon\\\", \\\"virtual machine\\\", \\\"container\\\", \\\"containers\\\", \\\"Kubernetes\\\"), \\\"Universal Security Capabilities\\\", \\\"Other\\\")))))))))))\\r\\n| where ControlFamily in ({ControlFamily})\\r\\n| where RecommendationState == \\\"Unhealthy\\\"\\r\\n| parse 
RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *\\r\\n| project ResourceID=AssessedResourceId, RecommendationName=RecommendationDisplayName, ControlFamily, Severity=RecommendationSeverity, CurrentState=RecommendationState, RecommendationLink, DiscoveredTimeUTC, assessmentKey\\r\\n| extend Rank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, 0)))\\r\\n| sort by Rank desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendation Details\",\"noDataMessage\":\"No Current Zero Trust (TIC 3.0) Recommendations in this Area. Confirm the CMMC Level 3 Assessment is Enabled in Microsoft Defender for Cloud: Regulatory Compliance Blade.\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceID\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\
",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"linkIsContextBlade\":false,\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Rank\",\"formatter\":5},{\"columnMatch\":\"RecommendationSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":2500,\"filter\":true}},\"name\":\"query - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAssessmentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Controls Crosswalk](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n---\\r\\nControls crosswalk provides a mapping of Zero Trust (TIC 3.0) controls across additional compliance frameworks. 
This provides free-text search capabilities mapping Zero Trust pillars, TIC 3.0 controls, Microsoft offering overlays, and the NIST Cybersecurity Framework.\"},\"customWidth\":\"40\",\"name\":\"Controls Mapping\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Crosswalk = datatable([\\\"Control Name\\\"]: string, [\\\"Zero Trust Pillars\\\"]: string, [\\\"TIC 3.0 Control Family\\\"]: string, [\\\"NIST Cybersecurity Framework\\\"]: string, [\\\"Microsoft Offerings\\\"]: string) [\\r\\n\\\"Backup & Recovery\\\", \\\"Data, Infrastructure\\\", \\\"Universal Security Capabilities\\\", \\\"ID.BE, PR.IP, PR.DS, RS.MI, RC.RP\\\", \\\"Backup Vaults, Recovery Services Vaults, Microsoft Defender for Cloud\\\",\\r\\n\\\"Central Log Management with Analysis\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.PT, DE.AE, RS.AN\\\", \\\"Microsoft Defender for Cloud, Azure Monitor, Azure Lighthouse\\\",\\r\\n\\\"Configuration Management\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.BE, PR.DS, PR.IP, PR.MA\\\", \\\"Automation Accounts, Azure Active Directory, Microsoft Defender for Cloud\\\",\\r\\n\\\"Incident Response Plan & Incident Handling\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.GV, ID.RA, PR.IP, DE.DP, DE.AE, RS.RP, RS.CO, RS.AN, RS.MI\\\", \\\"Microsoft Sentinel\\\",\\r\\n\\\"Inventory\\\", \\\"Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.AC, PR.DS, PR.IP\\\", \\\"Azure Resource Graph Explorer, Azure Active Directory, Microsoft Defender for Cloud, Microsoft 365 Defender\\\",\\r\\n\\\"Least Privilege\\\", \\\"Identities\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.AC, PR.IP, PR.PT, DE.CM\\\", \\\"Azure Active Directory, Microsoft Sentinel, Microsoft Defender for 
Cloud\\\",\\r\\n\\\"Secure Administration\\\", \\\"Identities\\\", \\\"Universal Security Capabilities\\\", \\\"PR.MA\\\", \\\"Azure Active Directory, Privileged Identity Management, Microsoft Defender for Cloud\\\",\\r\\n\\\"Strong Authentication\\\", \\\"Identities\\\", \\\"Universal Security Capabilities\\\", \\\"PR.AC\\\", \\\"Azure Active Directory, Microsoft Defender for Cloud, Microsoft Sentinel, Key Vault\\\",\\r\\n\\\"Time Synchronization\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"PR.IP\\\", \\\"Azure Portal, Virtual Machines, Microsoft Defender for Cloud\\\",\\r\\n\\\"Vulnerability Management\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.RA, PR.IP, DE.AE, DE.CM, DE.DP\\\", \\\"Microsoft Defender for Cloud, Microsoft 365 Defender\\\",\\r\\n\\\"Patch Management\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.IP, PR.MA\\\", \\\"Automation Accounts, Microsoft Defender for Cloud\\\",\\r\\n\\\"Auditing & Accounting\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.SC, PR.AC, PR.PT\\\", \\\"Azure Active Directory, Microsoft Defender for Cloud, Microsoft Sentinel\\\",\\r\\n\\\"Resilience\\\", \\\"Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.BE, PR.PT\\\", \\\"DDoS Protection Plans, Availability Sets, Load Balancing, Virtual Machine Scale Sets\\\",\\r\\n\\\"Enterprise Threat Intelligence\\\", \\\"Visibility & Analytics\\\", \\\"Universal Security Capabilities\\\", \\\"ID.RA, DE.AE, DE.CM, DE.DP\\\", \\\"Microsoft Sentinel, Microsoft Defender Security Intelligence Portal, MSTICpy\\\",\\r\\n\\\"Situational Awareness\\\", \\\"Visibility & Analytics\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, ID.RA, PR.DS, PR.IP, DE.AE, DE.CM, DE.DP, RS.CO\\\", 
\\\"Microsoft Sentinel\\\",\\r\\n\\\"Dynamic Threat Discovery\\\", \\\"Visibility & Analytics\\\", \\\"Universal Security Capabilities\\\", \\\"ID.RA, DE.AE, DE.CM, DE.DP\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud\\\",\\r\\n\\\"Policy Enforcement Parity\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"PR.DS, PR.IP, PR.MA\\\", \\\"Azure Policy, Microsoft Defender for Cloud\\\",\\r\\n\\\"Effective Use of Shared Services\\\", \\\"Data, Apps\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, ID.GV, ID.RM, ID.SC, PR.AT, RS.CO\\\", \\\"Azure Lighthouse, Customer Lockbox, Azure Active Directory\\\",\\r\\n\\\"Integrated Desktop, Mobile, & Remote Policies\\\", \\\"Identities, Endpoints, Data, Apps, Infrastructure, Network\\\", \\\"Universal Security Capabilities\\\", \\\"ID.AM, PR.AC, PR.DS, PR.IP, PR.MA\\\", \\\"Azure Active Directory, Microsoft Endpoint Manager\\\",\\r\\n\\\"Anti-Malware\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Files\\\", \\\"PR.DS, PR.PT, DE.CM, DE.DP, RS.MI\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft Defender for Identity, Microsoft 365 Defender, Microsoft Defender for Cloud Apps\\\",\\r\\n\\\"Content Disarm & Reconstruction\\\", \\\"Data, Apps\\\", \\\"Files\\\", \\\"PR.PT, DE.CM, DE.DP\\\", \\\"Microsoft 365 Defender, Microsoft Endpoint Manager Admin Center, Microsoft Sentinel\\\",\\r\\n\\\"Detonation Chamber\\\", \\\"Endpoints, Apps, Infrastructure, Network\\\", \\\"Files\\\", \\\"DE.CM, DE.DP, RS.AN, RS.MI\\\", \\\"Microsoft 365 Defender, Microsoft Endpoint Manager, Microsoft Sentinel\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Files\\\", \\\"PR.DS\\\", \\\"Azure Information Protection, Microsoft Sentinel, Office 365 Security & Compliance Center\\\",\\r\\n\\\"Anti-Phishing Protections\\\", \\\"Identity, Endpoints, Data\\\", \\\"Email\\\", \\\"PR.AT, PR.PT, DE.CM\\\", \\\"Microsoft 365 
Defender\\\",\\r\\n\\\"Anti-SPAM Protections\\\", \\\"Identity, Endpoints, Data\\\", \\\"Email\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft 365 Defender\\\",\\r\\n\\\"Authenticated Received Chain\\\", \\\"Authenticated Received Chain\\\", \\\"Email\\\", \\\"PR.AC\\\", \\\"Microsoft 365 Defender, Microsoft 365 Admin Center\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Email\\\", \\\"PR.DS\\\", \\\"Azure Information Protection, Microsoft 365 Defender\\\",\\r\\n\\\"DMARC for Incoming Email\\\", \\\"Identities, Data\\\", \\\"Email\\\", \\\"PR.PT, PR.IP\\\", \\\"Microsoft 365 Defender, Microsoft 365 Admin Center\\\",\\r\\n\\\"DMARC for Outgoing Email\\\", \\\"Identities, Data\\\", \\\"Email\\\", \\\"PR.PT, PR.IP\\\", \\\"Microsoft 365 Defender, Microsoft 365 Admin Center\\\",\\r\\n\\\"Encryption for Email Transmission\\\", \\\"Data\\\", \\\"Email\\\", \\\"PR.PT, PR.DS\\\", \\\"Microsoft 365 Admin Center, Microsoft 365 Defender, Microsoft Defender for Cloud\\\",\\r\\n\\\"Malicious URL Protections\\\", \\\"Network\\\", \\\"Email\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft 365 Defender, Microsoft Sentinel\\\",\\r\\n\\\"URL Click-Through Protection\\\", \\\"Network\\\", \\\"Email\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft 365 Defender, Microsoft Sentinel\\\",\\r\\n\\\"Break & Inspect\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Firewall Policies, Network Watcher\\\",\\r\\n\\\"Active Content Mitigation\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Web Application Firewall Policies, Microsoft 365 Defender, Microsoft Defender for Cloud\\\",\\r\\n\\\"Certificate Denylisting\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft Defender for Cloud, Firewall Policies, Key Vault\\\",\\r\\n\\\"Content Filtering\\\", \\\"Endpoints, Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM, DE.DP\\\", \\\"Firewalls, Firewall Policies, Microsoft 365 Defender\\\",\\r\\n\\\"Authenticated Proxy\\\", \\\"Identities, Network\\\", \\\"Web\\\", 
\\\"PR.AC\\\", \\\"Azure Active Directory, Microsoft Defender for Cloud Apps\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Web\\\", \\\"PR.DS\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft Defender for Identity Portal, Microsoft 365 Defender, Microsoft Defender for Cloud Apps, Office 365 Security & Compliance Center, Azure Information Protection\\\",\\r\\n\\\"DNS-over-HTTPS Filtering\\\", \\\"Endpoints, Network\\\", \\\"Web\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft Defender for Cloud, Azure Firewall, Microsoft 365 Defender\\\",\\r\\n\\\"RFC Compliance Enforcement\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT\\\", \\\"Web Application Firewall, Azure Firewall\\\",\\r\\n\\\"Domain Category Filtering\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.AC, PR.IP\\\", \\\"Azure Firewall\\\",\\r\\n\\\"Domain Reputation Filter\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT\\\", \\\"Azure Firewall, Microsoft Sentinel\\\",\\r\\n\\\"Bandwidth Control\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.PT\\\", \\\"Azure Firewall\\\",\\r\\n\\\"Malicious Content Filtering\\\", \\\"Network\\\", \\\"Web\\\", \\\"PR.DS, PR.PT, PR.CM\\\", \\\"Microsoft Defender for Cloud, Microsoft Sentinel, Azure Firewall, Web Application Firewall\\\",\\r\\n\\\"Access Control\\\", \\\"Identities, Network\\\", \\\"Web\\\", \\\"PR.AC\\\", \\\"Microsoft Defender for Cloud, Privileged Identity Management\\\",\\r\\n\\\"Access Control\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC, PR.IP, DE.CM\\\", \\\"Microsoft Defender for Cloud, Network Security Groups, Azure Firewall, Web Application Firewall, Virtual Network Gateways, ExpressRoute Circuits\\\",\\r\\n\\\"IP Denylisting\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.PT, DE.CM\\\", \\\"Microsoft Sentinel, Azure Firewall\\\",\\r\\n\\\"Host Containment\\\", \\\"Endpoints, Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC, PR.IP, PR.PT\\\", \\\"Microsoft Sentinel, Microsoft Defender for Cloud, 
Microsoft 365 Defender\\\",\\r\\n\\\"Network Segmentation\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC\\\", \\\"Virtual Networks, Microsoft Defender for Cloud\\\",\\r\\n\\\"Microsegmentation\\\", \\\"Infrastructure, Network\\\", \\\"Networking\\\", \\\"PR.AC, PR.DS, PR.IP, PR.PT\\\", \\\"Application Security Groups, Network Security Groups, Microsoft Defender for Cloud\\\",\\r\\n\\\"DDoS Protections\\\", \\\"Data, Apps, Infrastructure, Network\\\", \\\"Resiliency\\\", \\\"PR.PT\\\", \\\"DDoS Protection Plans, Microsoft Sentinel\\\",\\r\\n\\\"Elastic Expansion\\\", \\\"Infrastructure\\\", \\\"Resiliency\\\", \\\"ID.AM, PR.DS\\\", \\\"Virtual Machine Scale Sets, Azure SQL, Load Balancer, Traffic Manager Profiles, Microsoft Defender for Cloud\\\",\\r\\n\\\"Regional Delivery\\\", \\\"Infrastructure\\\", \\\"Resiliency\\\", \\\"ID.AM, PR.AC, PR.DS\\\", \\\"Availability Sets, Azure Active Directory, Microsoft Defender for Cloud\\\",\\r\\n\\\"DNS Sinkholing\\\", \\\"Network\\\", \\\"DNS\\\", \\\"PR.PT\\\", \\\"DNS Zones, Azure Firewall, Microsoft Defender for Cloud, Microsoft Sentinel\\\",\\r\\n\\\"DNSSEC for Agency Clients\\\", \\\"Network\\\", \\\"DNS\\\", \\\"PR.PT\\\", \\\"DNS Zones, Azure Firewall, Microsoft Defender for Cloud, Microsoft Sentinel\\\",\\r\\n\\\"DNSSEC for Agency Domains\\\", \\\"Network\\\", \\\"DNS\\\", \\\"PR.PT\\\", \\\"DNS Zones, Microsoft Defender for Cloud, Microsoft 365 Defender\\\",\\r\\n\\\"Endpoint Detection & Response\\\", \\\"Endpoints, Infrastructure\\\", \\\"Intrusion Detection\\\", \\\"DE.AE, DE.CM, RS.AN\\\", \\\"Microsoft 365 Defender, Microsoft Defender for Cloud\\\",\\r\\n\\\"Intrusion Protection Systems (IPS)\\\", \\\"Network\\\", \\\"Intrusion Detection\\\", \\\"DE.AE, DE.CM, DE.DP, RS.AN\\\", \\\"Azure Firewall, Microsoft Sentinel\\\",\\r\\n\\\"Adaptive Access Control\\\", \\\"Identities\\\", \\\"Intrusion Detection\\\", \\\"PR.AC, DE.CM\\\", \\\"Microsoft Defender for Cloud, Azure Active 
Directory\\\",\\r\\n\\\"Deception Platforms\\\", \\\"Identities\\\", \\\"Intrusion Detection\\\", \\\"PR.PT, DE.AE, RS.AN\\\", \\\"Microsoft Sentinel, Microsoft Defender for Identity\\\",\\r\\n\\\"Certificate Transparency Log Monitoring\\\", \\\"Infrastructure, Apps\\\", \\\"Intrusion Detection\\\", \\\"DE.CM\\\", \\\"Key Vault, Microsoft Sentinel, Microsoft Defender for Cloud\\\",\\r\\n\\\"Security Orchestration, Automation, & Response (SOAR)\\\", \\\"Visibility & Automation\\\", \\\"Enterprise\\\", \\\"DE.AE, DE.CM, DE.DP, RS.CO, RS.AN, RC.RP\\\", \\\"Microsoft Sentinel\\\",\\r\\n\\\"Shadow IT Detection\\\", \\\"Endpoints, Infrastructure, Apps\\\", \\\"Enterprise\\\", \\\"PR.IP, PR.MA, DE.CM\\\", \\\"Microsoft Defender for Cloud Apps, Microsoft Defender for Cloud, Microsoft Sentinel, Microsoft 365 Defender, Microsoft Defender for IoT\\\",\\r\\n\\\"Virtual Private Network (VPN)\\\", \\\"Network\\\", \\\"Enterprise\\\", \\\"PR.AC, PR.DS, PR.IP, PR.MA, PR.PT\\\", \\\"Virtual Network Gateways, Microsoft Defender for Cloud\\\",\\r\\n\\\"UCC Identity Verification\\\", \\\"Identities\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.AC\\\", \\\"Microsoft 365 Admin Center, Azure Active Directory\\\",\\r\\n\\\"UCC Encrypted Communication\\\", \\\"Data\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.PT, PR.DS\\\", \\\"Microsoft 365 Admin Center\\\",\\r\\n\\\"UCC Connection Termination\\\", \\\"Identities\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.AC, PR.IP, PR.AT\\\", \\\"Microsoft Teams\\\",\\r\\n\\\"UCC Data Loss Prevention\\\", \\\"Data\\\", \\\"Unified Communications & Collaboration\\\", \\\"PR.DS\\\", \\\"Microsoft 365 Defender, Microsoft 365 Compliance Center\\\",\\r\\n\\\"Access Control\\\", \\\"Identities\\\", \\\"Data Protection\\\", \\\"PR.AC, PR.IP, DE.CM\\\", \\\"Azure Active Directory\\\",\\r\\n\\\"Protections for Data at Rest\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"PR.DS\\\", \\\"Microsoft Defender for Cloud, Key 
Vault\\\",\\r\\n\\\"Protections for Data in Transit\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"PR.DS\\\", \\\"Microsoft Defender for Cloud, Key Vault\\\",\\r\\n\\\"Data Loss Prevention\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"PR.DS\\\", \\\"Azure Information Protection, Microsoft Sentinel, Office 365 Security & Compliance Center\\\",\\r\\n\\\"Data Access & Use Telemetry\\\", \\\"Data\\\", \\\"Data Protection\\\", \\\"ID.AM, PR.AC, PR.DS, PR.PT, DE.AE, DE.CM\\\", \\\"Azure Active Directory, Azure Information Protection, Microsoft 365 Compliance Center\\\"\\r\\n];\\r\\nCrosswalk\\r\\n| project [\\\"Control Name\\\"],[\\\"Zero Trust Pillars\\\"],[\\\"TIC 3.0 Control Family\\\"],[\\\"NIST Cybersecurity Framework\\\"],[\\\"Microsoft Offerings\\\"]\",\"size\":0,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Control Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"TIC 3.0 Control Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Microsoft Offerings\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isControlsCrosswalkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Controls 
Mapping\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Data Connectors](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\\r\\n---\\r\\n\\r\\nAfter onboarding Microsoft Sentinel into your workspace, connect data sources to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many connectors for Microsoft products, available out of the box and providing real-time integration. For example, service-to-service connectors include Microsoft 365 Defender connectors and Microsoft 365 sources, such as Office 365, Microsoft Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Check out these references if you're new to Microsoft Sentinel.\"},\"customWidth\":\"40\",\"name\":\"NS Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"b1cd1f8a-e807-4deb-93f4-7812e5ed014a\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Data Connectors >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorsBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\"}}]},\"customWidth\":\"20\",\"name\":\"EL0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/best-practices\",\"linkTarget\":\"Url\",\"linkLabel\":\"Best Practices\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-all-in-one-accelerator/ba-p/1807933\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel All-In-One 
Accelerator\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://docs.microsoft.com/learn/browse/?wt.mc_id=resilience_skilling_webpage_gdc&terms=sentinel\",\"linkTarget\":\"Url\",\"linkLabel\":\"Microsoft Sentinel Training\",\"style\":\"link\"}]},\"customWidth\":\"40\",\"name\":\"links - 29\"}],\"exportParameters\":true},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Foundational Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Activity Connector](https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"909d0019-23cb-43ad-8285-9f1dca1cd1be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureActivity\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureActivity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"58cc25ab-a9af-4516-99e1-fa22e0637a76\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActivity\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"33\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Entra ID Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"23ba579d-c894-43be-9fe1-d1b04bc34d7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SignInLogs\",\"label\":\"Status\",\"type\":1,\"query\":\"SigninLogs\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Active Directory\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"7c97e893-29f3-4d4c-a379-f220bb82518c\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectory\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Active Directory (AAD) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Office 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-office-365)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"68bd12c8-e473-45d1-8bbc-2dd9f326ea69\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"OfficeActivity\",\"label\":\"Status\",\"type\":1,\"query\":\"OfficeActivity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6a86eb8d-5487-4aad-ae7b-b526e68a249f\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Office365\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Office 365 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Cloud Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-cloud)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"1673e4cf-354f-4a42-bed2-2374be47779e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MDfC\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"Azure Security Center\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"56600b70-0e55-433a-be86-b7c561bced8b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSecurityCenter\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Defender for Cloud Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Network Security Groups (NSG) Connector](https://docs.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b17ce357-e8d5-4c7c-a4f0-765598462a1c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NSG\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"NetworkSecurityGroupEvent\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"935bb630-1fce-4021-b7b4-c010b9e05973\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureNSG\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Network Security Groups (NSG) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Windows Security Events (AMA) Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CAMA#windows-agent-based-connections)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"d9af27d9-8c90-4c85-a57f-f329257d9956\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AMA\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityEvent\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d002eb41-c632-429b-8504-846b69314620\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsSecurityEvents\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Windows Security Events (AMA) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Security Events via Legacy Agent Connector](https://docs.microsoft.com/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CLAA#windows-agent-based-connections)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"b2737fbc-c0e2-4584-9fba-ee7d057d7db0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecurityEvent\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityEvent\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"9a8b0649-e79b-4a30-be25-4a5486f302ee\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"SecurityEvents\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Security Events via Legacy Agent Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [DNS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#windows-dns-server-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNS\",\"label\":\"Status\",\"type\":1,\"query\":\"DnsEvents\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DNS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"DNS Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Storage Accounts Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-storage-account)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4f291c03-8d98-47b6-ba82-1282322bb7a5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"StorageTableLogs\",\"label\":\"Status\",\"type\":1,\"query\":\"StorageTableLogs\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"6d9cd26b-3fcd-4556-b2eb-3dcb711c4de4\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureStorageAccount\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Storage Logs Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Common Event Format (CEF) Connector](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"4fcf795c-75b8-4010-bd24-1d66511ff6e8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CommonSecurityLog\",\"label\":\"Status\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"452e02e1-b0c4-4b9b-8a54-bc9295db22b9\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"CEF\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Common Event Format (CEF) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Syslog Connector](https://docs.microsoft.com/azure/sentinel/connect-syslog)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"fa63a08f-dd08-4e11-bcb6-c075a6d6c15c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Syslog\",\"label\":\"Status\",\"type\":1,\"query\":\"Syslog\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"021644a3-bd51-4b09-8117-017a89c71d58\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Syslog\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Syslog Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Amazon Web Services (AWS) Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"18ed59f0-c497-44b1-94b7-8700051cf189\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AWS\",\"label\":\"Status\",\"type\":1,\"query\":\"AWSCloudTrail\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"393c465e-4398-428b-8da2-87ac07d8a987\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AWS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Amazon Web Services (AWS) S3 Connector](https://docs.microsoft.com/azure/sentinel/connect-aws?tabs=s3)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AWSS3\",\"label\":\"Status\",\"type\":1,\"query\":\"AWSVPCFlow\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AwsS3\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) S3 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Google Cloud Platform IAM Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#google-workspace-g-suite-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GCP\",\"label\":\"Status\",\"type\":1,\"query\":\"GCP_IAM_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"1f2ba663-dd7a-49b6-87ba-0b8adf6d2d34\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Amazon Web Services (AWS) S3 Connector - Copy\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Basic Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft 365 Defender Connector](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"M365Defender\",\"label\":\"Status\",\"type\":1,\"query\":\"AlertEvidence\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 
3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftThreatProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft 365 Defender Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Endpoint Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-endpoint)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MDE\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"MDATP\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"MicrosoftDefenderAdvancedThreatProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft 365 Defender Connector - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureFirewall\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureFirewall\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Windows Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#windows-firewall)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"WindowsFirewall\",\"label\":\"Status\",\"type\":1,\"query\":\"WindowsFirewall\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WindowsFirewall\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Windows Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Web Application Firewall Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-web-application-firewall-waf)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureWAF\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceType in (\\\"APPLICATIONGATEWAYS\\\", \\\"FRONTDOORS\\\", \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\", \\\"PROFILES\\\")\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"WAF\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Web Application Firewall Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure SQL Databases Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-sql-databases)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"8b7ac3ca-b46c-43e0-ae8c-e2b5189596bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SQL\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where Category contains \\\"SQL\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"2d8731f5-c225-4a39-9914-6391b2c89ecb\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureSql\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"SQL Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Key Vault Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-key-vault)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AzureKeyVault\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceProvider == \\\"MICROSOFT.KEYVAULT\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKeyVault\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Key Vault Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure DDoS Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-ddos-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DDoS\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics | where ResourceType == \\\"PUBLICIPADDRESSES\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Azure Activity Connector - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"DDOS\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure DDoS Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [VMware Carbon Black Cloud via AWS S3](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#vmware-esxi-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VMwareCarbon\",\"label\":\"Status\",\"type\":1,\"query\":\"CarbonBlack_Alerts_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"VMwareESXi\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"VMware ESXi Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for Cloud: Continuous Export](https://docs.microsoft.com/azure/defender-for-cloud/continuous-export?tabs=azure-portal)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecurityRecommendation\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityRecommendation\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 3\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Feature\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"SecurityMenuBlade\",\"extensionName\":\"Microsoft_Azure_Security\"}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Continuous Export 
Connector\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Intermediate Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Purview Information Protection](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#Microsoft-Purview-Information-Protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MicrosoftPurviewInformationProtection\",\"type\":1,\"query\":\"MicrosoftPurviewInformationProtection\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Status\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureInformationProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Information Protection Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Dynamics 365 Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#dynamics-365)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Dynamics365Activity\",\"label\":\"Status\",\"type\":1,\"query\":\"Dynamics365Activity\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"Dynamics365\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Dynamics 365 Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Azure Kubernetes Service (AKS) Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-kubernetes-service-aks)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AKS\",\"label\":\"Status\",\"type\":1,\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"kube-audit\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureKubernetes\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Kubernetes Service (AKS) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Qualys Vulnerability Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#qualys-vulnerability-management-vm-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"QualysHostDetectionV3_CL\",\"label\":\"Status\",\"type\":1,\"query\":\"QualysHostDetectionV3_CL\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"QualysVulnerabilityManagement\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Qualys Vulnerability Management Connector\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Advanced Connectors\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Entity Behavior (UEBA)](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"BehaviorAnalytics\",\"label\":\"Status\",\"type\":1,\"query\":\"BehaviorAnalytics\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 
1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable Feature\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"EntitySearchBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\"}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Entity Behavior (UEBA) Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Entra ID Protection Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"AADIP\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert | where ProductName == \\\"Azure Active Directory Identity Protection\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"AzureActiveDirectoryIdentityProtection\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Azure Active Directory Identity Protection Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Threat Intelligence TAXII Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-taxii)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TAXII\",\"label\":\"Status\",\"type\":1,\"query\":\"ThreatIntelligenceIndicator | where SourceSystem !in (\\\"SecurityGraph\\\", \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\") \\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligenceTaxii\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Threat Intelligence TAXII Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Threat Intelligence Platform Connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence-tip)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatIntelligence\",\"label\":\"Status\",\"type\":1,\"query\":\"ThreatIntelligenceIndicator | where SourceSystem in (\\\"SecurityGraph\\\", \\\"Azure Sentinel\\\", \\\"Microsoft Sentinel\\\") \\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"ThreatIntelligence\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Threat Intelligence Platform Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Defender for IoT Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-iot)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MD4IOT\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert | where ProductName == \\\"Azure Security Center for IoT\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"IoT\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Defender for IoT Connector\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### [Microsoft Purview: Insider Risk Management Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview-insider-risk-management-irm-preview)\"},\"customWidth\":\"33\",\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"548cdd92-87c3-4e69-be08-52ecca0f76a8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IRM\",\"label\":\"Status\",\"type\":1,\"query\":\"SecurityAlert\\r\\n| where ProductName == \\\"Microsoft 365 Insider Risk Management\\\"\\r\\n| limit 1\\r\\n| summarize count()\\r\\n| extend Results = iff(count_ ==0, \\\"❌ Not Connected\\\", \\\"✅ Connected\\\")\\r\\n| project Results\",\"crossComponentResources\":[\"{Workspace}\"],\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d9b9144c-69bc-4eb2-a747-a9e0d206780b\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Enable 
Connector\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"DataConnectorBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"dataConnectorId\",\"source\":\"static\",\"value\":\"OfficeIRM\"}]}}]},\"customWidth\":\"33\",\"name\":\"EL0\"}],\"exportParameters\":true},\"name\":\"Microsoft Purview: Insider Risk Management Connector\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 6\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"isDCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Data Connectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Recommended Content](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog)\\r\\n---\\r\\n\\r\\nThe following content packages provide utility for regulated industries use cases.\"},\"name\":\"NS Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions\",\"linkTarget\":\"Url\",\"linkLabel\":\"About Microsoft Sentinel Content & Solutions\",\"style\":\"link\"},{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog\",\"linkTarget\":\"Url\",\"linkLabel\":\"Content Hub Catalog\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"40\",\"name\":\"group - 4\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 
2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"76c7831e-386d-4289-8145-486f52cba8ec\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Content Hub >>\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"ContentHub.ReactView\",\"extensionName\":\"Microsoft_Azure_SentinelUS\"}}]},\"customWidth\":\"40\",\"name\":\"EL0\"}]},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [NIST SP 800-53 Solution](https://docs.microsoft.com/security/zero-trust/integrate/sentinel-solution)\\r\\n\\r\\n---\\r\\nThis solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with NIST SP 800-53 control requirements. This offering telemetry from 25+ Microsoft Security products (1P/3P/Multi-Cloud/Hybrid/On-Premises). Each NIST SP 800-53 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-nist-sp-800-53-solution/ba-p/3381485\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/ju9hxtYnj7s\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NISTSP80053\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"90\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Analysis & Response Solution](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response)\\r\\n---\\r\\n\\r\\nThis solution enables SecOps Analysts, Threat Intelligence Professional, and Threat Hunters to gain situational awareness for threats in cloud environment. The Solution includes (2) Workbooks designed to enable threat hunting programs. Threat analysis provides an understanding of where the attacker is in the cycle which often drives both a historic lens of where the threat may have progressed, but also predictive analytics on the threat’s objectives. This approach is adversarial as understanding of the threat’s attack cycle drives defense actions in a red versus blue model. The Threat Analysis & Response Solution augments the customer burden of building threat hunting programs.\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatAnalysis%26Response\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\" 100\",\"name\":\"text - 2\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Security Benchmark v3](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nEnables Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to gain situational awareness for cloud security posture and hardening. Benchmark recommendations provide a starting point for selecting specific security configuration settings and facilitate risk reduction. The Azure Security Benchmark includes a collection of high-impact security recommendations for improving posture. This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/azure-security-benchmark-v3-workbook/ba-p/3257673\",\"linkTarget\":\"Url\",\"linkLabel\":\"Announce Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/v57gWjvcY4o\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"cc5f4830-f090-4f5e-afb2-47adba6be532\",\"cellValue\":\"https://youtu.be/qVJjwOipHDA\",\"linkTarget\":\"Url\",\"linkLabel\":\"ASC in the Field\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workbooks/Azure%20Security%20Benchmark%20v3\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Cybersecurity Maturity Model Certification (CMMC) 2.0](https://dodcio.defense.gov/CMMC/)\\r\\n---\\r\\n\\r\\nThis solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/assessment/reporting, (2) Analytics rules for monitoring and (3) Playbooks for response/remediation. CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-cybersecurity-maturity-model/ba-p/3295095\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/-_a5HxJgriE\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsoft Insider Risk Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786)\\r\\n---\\r\\n\\r\\nInsider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and escalating cases to Microsoft Advanced eDiscovery. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risks come in various forms including both witting (intentional) and unwitting (unintentional). This workbook provides an automated visualization of Insider risk behavior cross walked to Microsoft security offerings.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-microsoft-sentinel-microsoft-insider-risk/ba-p/2955786\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MicrosoftPurviewInsiderRiskManagement\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [IT/OT Threat Monitoring Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184)\\r\\n---\\r\\n\\r\\nThis solution provides the foundation for building a SOC for monitoring IoT/ OT and includes (1) workbook for visibility/reporting, (14) analytics rules for monitoring, and (4) playbooks for response. The workbook leverages Microsoft Sentinel telemetry to create visualization to understand, analyze, and respond to IoT/OT threats. Understanding alerts over time provides unprecedented insights into security posture and where teams need to focus to harden against threats. Deep links directly to Microsoft Defender for IoT alerts empower analysts to focus on remediating threats rather than pivoting between tools.
\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"8f7dce97-a41c-42b3-b62f-a21fbf5a1420\",\"cellValue\":\"https://youtu.be/hZS2aplJoy8\",\"linkTarget\":\"Url\",\"linkLabel\":\"YouTube Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/readme.md\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Maturity Model for Event Log Management Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842)\\r\\n---\\r\\n\\r\\nThis solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident.\\\"Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. 
This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency.\\\" For more information, see 💡[OMB's M-21-31 Memorandum](https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)\\r\\n\\r\\n---\\r\\n
\\r\\n
\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842\",\"linkTarget\":\"Url\",\"linkLabel\":\"Solution Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/quV_80ts__k\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MaturityModelForEventLogManagementM2131\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence Workbook](https://docs.microsoft.com/security/benchmark/azure/)\\r\\n---\\r\\n\\r\\nThe most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions.
\\r\\n\\r\\n---\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"nav\",\"links\":[{\"id\":\"1bad541e-219a-4277-9510-876b0e8cad51\",\"cellValue\":\"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-azure-sentinel-threat-intelligence-workbook/ba-p/2858265\",\"linkTarget\":\"Url\",\"linkLabel\":\"Workbook Blog\",\"style\":\"link\"},{\"id\":\"b9a6293e-1c7b-4ec2-ad2a-d72b5ee01722\",\"cellValue\":\"https://youtu.be/SjEG7iVVBbI\",\"linkTarget\":\"Url\",\"linkLabel\":\"Video Demo\",\"style\":\"link\"},{\"id\":\"7e8ff8aa-f632-4a4d-90cf-a71da0dc6b31\",\"cellValue\":\"https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/ThreatIntelligence.json\",\"linkTarget\":\"Url\",\"linkLabel\":\"GitHub Repo\",\"style\":\"link\"}]},\"name\":\"links - 29\"}]},\"customWidth\":\"50\",\"name\":\"Zero Trust Solution - Copy - Copy - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isGCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Recommended Content\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)\\r\\n---\\r\\nAzure Lighthouse helps service providers simplify customer engagement and onboarding experiences, while managing delegated resources at scale with agility and precision. Authorized users, groups, and service principals can work directly in the context of a customer subscription without having an account in that customer's Microsoft Entra ID tenant or being a co-owner of the customer's tenant. The mechanism used to support this access is called Azure delegated resource management. 
\"},\"customWidth\":\"40\",\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"10\",\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"1cf637a7-121d-4722-b511-b0c460625e31\",\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Access Azure Lighthouse\",\"style\":\"secondary\",\"bladeOpenContext\":{\"bladeName\":\"LighthouseBlade\",\"extensionName\":\"Microsoft_Azure_CustomerHub\"}}]},\"customWidth\":\"50\",\"name\":\"links - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"managedservicesresources\\r\\n| where type == \\\"microsoft.managedservices/registrationassignments\\\"\\r\\n| where properties.provisioningState == \\\"Succeeded\\\"\\r\\n| extend ManageeTenantName = properties.registrationDefinition.properties.manageeTenantName\\r\\n| extend ManagedByTenantName = properties.registrationDefinition.properties.managedByTenantName\\r\\n| extend ManagedByTenantId = properties.registrationDefinition.properties.managedByTenantId\\r\\n| extend ManageeTenantId = tostring(properties.registrationDefinition.properties.manageeTenantId)\\r\\n| extend PermanentAccess = properties.registrationDefinition.properties.authorizations\\r\\n| extend JITAccess = properties.registrationDefinition.properties.eligibleAuthorizations\\r\\n| extend AddedDate = properties.registrationDefinition.systemData.createdAt\\r\\n| extend CreatedBy = systemData.createdBy\\r\\n| project ManageeTenantName, ManageeTenantId, ManagedByTenantName, ManagedByTenantId, AddedDate, CreatedBy\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Lighthouse Delegations\",\"noDataMessage\":\"No Azure Lighthouse Delegations/Customers 
Detected\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ManageeTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Download\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManageeTenantId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"ManagedByTenantName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Upload\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ManagedByTenantId\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"AddedDate\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Clock\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"CreatedBy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"PermanentAccess\",\"formatter\":1},{\"columnMatch\":\"JITAccess\",\"formatter\":1}],\"filter\":true}},\"name\":\"query - 21 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAzureLighthouseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 21\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Universal Security Capabilities](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\n---\\r\\nUniversal capabilities are enterprise-level capabilities that outline guiding principles for TIC use cases. 
Universal capabilities are selected to be broadly applicable; the same list of capabilities apply to every use case. However, certain use cases may provide unique guidance on specific capabilities where necessary. Agencies have significant discretion regarding how to meet the individual security capability requirements and address their particular needs. Agencies are free to determine the level of rigor necessary for applying universal capabilities based on federal guidelines and risk tolerance. While it is expected that agencies may often be able to employ a common solution to fulfill multiple roles or serve multiple purposes, the selection of an appropriate set of solutions is left to each agency.\"},\"customWidth\":\"40\",\"name\":\"text - 105\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 105\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Backup and Recovery\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Backup\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Central Log Management with Analysis\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Central\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Configuration Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Configuration\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Incident Response Plan and Incident Handling\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Incident\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Inventory\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Inventory\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Least Privilege\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Least\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Secure Administration\\\\\\\", \\\\\\\"tab\\\\\\\": 
\\\\\\\"Secure\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Strong Authentication\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Strong\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Time Synchronization\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Time\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Vulnerability Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Vulnerability\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2adea420-fa6e-4073-8a78-1aeada742e2c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isBackupVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Backup\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCentralVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Central\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"04e846bb-6bca-4981-863b-76f4e8ea5667\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isConfigurationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"crit
eriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Configuration\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"7498b0e3-e4dd-44c9-868d-d5baef71ba17\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIncidentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Incident\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"7010b3e9-27e4-40b0-8d4b-fdd05f940d92\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isInventoryVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Inventory\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c9285caf-952f-458a-ac89-3fdb2871151f\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isLeastVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Least\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"356132e1-e5e8-4fd4-8a56-95bd91bc9470\"},{\"ve
rsion\":\"KqlParameterItem/1.0\",\"name\":\"isSecureVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Secure\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"8d5eb913-9e91-4f61-930b-26335aaad1cf\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isStrongVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Strong\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"232d115f-5a82-4a70-aa2d-12fb00993230\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isTimeVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Time\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"da3d19be-b7ed-4449-83ea-c9a001f54315\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isVulnerabilityVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Vulnerability\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false
\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"5e32dd42-2359-4ed6-a5e9-303873a50442\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Patch Management\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Patch\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Auditing and Accounting\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Auditing\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Resilience\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Resilience\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Enterprise Threat Intelligence\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Enterprise\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Situational Awareness\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Situational\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Dynamic Threat Discovery\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Dynamic\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Policy Enforcement Parity\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Policy\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Effective Use of Shared Services\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Effective\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Integrated Desktop, Mobile, and Remote Policies\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Integrated\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2dc83cdc-c5e9-4ea7-a986-0294effc2e8e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPatchVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Patch\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAuditingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Auditing\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"be23e804-75f9-486d-8478-8af0ed3b0b6d\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isResilienceVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Resilience\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"41d2063e-0f2b-47dc-9c7c-2cdcdafb80ec\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEnterpriseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Enterprise\",\"resultValType\":\"static\",\"resultVa
l\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b2752897-08eb-4f06-adae-d7e0b278acef\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSituationalVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Situational\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"0531d0e3-8eb9-4c7f-bedb-d29aed642c1b\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDynamicVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Dynamic\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ee837eb2-25bb-4a51-bdd7-5d58640fb780\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPolicyVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Policy\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"683d9906-de4f-400f-b92e-8f6d5f346db7\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEffectiveVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator
\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Effective\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"6e5570df-f9fa-4ce9-b79c-74068100c9c6\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIntegratedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Integrated\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e7db70e6-eafa-4cb0-ac08-58719fad7c33\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Backup and Recovery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nKeeping copies of configuration and data, as needed, to allow for the quick restoration of service in the event of malicious incidents, system failures, or corruption.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Backup](https://azure.microsoft.com/services/backup/)\\r\\n\\r\\n### Implementation \\r\\n💡 [What is the Azure Backup Service?](https://docs.microsoft.com/azure/backup/backup-overview)
\\r\\n💡 [Review Your Security Recommendations](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Configure Recovery Service Vaults](https://docs.microsoft.com/azure/backup/backup-azure-recovery-services-vault-overview)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Backup Vaults](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Overview)
\\r\\n🔀 [Recovery Services Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.RecoveryServices%2Fvaults)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.BE, PR.IP, PR.DS, RS.MI, RC.RP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Text Group\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"back\\\" or RecommendationDisplayName contains \\\"recover\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where 
type contains \\\"recover\\\" or type contains \\\"restore\\\" or type contains \\\"back\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Backup & Recovery Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"restore\\\" or Description contains \\\"recover\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"restore\\\" or Description contains \\\"recover\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"back\\\" or Description contains \\\"restore\\\" or Description contains \\\"recover\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| 
join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}
}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isBackupVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Backup and Recovery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Central Log Management & Analysis](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCollecting, storing, and analyzing telemetry, where the collection and storage are designed to facilitate data fusion and the security analysis aids in discovery and response to malicious activity.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) 🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Create Diagnostic Settings to Send Platform Logs and Metrics to Different Destinations](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [What is Azure Lighthouse?](https://docs.microsoft.com/azure/lighthouse/overview)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Azure Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\\r\\n🔀 [Azure Lighthouse](https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/LighthouseBlade)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.PT, DE.AE, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"log\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where 
type == \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Logging Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName *\\r\\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\\\"second\\\",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by _TableName, _IsBillable\\r\\n| project ['Table Name'] = _TableName, ['Table Size'] = Size, ['Table Entries'] = Entries,\\r\\n ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable\\r\\n| order by ['Table Size'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Table Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Table Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Table Size\",\"formatter\":8,\"formatOptions\":{\"palette\":\"purple\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Table Entries\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Size per Entry\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"IsBillable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Important\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEq
ualTo\",\"value\":\"true\"},\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isCentralVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Central Log Management with Analysis\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Configuration Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nImplementing a formal plan for documenting, managing changes to the environment, and monitoring for deviations, preferably automated.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Enable Change Tracking and Inventory From an Automation Account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)
\\r\\n💡 [Ensure Your Endpoints Are Configured Properly](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines)
\\r\\n💡 [Secure Score in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/secure-score-security-controls)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.BE, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"config\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"config\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"config\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"config\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| summarize count() by OperationName\\r\\n| where OperationName <> \\\"Other\\\"\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Audit Logs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. 
Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isConfigurationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Configuration Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident 
Response Plan and Incident Handling](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDocumenting and implementing a set of instructions, procedures, or technical capabilities to sense and detect, respond to, limit consequences of malicious cyber attacks, and restore the integrity of the network and associated systems.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Quickstart: Tutorial: Investigate incidents with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.GV, ID.RA, PR.IP, DE.DP, DE.AE, RS.RP, RS.CO, RS.AN, RS.MI](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Security Incidents\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"High\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"High\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"
columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"Medium\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"Medium \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"tileS
ettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"orange\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where Severity == \\\"Low\\\"\\n| summarize count()\\n\\n\\n\\n\",\"size\":4,\"title\":\"Low\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContex
tBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"yellow\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\n| where Status == \\\"New\\\" or Status == \\\"Active\\\"\\n| where dayofyear(TimeGenerated) == dayofyear(now())\\n| summarize count()\\n\\n\\n\",\"size\":4,\"title\":\"New Today\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Description\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60%\"}},{\"columnMatch\":\"name\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"critical\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Major\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"customColumnWidthSetting\":\"5\"}},{\"columnMatch\":\"message\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70%\"}}]},\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"blueDark\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"query - 10\"}]},\"customWidth\":\"50\",\"name\":\"Incidents\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber\\r\\n| where Status == \\\"Closed\\\"\\r\\n| extend TimeToRespond = (CreatedTime - FirstActivityTime)/1h \\r\\n| extend TimeToResolve = (ClosedTime - CreatedTime)/1h\\r\\n| extend AssignedAnalyst = tostring(Owner.assignedTo)\\r\\n| extend [\\\"MITRE ATT&CK Tactics\\\"] = tostring(parse_json(tostring(AdditionalData.tactics))[0])\\r\\n| parse IncidentUrl with * 
'/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| project IncidentName=Title, IncidentNumber, Severity, IncidentUrl, [\\\"MITRE ATT&CK Tactics\\\"], AssignedAnalyst, Classification, ClassificationComment, ClassificationReason, Description, TimeToRespond, TimeToResolve, IncidentStartTime=CreatedTime, IncidentClosedTime=ClosedTime, IncidentBlade\\r\\n| sort by IncidentClosedTime desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Closure Reports\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"TimeToRespond\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"TimeToResolve\",\"formatter\":0,\"numberFormat\":{\"unit\":27,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"name\":\"query - 9 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIncidentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Incident Response Plan and Incident Handling\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Inventory](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDeveloping, documenting, and maintaining a current inventory of all systems, networks, and components so that only authorized endpoints are given access, and unauthorized and un-managed endpoints are found and prevented from gaining access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource 
Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [DeviceRegistryEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceregistryevents) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Explore and Manage Your Resources With Asset Inventory](https://docs.microsoft.com/azure/security-center/asset-inventory)
\\r\\n💡 [View Installed Software](https://docs.microsoft.com/azure/automation/automation-tutorial-installed-software#view-installed-software)
\\r\\n💡 [What is Azure Resource Graph?](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Resource Graph Explorer](https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"Implemented\"},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"04JUL76\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"Asset Inventory Implemented, Plan of Action & Milestones Documented, System Security Plan (SSP) Updated\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| project AssetID=id,AssetType=type, Azure_Inventory, M365_Inventory\\r\\n| sort by AssetType desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Asset Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"where type contains \\\"microsoft\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by location\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by type\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Count by Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"ResourceFlat\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 8\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| summarize count() by ResourceDisplayName\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Application Inventory & Access\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceRegistryEvents \\r\\n| summarize arg_max(TimeGenerated, *) by InitiatingProcessFileName, DeviceName\\r\\n| summarize count() by InitiatingProcessFileName\\r\\n| where InitiatingProcessFileName <> \\\"\\\"\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Software Inventory by Initiating Process\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3 - 
Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isInventoryVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Inventory\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Least Privilege](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDesigning the security architecture such that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Administrator roles by admin task in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/delegate-by-task)
\\r\\n💡 [Overview of role-based access control in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\\r\\n💡 [Microsoft Entra ID Sign-In Activity](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-all-sign-ins)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.IP, PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"identity\\\" or RecommendationDisplayName contains \\\"privilege\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = 
SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Valid Accounts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile 
>>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| extend GroupMemberships = strcat(GroupMembership)\\r\\n| extend AssignedRoles_ = strcat(AssignedRoles)\\r\\n| extend UserPrincipalName = MailAddress\\r\\n| where MailAddress <> \\\"\\\"\\r\\n| distinct UserPrincipalName, GroupMemberships, AssignedRoles_\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Assigned Roles & Group Memberships\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isLeastVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Least Privilege\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Secure Administration](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nPerforming administrative tasks in a secure manner, using secure protocols.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Delegate Administration in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/concept-delegation)
\\r\\n💡 [Start Using Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started#)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"admin\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"admin\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"admin\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"admin\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where OperationName contains \\\"PIM\\\"\\r\\n| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\r\\n| distinct OperationName, Identity, AADOperationType, InitiatedBy, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Privileged Identity Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore 
Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"OperationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Identity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InitiatedBy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"PersonWithFriend\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"ComplianceDomain\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{
\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_InitiatedBy_3\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_InitiatedBy_3\",\"sortOrder\":2}],\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSecureVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Secure Administration\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Strong Authentication](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nVerifying the identity of users, endpoints, or other entities through rigorous means (e.g. multi-factor authentication) before granting access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Plan an Azure AD Multi-Factor Authentication Deployment](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-getstarted)
\\r\\n💡 [How it works: Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
\\r\\n💡 [Remediate recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-remediate-recommendations)
\\r\\n💡 [SecretManagement and Accessing Linux VMs in Azure](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\\r\\n💡 [Eliminate Password-Based Attacks on Azure Linux VMs](https://techcommunity.microsoft.com/t5/azure-security-center/eliminate-password-based-attacks-on-azure-linux-vms/ba-p/2271139)
\\r\\n💡 [Quickstart: Create a Key Vault Using the Azure Portal](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"authentication\\\" or RecommendationDisplayName contains \\\"JIT\\\" or RecommendationDisplayName contains \\\"password\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\" or Description contains \\\"password\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\" or Description contains \\\"password\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"authentication\\\" or Description contains \\\"password\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Title contains \\\"auth\\\" or Title contains \\\"password\\\" or Title contains \\\"login\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == 
\\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Authentication Attacks\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isStrongVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\" Strong Authentication\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Time Synchronization](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCoordinating clocks on all systems (e.g. servers, workstations, network endpoints) to enable accurate comparison of timestamps between systems.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Time Sync for Windows VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/windows/time-sync)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Portal](https://portal.azure.com/)
\\r\\n🔀 [Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Time Synchronization\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"time\\\" or Description contains \\\"sync\\\" or Description contains \\\"ntp\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"time\\\" or Description contains \\\"sync\\\" or Description contains \\\"ntp\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"time\\\" or Description contains \\\"sync\\\" or Description contains \\\"ntp\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description !contains \\\"runtime\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isTimeVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Time 
Synchronization\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Vulnerability Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nProactively working to discover vulnerabilities, including the use of both active and passive means of discovery, and taking action to mitigate discovered vulnerabilities.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Secure Score in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/secure-score-security-controls)
\\r\\n💡 [Microsoft Defender for Cloud's Integrated Vulnerability Assessment Solution for Azure and Hybrid Machine](https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment)
\\r\\n💡 [Threat and Vulnerability Management Walk-Through](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender: Threat & Vulnerability Management](https://security.microsoft.com/tvm_dashboard)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, PR.IP, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"vuln\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| 
where CceId <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by ResourceId, CceId\\r\\n|project CceId, RuleSeverity, Description, ResourceId\\r\\n|limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerability Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CceId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RuleSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Resource\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where CceId <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by Resource, CceId\\r\\n| summarize count() by ResourceId\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerability Count by Asset\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. 
Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Resource\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"CceId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RuleSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isVulnerabilityVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Vulnerability Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Patch Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentifying, acquiring, installing, and verifying patches for products and systems.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Update Management Overview](https://docs.microsoft.com/azure/automation/update-management/overview)
\\r\\n💡 [Enable Update Management From the Azure Portal](https://docs.microsoft.com/azure/automation/update-management/enable-from-portal)
\\r\\n💡 [Handling Planned Maintenance Notifications Using the Azure Portal](https://docs.microsoft.com/azure/virtual-machines/maintenance-notifications-portal)
\\r\\n💡 [Managing Platform Updates with Maintenance Control](https://docs.microsoft.com/azure/virtual-machines/maintenance-control?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json)
\\r\\n💡 [Scheduling Maintenance Updates with Maintenance Control and Azure Functions](https://github.com/Azure/azure-docs-powershell-samples/tree/master/maintenance-auto-scheduler)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"update\\\" or RecommendationDisplayName contains \\\"upgrade\\\" or RecommendationDisplayName contains \\\"version\\\" or RecommendationDisplayName contains \\\"patch\\\" or RecommendationDisplayName contains \\\"java\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isPatchVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Patch Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Auditing and Accounting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCapturing business records, including logs and other telemetry, and making them available for auditing and accounting as required. Design of the auditing system should take insider threat into consideration, including separation of duties violation tracking, such that insider abuse or misuse can be detected.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Create Diagnostic Settings to Send Platform Logs and Metrics to Different Destinations](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings)
\\r\\n💡 [Tutorial: Grant a User Access to Azure Resources Using the Azure Portal](https://docs.microsoft.com/azure/role-based-access-control/quickstart-assign-role-user-portal)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Auditing Microsoft Sentinel Activities](https://techcommunity.microsoft.com/t5/azure-sentinel/auditing-azure-sentinel-activities/ba-p/1718328)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST CSF Mapping\\r\\n[ID.SC, PR.AC, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"audit\\\" or RecommendationDisplayName contains \\\"account\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\" or Description contains \\\"log\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\" or Description contains \\\"log\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"audit\\\" or Description contains \\\"log\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Usage\\r\\n| summarize count() by DataType\\r\\n| sort by count_ desc\\r\\n| limit 100\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Events by Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. 
Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"rowLimit\":100}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAuditingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Auditing and Accounting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Resilience](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEnsuring that systems, services, and protections maintain acceptable performance under adverse conditions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) 🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure DDoS Protection]( https://azure.microsoft.com/services/ddos-protection/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DDoS Protection Plans](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\\r\\n🔀 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\\r\\n🔀 [Load Balancing](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔀 [Virtual Machine Scale Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure DDoS Protection Standard Overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
\\r\\n💡 [Building Solutions for High Availability Using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability)
\\r\\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability)
\\r\\n💡 [What is Azure Load Balancer?](https://docs.microsoft.com/azure/load-balancer/load-balancer-overview)
\\r\\n💡 [What are virtual machine scale sets?](https://docs.microsoft.com/azure/virtual-machine-scale-sets/overview)
\\r\\n\\r\\n### NIST CSF Mapping\\r\\n[ID.BE, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"balance\\\" or RecommendationDisplayName contains \\\"denial\\\" or RecommendationDisplayName contains \\\"recover\\\" or RecommendationDisplayName contains \\\"back\\\" or RecommendationDisplayName contains \\\"scale\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"dos\\\"or type contains \\\"balance\\\" or type contains \\\"recover\\\" or type contains \\\"back\\\" or type 
contains \\\"scale\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Resilience Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"DDoSMitigationReports\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| extend TopAttackVector = tostring(parse_json(AttackVectors_s)[0]) \\r\\n| extend Total_packets_ = tostring(parse_json(TrafficOverview_s).Total_packets) \\r\\n| extend Total_packets_dropped_ = todouble(parse_json(TrafficOverview_s).Total_packets_dropped)\\r\\n| extend TotalPackets =todouble(Total_packets_)\\r\\n| where TotalPackets > 0\\r\\n| where TopAttackVector <> \\\"\\\"\\r\\n| project TopAttackVector, TotalPackets, TotalPacketsDropped = Total_packets_dropped_ , ResourceId , SourceIP=IPAddress, Resource, TimeGenerated\\r\\n| sort by TotalPacketsDropped desc\\r\\n| limit 100\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Denial of Service Attacks Observed\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"IPAddress\",\"parameterName\":\"IPAddress\",\"parameterType\":1},{\"fieldName\":\"ResourceId\",\"parameterName\":\"ResourceId\",\"parameterType\":1,\"defaultValue\":\"ResourceId\"},{\"fieldName\":\"Resource\",\"parameterName\":\"AttackReport\",\"parameterType\":1,\"defaultValue\":\"/\"}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TopAttackVector\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"TotalPackets\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"TotalPacketsDropped\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Resource\",\"formatter\":5},{\"columnMatch\":\"Total_packets_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Total_packets_dropped_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"subtitleContent\":{\"columnMatch\":\"TopAttackVector\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Resource\"},\"rightContent\":{\"columnMatch\":\"TimeGenerated\"},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"query - 
4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isResilienceVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Resilience\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Enterprise Threat Intelligence](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nObtaining threat intelligence from private and government sources and implementing mitigation for the identified risks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [ThreatIntelligenceIndicator](https://docs.microsoft.com/azure/azure-monitor/reference/tables/threatintelligenceindicator) 🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) 🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Connect Data from Threat Intelligence Providers](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n💡 [Microsoft Security Intelligence Portal](https://www.microsoft.com/wdsi)
\\r\\n💡 [Microsoft Graph Security tiIndicators API](https://docs.microsoft.com/graph/api/resources/tiindicator)
\\r\\n💡 [MSTIC Jupyter and Python Security Tools](https://github.com/Microsoft/msticpy)
\\r\\n💡 [Use Jupyter Notebook to Hunt for Security Threats](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender Security Intelligence Portal](https://microsoft.com/wdsi)
\\r\\n🔀 [MSTICpy](https://github.com/Microsoft/msticpy)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cyber Threat Intelligence Indicator Counts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"intel\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Threat Intelligence\",\"noDataMessage\":\"An Empty 
Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where Tactics <> \\\"\\\"\\r\\n| where Tactics <> \\\"Unknown\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n| summarize count() by Tactics\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts by MITRE 
ATT&CK Tactics Observed\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Tactics\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
3 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Enterprise Threat Intelligence\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Situational Awareness](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMaintaining effective awareness, both current and historical, across all components.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Get Visibility Into Alerts](https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, ID.RA, PR.DS, PR.IP, DE.AE, DE.CM, DE.DP, RS.CO](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where isnotempty(ProviderName)\\r\\n| summarize count() by ProductName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts By Product\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where isnotempty(ProviderName)\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by ProductName\\r\\n| render timechart \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts Over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSituationalVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Situational Awareness\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Dynamic Threat Discovery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nUsing dynamic approaches (e.g. heuristics, baselining, etc.) to discover new malicious activity\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [BehaviorAnalytics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/behavioranalytics) 🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Advanced Multistage Attack Detection in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/fusion)
\\r\\n💡 [Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
\\r\\n💡 [Heuristic Detections in Microsoft Defender for Cloud](https://azure.microsoft.com/blog/heuristic-dns-detections-in-azure-security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"defender\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
AnomalousSigninActivity = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\\r\\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\\r\\n or ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\\r\\n | join (\\r\\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \\\"none\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indication from AAD\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 
'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', '7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//\\r\\nlet AnomalousRoleAssignment = AuditLogs\\r\\n | where TimeGenerated > ago(28d)\\r\\n | where OperationName == \\\"Add member to role\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner (\\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Add member to role\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend AnomalyName = \\\"Anomalous Role Assignment\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. 
The query below generates an output of all high Blast Radius users performing Add member to privileged role, or ones that add users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let LogOns=materialize(\\r\\n BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\");\\r\\nlet AnomalousResourceAccess = LogOns\\r\\n | where ActionType == \\\"ResourceAccess\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous Resource Access\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousRDPActivity = LogOns\\r\\n | where ActionType == \\\"RemoteInteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous RDP Activity\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousLogintoDevices = LogOns\\r\\n | where ActionType == \\\"InteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\\r\\n | extend AnomalyName = \\\"Anomalous Login To Devices\\\",\\r\\n Tactic = \\\"Privilege Escalation\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administrator users performing an interactive logon (4624:2) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousPasswordReset = BehaviorAnalytics\\r\\n | where ActionType == \\\"Reset user password\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == \\\"True\\\"\\r\\n | join (\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Reset user password\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Password Reset\\\",\\r\\n Tactic = \\\"Impact\\\",\\r\\n Technique = \\\"Account Access Removal\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\\r\\n | join (\\r\\n SigninLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Initial Access\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousFailedLogon = BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n | join (\\r\\n SigninLogs \\r\\n | where Status.errorCode == 50126\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Failed Logon\\\",\\r\\n Tactic = \\\"Credential Access\\\",\\r\\n Technique = \\\"Brute Force\\\",\\r\\n SubTechnique = \\\"Password Guessing\\\",\\r\\n Description = \\\"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousAADAccountManipulation = AuditLogs\\r\\n | where OperationName == \\\"Update user\\\"\\r\\n | mv-expand AdditionalDetails\\r\\n | where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner ( \\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Update user\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName) \\r\\n | extend AnomalyName = \\\"Anomalous Account Manipulation\\\",\\r\\n Tactic = 
\\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to privileged role, or ones that changed users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\\r\\n | where ActionType == \\\"Add user\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\\r\\n | join(\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Add user\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\\r\\n UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", 
tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Account Creation\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Create Account\\\",\\r\\n SubTechnique = \\\"Cloud Account\\\",\\r\\n Description = \\\"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\\\"\\t\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\\r\\nlet TopUsersByAnomalies = AnomalyTable\\r\\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\\r\\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\\r\\n | sort by AnomalyCount desc;\\r\\nlet TopUsersByIncidents = SecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | where Status == \\\"New\\\" or Status == \\\"Active\\\"\\r\\n | mv-expand AlertIds\\r\\n | extend 
AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | union TopUsersByAnomalies\\r\\n | extend \\r\\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\\r\\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\\r\\n UPNExists = iff(isempty(UPN), false, true),\\r\\n NameExists = iff(isempty(Name), false, true),\\r\\n SidExists = iff(isempty(Sid), false, true),\\r\\n AADExists = iff(isempty(AadUserId), false, true)\\r\\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), 
AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\\r\\n | project [\\\"UserName\\\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\\\"AadUserId\\\"]=AadAnchor, [\\\"OnPremSid\\\"]=SidAnchor, [\\\"UserPrincipalName\\\"]=UPNAnchor;\\r\\nTopUsersByIncidents\\r\\n| where UserPrincipalName !contains \\\"[\\\"\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\\r\\n| sort by AlertCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Entity Behavior Analytics Alerts\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). 
See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":
\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"fusion\\\" or Title contains \\\"dynamic\\\" or Title contains \\\"anomal\\\" or Title contains \\\"behavior\\\" or Title contains \\\"learning\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Dynamic Threat Discovery\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDynamicVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Dynamic Threat Discovery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Policy Enforcement Parity](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nConsistently applying security protections and other policies, independent of the communication mechanism, forwarding path, or endpoints used.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 
[SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Azure Policy?](https://docs.microsoft.com/azure/governance/policy/overview)
\\r\\n💡 [Review your security recommendations](https://docs.microsoft.com/azure/defender-for-cloud/review-security-recommendations)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPolicyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Policy Enforcement Parity\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Effective Use of Shared 
Services](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEmploying shared services, where applicable, that can be individually tailored, measured to independently validate service conformance, and offer effective protections for tenants against malicious actors, both external as well as internal to the service provider.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Get Started with Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)
\\r\\n💡 [Customer Lockbox for Microsoft Azure](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview)
\\r\\n💡 [What are External Identities in Microsoft Entra ID?](https://docs.microsoft.com/azure/active-directory/external-identities/compare-with-b2c)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Lighthouse](https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/LighthouseBlade)
\\r\\n🔀 [Customer Lockbox for Microsoft Azure](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, ID.GV, ID.RM, ID.SC, PR.AT, RS.CO](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"guest\\\" or RecommendationDisplayName contains \\\"shared\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = 
SigninLogs\\r\\n| where ResultType == 0\\r\\n| where UserType == \\\"Guest\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, UserType, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, UserType, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Guest Accounts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"shared\\\" or Description contains \\\"guest\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where 
Description contains \\\"shared\\\" or Description contains \\\"guest\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"shared\\\" or Description contains \\\"guest\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| where Description !contains \\\"not shared\\\"\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEffectiveVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Effective Use of Shared Services\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Integrated Desktop, Mobile, and Remote 
Policies](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDefining polices such that they apply to a given agency entity no matter its location.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n💡 [What are Common Ways to Use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://devicemanagement.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| extend DeviceOS = tostring(DeviceDetail.operatingSystem)\\r\\n| summarize count() by DeviceOS\\r\\n| where DeviceOS <> \\\"\\\"\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Policy Application by Operating System\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConditionalAccessPolicy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlad
e\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-Ins By Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"Location\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| mv-expand ConditionalAccessPolicies\\r\\n| extend ConditionalAccessPolicy = tostring(ConditionalAccessPolicies.displayName)\\r\\n| summarize count() by ConditionalAccessPolicy\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Conditional Access Policies\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConditionalAccessPolicy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntegratedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Integrated Desktop, Mobile, and Remote Policies\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UniversalSecurityCapabilities\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Files](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nFile-based protections including anti-malware, malicious code removal, content disarm & reconstruction, and detonation chambers.\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Files Capabilities Overview\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 
106\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Anti-Malware\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Malware\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Content Disarm & Reconstruction\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Content\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Detonation Chamber\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Detonation\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMalwareVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Malware\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isContentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Content\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\
"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"1f176b0f-1f2f-4e12-afb0-3f10c834ef24\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDetonationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Detonation\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b17f2902-5d29-45b2-8712-bff5b7dd1487\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"793ffbca-13bc-4fac-9535-048cbd9efc54\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-Malware](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-malware protections detect the presence of malicious code and facilitate its quarantine or removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)\\r\\n ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/azure-defender/)\\r\\n✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) ✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)\\r\\n\\r\\n### Implementation\\r\\n💡 [Microsoft Antimalware Extension for Windows](https://docs.microsoft.com/azure/virtual-machines/extensions/iaas-antimalware-windows)
\\r\\n💡 [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](https://docs.microsoft.com/azure/security/fundamentals/antimalware)
\\r\\n💡 [Microsoft Defender for Cloud Apps: Malware Detection](https://docs.microsoft.com/cloud-app-security/anomaly-detection-policy#malware-detection)
\\r\\n💡 [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Defender for Identity](https://security.microsoft.com/settings/identities)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.PT, DE.CM, DE.DP, RS.MI](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"endpoint protection\\\" or RecommendationDisplayName contains \\\"malware\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| 
where Description contains \\\"malware\\\" or Title contains \\\"malware\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Malware\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where AlertName contains \\\"mal\\\"\\r\\n| summarize count() by ProductName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Malware Detected by Product\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isMalwareVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-Malware\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Content Disarm & Reconstruction](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nContent disarm and reconstruction technology detects the presence of unapproved active content and facilitates its removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [EmailAttachmentInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailattachmentinfo) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)\\r\\n\\r\\n### Implementation \\r\\n💡 [Setup Safe Attachments Policies in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/set-up-atp-safe-attachments-policies)
\\r\\n💡 [Threat and Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
\\r\\n💡 [Microsoft Defender Application Guard overview](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)
\\r\\n💡 [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"exploit\\\" or Title contains \\\"exploit\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Exploits\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailAttachmentInfo\\r\\n| extend Detection = strcat(DetectionMethods)\\r\\n| where ThreatTypes <> \\\"\\\"\\r\\n| project RecipientEmailAddress, FileName, ThreatTypes, ThreatNames, Detection, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Safe Attachments: Attachment Mitigation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isContentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Content Disarm & Reconstruction\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Detonation Chamber](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDetonation chambers facilitate the detection of malicious code through the use of protected and isolated execution environments to analyze the files.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Submit File for Deep Analysis](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#submit-files-for-deep-analysis)
\\r\\n💡 [Using the Built-in URL Detonation in Microsoft Sentinel](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/using-the-new-built-in-url-detonation-in-azure-sentinel/996229)
\\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n💡 [Safe Attachments in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-attachments)
\\r\\n💡 [Microsoft Defender Application Guard overview](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)
\\r\\n💡 [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy)
\\r\\n\\r\\n### Microsoft Portals \\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.CM, DE.DP, RS.AN, RS.MI](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Description contains \\\"detonation\\\" or Title contains \\\"detonation\\\" or Description contains \\\"sand\\\" or Title contains \\\"sand\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Detonation\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| where DetectionMethods <>\\\"\\\"\\r\\n| project RecipientEmailAddress, DeliveryAction, DeliveryLocation, EmailDirection, EmailAction, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Email Detonation: SafeLinks, SafeAttachments, SafeFiles\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DeliveryAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EmailDirection\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Outbound\",\"representation\":\"right\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"left\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EmailAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DetectionMethods\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"is
EqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDetonationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Detonation Chamber\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Hunt for Threats with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/hunting)
\\r\\n💡 [Learn about Microsoft 365 Endpoint Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"data\\\" or Title contains \\\"data\\\" or Description contains \\\"loss\\\" or Title contains \\\"loss\\\" or Description contains \\\"exfil\\\" or Title contains \\\"exfil\\\" or Tactics contains \\\"exfil\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Loss\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| project UserId_s, LabelName_s, Operation_s, Activity_s, IPv4_s, ProtectionOwner_s, ApplicationName_s, ProcessName_s, Platform_s, ContentId_g, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Scan/Monitor for Sensitive Data with Azure Information Protection\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| extend UserPrincipalName = UserId_s_s\\r\\n| where LabelName_s <> \\\"\\\"\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Sensitive Data Access 
by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"Country
Region\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"FilesGroup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Email](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nEmail-based protections including anti-phishing, anti-spam, authenticated received chain, data loss prevention, DMARC for incoming/outgoing mail, email encryption, and malicious URL protections.\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Email Capabilities Help\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 107\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Anti-Phishing Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Phishing\\\\\\\" },\\\\r\\\\n\\\\t{ 
\\\\\\\"Control\\\\\\\": \\\\\\\"Anti-Spam Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Spam\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authenticated Received Chain\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Authenticated\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DMARC for Incoming Email\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Incoming\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isPhishingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Phishing\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSpamVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Spam\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"5e162b71-5dff-4440-8bd9-111c1ec62efb\"},{\"version\":\"KqlParameterIt
em/1.0\",\"name\":\"isAuthenticatedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Authenticated\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"37272499-cf34-4fd3-8f26-5929ea74e783\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"2086488a-60de-43a5-a31f-0ae0eca9abd3\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIncomingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Incoming\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e35e9dbc-8e1d-4749-9fe3-6e1b7cc19f2c\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DMARC for Outgoing Email\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Outgoing\\\\\\\" },\\\\r\\\\n\\\\t{ 
\\\\\\\"Control\\\\\\\": \\\\\\\"Encryption for Email Transmission\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Encryption\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Malicious URL Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Malicious\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"URL Click-Through Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Url\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2477e9e4-bcad-49d6-a4b6-df6672debb7b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isOutgoingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Outgoing\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEncryptionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Encryption\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"1fa8afad-de60-4eb0-8a40-a43bde323bdb\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMaliciousVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\
":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Malicious\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"125bc4a9-0a88-4bef-80c9-2707fa0e5f74\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUrlVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Url\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"e62d359a-891b-4663-9384-b7891d8dc461\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-Phishing Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-phishing protections detect instances of phishing and prevent users from accessing them.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Anti-Phishing Protection in Microsoft 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-phishing-protection)
\\r\\n💡 [Configure Anti-Phishing Policies in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-atp-anti-phishing-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AT, PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"email\\\" or Title contains \\\"phish\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Phishing\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isPhishingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-Phishing Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-SPAM Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-SPAM protections detect and quarantine instances of SPAM.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://learn.microsoft.com/defender-office-365/mdo-about)
\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Anti-spam protection in cloud organizations](https://learn.microsoft.com/defender-office-365/anti-spam-protection-about)
\\r\\n💡 [Configure anti-spam policies for cloud mailboxes](https://learn.microsoft.com/defender-office-365/anti-spam-policies-configure)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| extend Spam = tostring(parse_json(ConfidenceLevel).Spam)\\r\\n| where Spam <> \\\"Skipped\\\"\\r\\n| where Spam <> \\\"Not spam\\\"\\r\\n| where Spam <> \\\"\\\"\\r\\n| project Spam, RecipientEmailAddress, DeliveryAction, EmailDirection, ConfidenceLevel, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Spam Email Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}
},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isSpamVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-SPAM Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticated Received Chain](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAuthenticated Received Chain allows for an intermediary, like a mailing list or forwarding service, to sign its own authentication of the original email, allowing downstream entities to accept the intermediary’s authentication even if the email was changed.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How Microsoft 365 Utilizes Authenticated Received Chain (ARC)](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-utilizes-authenticated-received-chain-arc)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Alerts for DMARC, SPF, DKIM Validations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_AlertName_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_AlertName_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAuthenticatedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Authenticated Received Chain\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Microsoft References \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n💡 [How DLP Works Between the Security & Compliance Center and Exchange Admin Centers](https://docs.microsoft.com/microsoft-365/compliance/how-dlp-works-between-admin-centers)
\\r\\n💡 [Email Entity Page](https://docs.microsoft.com/microsoft-365/security/office-365-security/mdo-email-entity-page)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Tactics contains \\\"exfil\\\"\\r\\n| where Title contains \\\"email\\\" or Title contains \\\"phish\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Email Data Loss\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DMARC for Incoming Email](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDMARC protections authenticate incoming email according to the DMARC email authentication protocol defined in RFC 7489.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Use DMARC to Validate Email](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)
\\r\\n💡 [How Microsoft 365 Handles Inbound Emails that Fail DMARC](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-handles-inbound-email-that-fails-dmarc)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\" and Entities contains \\\"inbound\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Inbound DMARC Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIncomingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DMARC for Incoming Email\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DMARC for Outgoing Email](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDMARC protections facilitate the authentication of outgoing email by signing the emails and ensuring that external parties may validate the email signatures. The DMARC email authentication protocol is defined in RFC7489.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Use DMARC to Validate Email](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)
\\r\\n💡 [How Microsoft 365 Handles Inbound Emails that Fail DMARC](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-handles-inbound-email-that-fails-dmarc)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\" and Entities contains \\\"outbound\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Outbound DMARC Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isOutgoingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DMARC for Outgoing Email\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Encryption for Email Transmission](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEmail services are configured to use encrypted connections, when possible, for communications between clients and other email servers.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Email Encryption](https://docs.microsoft.com/microsoft-365/compliance/ome)
\\r\\n💡 [How Exchange Online Uses TLS to Secure Email Connections](https://docs.microsoft.com/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-connections)
\\r\\n💡 [Define Mail Flow Rules to Encrypt Email Messages](https://docs.microsoft.com/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email)
\\r\\n💡 [Setup New Message Encryption Capabilities](https://docs.microsoft.com/microsoft-365/compliance/set-up-new-message-encryption-capabilities)
\\r\\n💡 [Define Mail Flow Rules to Encrypt Email Messages](https://docs.microsoft.com/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email)
\\r\\n💡 [Manage Office 365 Message Encryption](https://docs.microsoft.com/microsoft-365/compliance/manage-office-365-message-encryption)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
🔀 [Microsoft 365 Defender](https://security.microsoft.com)
🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"encrypt\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information.\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEncryptionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Encryption for Email Transmission\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious URL Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMalicious URL protections detect malicious URLs in emails and prevent users from accessing them.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| where DetectionMethods contains \\\"url\\\"\\r\\n| join (EmailUrlInfo) on NetworkMessageId\\r\\n| project RecipientEmailAddress, DeliveryAction, Url, UrlDomain, EmailDirection, ConfidenceLevel, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"SafeLinks Email Protections\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DeliveryAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Url\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\
"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isMaliciousVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Malicious URL Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [URL Click-Through Protection](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nURL click-through protections ensure that when a URL from an email is clicked, the requester is directed to a protection that verifies the security of the URL destination before permitting access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"url\\\" or Title contains \\\"url\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Urls\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUrlVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"URL Click-Through Protection\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Email Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Web](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nWeb-based protections including break/inspect, active content mitigation, certificate blacklisting/consensus, content filtering, authenticated proxy, data loss prevention, DNS-over-HTTPS filtering, RFC compliance enforcement, domain category filtering, domain reputation filtering, bandwidth control, malicious content filtering, and access 
control.\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Web Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 108\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Break and Inspect\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Break\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Active Content Mitigation\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Active\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Certificate Denylisting\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Certificate\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Content Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Content\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Authenticated Proxy\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Authenticated\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNS-over-HTTPS Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DNS\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a30d01d0-38f1-4a91-9cf6-cdb181d676b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isBreakVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Break\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isActiveVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Active\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b2b0b9d3-128b-4ec7-a1e8-287df84633da\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCertificateVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Certificate\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"508474da-365f-43db-9c42-4331e8648144\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isContentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Content\",\"resultValType\":\"static\",\"resultVal\":\"true\
"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"68f6fab3-9f4c-4ea8-ac17-064809f6740e\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAuthenticatedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Authenticated\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a539291a-2744-47ef-9558-f15986ecf508\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"bd2ce9fe-9e44-4bcf-9f00-83a04c86e456\"},{\"id\":\"5cb17a08-31fb-4eee-87d8-abef7ecbb7e2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDNSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DNS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden 
Parameters\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"RFC Compliance Enforcement\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"RFC\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Domain Category Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Category\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Domain Reputation Filter\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Reputation\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Bandwidth Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Bandwidth\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Malicious Content Filtering\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Malicious\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Access\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8 - 
Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0114faf6-043c-452c-9249-34899d8965a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRFCVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"RFC\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCategoryVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Category\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"35f239a8-a4dc-4e7f-8b70-dd4c876151db\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isReputationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Reputation\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"57218915-069e-4559-94ff-29144252c397\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isBandwidthVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Bandwidth\",\"resultValType\":\"static\",\"resultVal\":\"
true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"d77f49a8-0e58-46c3-b705-5a61736b41ea\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMaliciousVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Malicious\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a11bbfd4-4c45-4527-b1d2-6cab517590cb\"},{\"id\":\"a1bdb4f4-7f9d-48f8-8deb-e979a7e203a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAccessVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Access\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Break and Inspect](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nBreak-and-Inspect systems, or encryption proxies, terminate encrypted traffic, logging or performing policy enforcement against the plaintext, and re-encrypting the traffic, if applicable, before transmitting to the final 
destination.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Firewall Premium](https://azure.microsoft.com/services/azure-firewall/) ✳️ [Network Watcher](https://azure.microsoft.com/services/network-watcher/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n💡 [Inspect Traffic with Azure Firewall](https://docs.microsoft.com/azure/private-link/inspect-traffic-with-azure-firewall)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Create an Azure Network Watcher instance](https://docs.microsoft.com/azure/network-watcher/network-watcher-create)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Network Watcher](https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"protected by Azure Firewall\\\" or RecommendationDisplayName contains \\\"watcher\\\" or RecommendationDisplayName contains \\\"proxy\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"azurefirewalls\\\" or type contains \\\"firewallpolicies\\\" or type contains \\\"networkwatchers\\\" or type contains \\\"webapplicationfirewall\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Break & Inspect Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isBreakVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Break and Inspect\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Active Content Mitigation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nActive content mitigation protections detect the presence of unapproved active content and facilitate its removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) 🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n\\r\\n### Implementation \\r\\n💡[What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡[Azure Web Application Firewall on Azure Front Door](https://docs.microsoft.com/azure/web-application-firewall/afds/afds-overview)
\\r\\n💡[Connect data from Microsoft 365 Defender to Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender?tabs=MDE)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"endpoint protection\\\" or RecommendationDisplayName contains \\\"Web Application Firewall\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"webapplicationfirewall\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Content Mitigation Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message: string, ruleName_s: string, clientIp_s: string, clientIP_s: string, action_s: string, transactionId_s: string, trackingReference_s: string) [\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\"]);\\r\\nFakeData\\r\\n| union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"Application Gateway\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"Application Gateway\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"Application Gateway\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"Application Gateway\\\" contains \\\"cdn\\\")) and (\\\"SOC-NS-AG-WAFV2 - 1129440\\\" == \\\"All\\\" or Resource in ('SOC-NS-AG-WAFV2'))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", 
action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '*' == Action or '*' == \\\"*\\\" \\r\\n| where '*' == requestUri_s or '*' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Rule= iif(Rule contains \\\"Mandatory rule. Cannot be disabled.\\\", strcat_array(split(Rule, \\\"Mandatory rule. Cannot be disabled. Inbound \\\", 1), \\\"\\\"), Rule) // Removes initial component for mandatory rule \\r\\n| extend Rule = iif(Rule contains \\\"Total Inbound Score\\\", strcat_array(array_concat(split(Rule, \\\" - SQLI=\\\", 0), parse_json('[\\\") -\\\"]'), split(Rule, \\\"):\\\", 1)), \\\"\\\"), Rule) // Removes smaller information if more info is available for anomaly score\\r\\n| summarize count() by Rule\\r\\n| top 50 by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure WAF Events\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Rule\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redDark\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isActiveVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Active Content Mitigation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Certificate Denylisting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCertificate denylisting protections prevent communication with entities that use a set of known bad certificates.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) 🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation\\r\\n💡 [Certificates Used by Azure Firewall Premium](https://docs.microsoft.com/azure/firewall/premium-certificates)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Quickstart: Create a Key Vault using the Azure Portal](https://docs.microsoft.com/azure/key-vault/general/quick-create-portal)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"certificate\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"cert\\\" \\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"cert\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"cert\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCertificateVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Certificate Denylisting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Content 
Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nContent filtering protections detect the presence of unapproved content and facilitate its removal or denial of access.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Implementation\\r\\n💡 [Azure Firewall Web Categories](https://docs.microsoft.com/azure/firewall/web-categories)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Web Content Filtering](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/web-content-filtering)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\n materialize(\\r\\n AzureDiagnostics\\r\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n | project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". 
Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n | where msg_s has \\\" Reason:\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n and msg_s !has \\\"No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | where msg_s has \\\"Rule Collection Group\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". 
Rule: \\\" Rule\\r\\n )\\r\\n| summarize Count = count(), last_log = datetime_diff(\\\"second\\\", now(), max(TimeGenerated)) by RuleCollection, Rule, WebCategory\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Firewall: Content Enforcement\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"last_log\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 36\"}]},\"conditionalVisibility\":{\"parameterName\":\"isContentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Content Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticated 
Proxy](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAuthenticated proxies require entities to authenticate with the proxy before making use of it, enabling user, group, and location-aware security controls.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Plan an Azure AD Application Proxy Deployment](https://learn.microsoft.com/en-us/entra/identity/app-proxy/conceptual-deployment-plan)
\\r\\n💡 [Configure Real-Time Application Access Monitoring with Microsoft Defender for Cloud Apps and Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-integrate-with-microsoft-cloud-application-security)
\\r\\n💡 [Protect Apps with Microsoft Defender for Cloud Apps Conditional Access App Control](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| mv-expand ConditionalAccessPolicies\\r\\n| extend ConditionalAccessPolicy = tostring(ConditionalAccessPolicies.displayName)\\r\\n| summarize count() by ConditionalAccessPolicy\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Conditional Access Policies\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ConditionalAccessPolicy\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Recomme
ndationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAuthenticatedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Authenticated Proxy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Microsoft Defender for Cloud Apps: File Policies](https://docs.microsoft.com/cloud-app-security/data-protection-policies)
\\r\\n💡 [Content Inspection for Protected Files](https://docs.microsoft.com/cloud-app-security/content-inspection)
\\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Defender for Identity Portal](https://security.microsoft.com/settings/identities)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Tactics contains \\\"exfil\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Exfiltration\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention_W\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS-over-HTTPS Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNS-over-HTTPS filtering prevents entities from using the 
DNS-over-HTTPS protocol, possibly evading DNS-based protections.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Microsoft Defender for DNS](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-dns-introduction)
\\r\\n💡 [Azure Firewall DNS settings](https://docs.microsoft.com/azure/firewall/dns-settings)
\\r\\n💡 [Web Content Filtering](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Workload Protections](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/26)
\\r\\n🔀 [Azure Firewall](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"dns\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS-over-HTTPS Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [RFC Compliance Enforcement](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nRFC compliant enforcement technologies ensure that traffic complies with protocol definitions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation\\r\\n💡[What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡[Tutorial: Create an Application Gateway with a Web Application Firewall using the Azure Portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where Category == \\\"ApplicationGatewayFirewallLog\\\"\\r\\n| where details_file_s contains \\\"rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\\\"\\r\\n| summarize count() by ResourceId, Message\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Web Protocol Enforcement Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isRFCVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RFC Compliance Enforcement\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Domain Category Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDomain category filtering technologies allow for classes of 
domains (e.g. banking, medical) to receive a different set of security protections.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall: Web Categories](https://docs.microsoft.com/azure/firewall/premium-deploy#web-categories-testing)
\\r\\n💡 [Use FQDN Filtering in Network Rules](https://docs.microsoft.com/azure/firewall/fqdn-filtering-network-rules)
\\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)\\t
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\n materialize(\\r\\n AzureDiagnostics\\r\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n | project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". 
Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n | where msg_s has \\\" Reason:\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n and msg_s !has \\\"No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | where msg_s has \\\"Rule Collection Group\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". 
Rule: \\\" Rule\\r\\n )\\r\\n| where Action == \\\"Deny\\\"\\r\\n| where '*' == SourceIP or '*' == \\\"*\\\" \\r\\n| summarize count() by FQDN\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Domain & Category Filtering\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FQDN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Diagnostics\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isCategoryVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Domain Category Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Domain Reputation Filter](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDomain reputation filtering protections are a form of domain denylisting based on a domain’s reputation, as defined by either 
the agency or an external entity.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall Threat Intelligence-Based Filtering](https://docs.microsoft.com/azure/firewall/threat-intel)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where msg_s <> \\\" request from to . Action: . ThreatIntel: \\\"\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url: \\\" Url \\\". Action: \\\" Action \\\". ThreatIntel: \\\" ThreatIntelMsg\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". ThreatIntel: \\\" ThreatIntelMsg\\r\\n)\\r\\n| summarize by ThreatIntelMsg, Url, FQDN, Action, Protocol, SourceIP, SourcePort, DestinationPort, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: Threat Intelligence URL Blocks\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Url\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Diagnostics\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Action\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"FQDN\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"FQDN\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isReputationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Domain Reputation Filter\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Bandwidth Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nBandwidth control technologies allow for limiting the amount of bandwidth used by different classes of domains.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Metrics](https://docs.microsoft.com/azure/azure-monitor/essentials/data-platform-metrics) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Monitor Metrics Overview](https://docs.microsoft.com/azure/azure-monitor/essentials/data-platform-metrics)
\\r\\n💡 [Monitor Azure Firewall Logs and Metrics](https://docs.microsoft.com/azure/firewall/firewall-diagnostics) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"Bandwidth Control\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"40\",\"name\":\"Control Smartcard\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5084e141-6c56-4d7f-bd8a-09f7ef9af1bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Resource\",\"label\":\"Azure Firewalls\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type =~ 'Microsoft.Network/azureFirewalls'\\r\\n| project id, name\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"parameters - 1\"},{\"type\":10,\"content\":{\"chartId\":\"workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15\",\"version\":\"MetricsItem/2.0\",\"size\":0,\"chartType\":2,\"resourceType\":\"microsoft.network/azurefirewalls\",\"metricScope\":0,\"resourceParameter\":\"Resource\",\"resourceIds\":[\"{Resource}\"],\"timeContextFromParameter\":\"TimeRange\",\"timeContext\":{\"durationMs\":604800000},\"metrics\":[{\"namespace\":\"microsoft.network/azurefirewalls\",\"metric\":\"microsoft.network/azurefirewalls--Throughput\",\"aggregation\":4,\"columnName\":\"All Firewall Throughput Average\"}],\"title\":\"Average Throughput of Firewall Traffic\",\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"metric - 25\"}]},\"conditionalVisibility\":{\"parameterName\":\"isBandwidthVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Bandwidth 
Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious Content Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMalicious content filtering protections detect the presence of malicious content and facilitate its removal.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Microsoft Defender for Cloud's enhanced security features](https://docs.microsoft.com/azure/defender-for-cloud/enhanced-security-features-overview)
\\r\\n💡 [What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡 [Azure Web Application Firewall on Azure Front Door](https://docs.microsoft.com/azure/web-application-firewall/afds/afds-overview)
\\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.PT, PR.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"firewall\\\" or RecommendationDisplayName contains \\\"defender\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"mal\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Malicious Content\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| project Category, ResourceType, OperationName);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by OperationName\\r\\n | project Category=OperationName, Volume\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | 
summarize Volume=count() by OperationName\\r\\n | project Category=OperationName, Volume\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by Category\\r\\n)\\r\\n| sort by Volume desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Web Protections by Rule Category\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"SelectedCategory\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Volume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Volume\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isMaliciousVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Malicious Content 
Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control technologies allow an agency to define policies limiting what actions may be performed by connected users and entities.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Overview of Role-Based Access Control in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\\r\\n💡 [What is Azure AD Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Secure Your Management Ports With Just-In-Time Access](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"Just\\\" or RecommendationDisplayName contains \\\"privilege\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAccessVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Web Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Networking](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nNetwork-based protections including network access controls, IP denylisting, host containment, network segmentation, and microsegmentation. \\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Networking Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 109\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Access\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"IP Denylisting\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"IP\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Host Containment\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Host\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Network Segmentation\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Network\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Microsegmentation\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Micro\\\\\\\" 
}\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAccessVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Access\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIPVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"IP\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"50ab20f8-9e71-4938-a67c-fc3cddda9d3e\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isHostVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Host\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"297ab54c-7fb4-4d69-b331-d06b5848b0c2\"},{\"version\":\"KqlPar
ameterItem/1.0\",\"name\":\"isNetworkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Network\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4c49d950-1bd2-45c1-8a98-4f17abff2088\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isMicroVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Micro\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"cf2d16a5-def7-4887-87ff-188258574464\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control protections prevent the ingest, egress, or transiting of unauthorized network traffic.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Implementation \\r\\n💡 [Security Recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Tutorial: Create an Application Gateway with a Web Application Firewall using the Azure Portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal)
\\r\\n💡 [Tutorial: Create and Manage a VPN Gateway using Azure Portal]( https://docs.microsoft.com/azure/vpn-gateway/tutorial-create-gateway-portal)
\\r\\n💡 [What is Azure ExpressRoute?](https://docs.microsoft.com/azure/expressroute/expressroute-introduction)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
🔀 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
🔀 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
🔀 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
🔀 [ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"network access\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where 
type contains \\\"network\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Networking Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where OperationName == \\\"NetworkSecurityGroupEvents\\\"\\r\\n| summarize count() by ruleName_s\\r\\n| project NetworkSecurityGroupRule=ruleName_s, FlowCount=count_\\r\\n| sort by FlowCount desc \",\"size\":0,\"showAnalytics\":true,\"title\":\"Flow Counts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"NetworkSecurityGroupRule\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Lateral_Movement\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FlowCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAccessVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [IP Denylisting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIP denylisting protections prevent the ingest or transiting of traffic received from or destined to a denylisted IP address.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [ThreatIntelligenceIndicator](https://docs.microsoft.com/azure/azure-monitor/reference/tables/threatintelligenceindicator) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Connect Data from Threat Intelligence Providers](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n💡 [Azure Firewall Threat Intelligence Configuration](https://docs.microsoft.com/azure/firewall-Manager/threat-intelligence-settings)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n\\t iff(isnotempty(Url), \\\"URL\\\",\\r\\n\\t iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n\\t iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n\\t iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n\\t \\\"Other\\\")))))\\r\\n| where IndicatorType == \\\"IP\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by IndicatorType\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Sentinel: Threat Intelligence IP Indicators Ingested\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"VMConnection\\r\\n| extend NetworkSourceIP=RemoteIp\\r\\n| where NetworkSourceIP <> \\\"\\\"\\r\\n| extend FirewallManager=strcat(\\\"FirewallManager\\\")\\r\\n| join (ThreatIntelligenceIndicator) on NetworkSourceIP\\r\\n| extend Indicator = strcat(NetworkSourceIP, FileHashValue, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName)\\r\\n| extend Source=SourceSystem1\\r\\n| summarize count () by ThreatType, Action, Indicator, Direction, _ResourceId, FirewallManager, RemoteCountry, RemoteIp, Source\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence: IP Denylisting\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"FirewallManager\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Go to Firewall Manager 
>>\",\"bladeOpenContext\":{\"bladeName\":\"FirewallManagerMenuBlade\",\"extensionName\":\"Microsoft_Azure_HybridNetworking\"}}},{\"columnMatch\":\"RemoteCountry\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"RiskIQ_Lookup\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"RiskIQ Lookup >\"}},{\"columnMatch\":\"VirusTotalURL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"VirusTotal Lookup >\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"RemoteCountry\",\"latitude\":\"RemoteLatitude\",\"longitude\":\"RemoteLongitude\",\"sizeSettings\":\"RemoteCountry\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"RemoteCountry\",\"legendMetric\":\"RemoteCountry\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"RemoteIp\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\"}]}}},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Threat Intelligence: IP Denylisting\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIPVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IP Denylisting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Host 
Containment](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nHost containment protections enable a network to revoke or quarantine a host’s access to the network.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Security Orchestration, Automation, and Response (SOAR) in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/automation-in-azure-sentinel)
\\r\\n💡 [How to Isolate an Azure VM Using Microsoft Defender for Cloud’s Workflow Automation](https://techcommunity.microsoft.com/t5/azure-security-center/how-to-isolate-an-azure-vm-using-azure-security-center-s/ba-p/1250985)
\\r\\n💡 [Isolate Endpoints from the Network](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-endpoints-from-the-network)
\\r\\n\\r\\n### Microsoft Portals \\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"logic\\\"\\r\\n| where id contains \\\"block\\\" or id contains \\\"isolate\\\" or id contains \\\"lock\\\" or id contains \\\"revoke\\\" or id contains \\\"quarantine\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Containment Automations Configured\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isHostVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Host Containment\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Network Segmentation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nNetwork segmentation separates a given network into subnetworks, facilitating security controls between the subnetworks, and decreasing the attack surface of the network.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 
[SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Implement Network Segmentation Patterns on Azure](https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation)
\\r\\n💡 [What is Azure Virtual Network?](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"segment\\\" or RecommendationDisplayName contains \\\"network security group\\\" or RecommendationDisplayName contains \\\"subnet\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where 
type contains \\\"networksecuritygroups\\\" or type contains \\\"virtualnetworks\\\" or type contains \\\"tables\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Segmentation Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Network Segmentation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsegmentation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMicrosegmentation divides the network, either physically or virtually, according to the communication needs of application and data workflows, facilitating security controls to protect the data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n✳️ [Application Gateway](https://azure.microsoft.com/services/application-gateway/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Network Security & Containment](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n💡 [What is Azure Virtual Network?](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n💡 [Implement network segmentation patterns on Azure](https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation)
\\r\\n💡 [Application Security Groups](https://docs.microsoft.com/azure/virtual-network/application-security-groups)
\\r\\n💡 [Tutorial: Filter Network Traffic with a Network Security Group using the Azure portal](https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Application Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔀 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.DS, PR.IP, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"application gateway\\\" or RecommendationDisplayName contains \\\"security group\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where 
type contains \\\"applicationgateway\\\" or type contains \\\"securitygroup\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsegementation Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isMicroVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Microsegmentation\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Networking Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Resiliency](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nResiliency measures including DDoS protections, elastic expansion, and regional delivery.\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Resiliency Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 
110\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DDoS Protections\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DDoS\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Elastic Expansion\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Elastic\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Regional Delivery\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Regional\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDDoSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DDoS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isElasticVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Elastic\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"c6997d7f-b3e5-431c-b747-ea5a75b533e0\"},{\"version\":\"KqlParameterItem/1.0\",\"nam
e\":\"isRegionalVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Regional\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"250d293f-5d5f-4944-8cd4-5ec0183b9053\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DDoS Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDDoS protections mitigate the effects of distributed denial of service attacks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) 🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure DDoS Protection]( https://azure.microsoft.com/services/ddos-protection/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure DDoS Protection Standard Overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DDoS Protection Plans](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"dos\\\" or Title contains \\\"denial\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: DDoS\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Resources\\r\\n| where type contains \\\"microsoft.network/ddosprotectionplans\\\"\\r\\n| extend RG = substring(id, 0, indexof(id, '/providers'))\\r\\n| extend virtualNetworks = properties.virtualNetworks\\r\\n| mvexpand bagexpansion=array virtualNetworks\\r\\n| extend VNETid = virtualNetworks.id\\r\\n| project-away kind, managedBy, sku, plan, identity, zones, extendedLocation, name, tenantId, properties, tags, virtualNetworks, 
resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"DDoS Protection Plans\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"location\",\"formatter\":17},{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"VNETid\",\"formatter\":13,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"id\",\"label\":\"Name\"},{\"columnId\":\"type\",\"label\":\"Type\"},{\"columnId\":\"location\",\"label\":\"Region\"},{\"columnId\":\"subscriptionId\",\"label\":\"Subscription\"},{\"columnId\":\"VNETid\",\"label\":\"Virtual Networks\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DDoSPlans\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"DDoSMitigationReports\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| extend TopAttackVector = tostring(parse_json(AttackVectors_s)[0]) \\r\\n| extend Total_packets_ = tostring(parse_json(TrafficOverview_s).Total_packets) \\r\\n| extend Total_packets_dropped_ = todouble(parse_json(TrafficOverview_s).Total_packets_dropped)\\r\\n| extend TotalPackets =todouble(Total_packets_)\\r\\n| where TotalPackets > 0\\r\\n| where TopAttackVector <> \\\"\\\"\\r\\n| project TopAttackVector, TotalPackets, TotalPacketsDropped = Total_packets_dropped_ , ResourceId , 
SourceIP=IPAddress, Resource, TimeGenerated\\r\\n| sort by TotalPacketsDropped desc\\r\\n| limit 100\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"DDoS Mitigation Activity\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"IPAddress\",\"parameterName\":\"IPAddress\",\"parameterType\":1},{\"fieldName\":\"ResourceId\",\"parameterName\":\"ResourceId\",\"parameterType\":1,\"defaultValue\":\"ResourceId\"},{\"fieldName\":\"Resource\",\"parameterName\":\"AttackReport\",\"parameterType\":1,\"defaultValue\":\"/\"}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TopAttackVector\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"TotalPackets\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"TotalPacketsDropped\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Resource\",\"formatter\":5},{\"columnMatch\":\"Total_packets_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"Total_packets_dropped_\",\"formatter\":4,\"fo
rmatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumSignificantDigits\":4}}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"subtitleContent\":{\"columnMatch\":\"TopAttackVector\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Resource\"},\"rightContent\":{\"columnMatch\":\"TimeGenerated\"},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDDoSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DDoS Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Elastic Expansion](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nElastic expansion enables agencies to dynamically expand the resources available for services as conditions require.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Virtual Machine Scale Sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/) ✳️ [Traffic Manager]( https://azure.microsoft.com/services/traffic-manager/) ✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) ✳️ [Azure Availability Zones]( https://azure.microsoft.com/global-infrastructure/availability-zones/)\\r\\n\\r\\n### Implementation \\r\\n💡 [What are Virtual Machine Scale Sets?](https://docs.microsoft.com/azure/virtual-machine-scale-sets/overview)
\\r\\n💡 [Elastic Pools Help You Manage and Scale Multiple Databases in Azure SQL Database](https://www.cisa.gov/trusted-internet-connections)
\\r\\n💡 [What is Azure Load Balancer?](https://docs.microsoft.com/azure/load-balancer/load-balancer-overview)
\\r\\n💡 [What is Traffic Manager?](https://docs.microsoft.com/azure/traffic-Manager/traffic-Manager-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Machine Scale Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets)
🔀 [Azure SQL](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Sql%2Fazuresql)
🔀 [Load Balancer](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
🔀 [Traffic Manager Profiles](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2Ftrafficmanagerprofiles)
🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"load\\\" or Description contains \\\"scale\\\" or Description contains \\\"front\\\" or Description contains \\\"traffic manager\\\" or Description contains \\\"pool\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"scale\\\" or type contains \\\"traffic\\\" or type contains \\\"load\\\" or type contains \\\"balance\\\" or type contains \\\"pool\\\" or type contains \\\"set\\\" or type contains \\\"manager\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Elastic Expansion Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isElasticVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Elastic Expansion\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Regional Delivery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nRegional delivery technologies enable the deployment of agency services across geographically diverse locations.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft 
Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter)\\r\\n\\r\\n### Implementation \\r\\n💡 [Building Solutions for High Availability Using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability)
\\r\\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability)
\\r\\n💡 [Data residency in Azure](https://azure.microsoft.com/global-infrastructure/data-residency/#overview)
\\r\\n💡 [Regions and availability zones](https://docs.microsoft.com/azure/availability-zones/az-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"disaster\\\" or RecommendationDisplayName contains \\\"region\\\" or RecommendationDisplayName contains \\\"redundant\\\" or RecommendationDisplayName contains \\\"geo\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-Ins By Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"Location\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by location\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isRegionalVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Regional Delivery\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Resiliency Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nDNS measures including DNS blackholing, DNSSEC for clients, and DNSSEC for domains. 
\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS Capability Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 111\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNS Sinkholing\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Sink\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNSSEC for Agency Clients\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Clients\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"DNSSEC for Agency Domains\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Domains\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSinkVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Sink\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"aaf5f338-70e7-4910-8b24-0256c3e819ab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isClientsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Clients\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDomainsVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Domains\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b454a300-8718-4f34-a5e9-722b582dc95d\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS Sinkholing](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNS sinkholing protections are a form of denylisting that protect clients from accessing malicious domains by responding to DNS queries for those domains.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) \\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Azure DNS?](https://docs.microsoft.com/azure/dns/dns-overview)
\\r\\n💡 [How to protect DNS zones and records](https://docs.microsoft.com/azure/dns/dns-protect-zones-recordsets)
\\r\\n💡 [Microsoft Defender for DNS](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-dns-introduction)
\\r\\n💡 [Azure Firewall DNS settings](https://docs.microsoft.com/azure/firewall/dns-settings)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"domain\\\" or type contains \\\"dns\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"dns\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: DNS\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These 
Thresholds\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSinkVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS Sinkholing\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNSSEC for Agency Clients](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNSSEC protections ensure that domain name lookups from agency 
clients, whether for internal or external domains, are validated.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaselines](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Implementation \\r\\n💡 [Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy](https://techcommunity.microsoft.com/t5/azure-network-security/enabling-central-visibility-for-dns-using-azure-firewall-custom/ba-p/2156331)
\\r\\n💡 [DANE Support](https://docs.microsoft.com/windows-server/networking/dns/what-s-new-in-dns-server#dane-support)
\\r\\n💡 [Support of DANE and DNSSEC in Office 365 Exchange Online](https://techcommunity.microsoft.com/t5/exchange-team-blog/support-of-dane-and-dnssec-in-office-365-exchange-online/ba-p/1275494)
\\r\\n💡 [Apply Azure security baselines to machines](https://docs.microsoft.com/azure/defender-for-cloud/apply-security-baseline)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [DNS zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n🔀 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FailedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"dns\\\"\\r\\n| where AnalyzeResult == \\\"Failed\\\"\\r\\n| summarize FailedAssets = makelist(Computer) by Description;\\r\\nlet PassedAssets=SecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"dns\\\"\\r\\n| where AnalyzeResult == \\\"Passed\\\"\\r\\n| summarize PassedAssets = makelist(Computer) by Description;\\r\\nSecurityBaseline\\r\\n| summarize arg_max(TimeGenerated, *) by _ResourceId, Description\\r\\n| where Description contains \\\"dns\\\"\\r\\n| summarize\\r\\n Failed = countif(AnalyzeResult == \\\"Failed\\\"),\\r\\n Passed = countif(AnalyzeResult == \\\"Passed\\\"),\\r\\n Total = countif(AnalyzeResult == \\\"Failed\\\" or AnalyzeResult == \\\"Passed\\\")\\r\\n by Description\\r\\n| extend PassedControls = (Passed / todouble(Total)) * 100\\r\\n| join kind=fullouter(FailedAssets) on Description\\r\\n| join kind=fullouter(PassedAssets) on Description\\r\\n| project Description, Total, PassedControls, Passed, Failed, PassedAssets, FailedAssets\\r\\n| sort by Total, Passed desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}},{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"AllServices\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationState\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"thresholdValue\":\"Healthy\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\r\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\r\\n| project-away msg_s\\r\\n| summarize by TimeGenerated, ResourceId, ClientIP, ClientPort, QueryID, Request_Type, Request_Class, Request_Name, Request_Protocol, Request_Size, EDNSO_DO, EDNS0_Buffersize, Responce_Code, Responce_Flags, Responce_Size, Response_Duration, SubscriptionId\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Request_Type\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: DNS Proxy Actions over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isClientsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNSSEC for Agency Clients\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNSSEC for Agency Domains](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNSSEC protections ensure that all agency domain names are secured using DNSSEC, enabling external entities to validate their resolution the domain names.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is Azure DNS?](https://docs.microsoft.com/azure/dns/dns-overview)
\\r\\n💡 [Security Recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"dns\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDomainsVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNSSEC for Agency Domains\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Intrusion Detection](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nIntrusion Detection measures including endpoint detection & response, intrusion protection systems, adaptive access control, deception platforms, and certificate transparency log monitoring.\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Intrusion Detection Capability Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 112\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Endpoint Detection and Response\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Endpoint\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Intrusion Protection Systems (IPS)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Intrusion\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Adaptive Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Adaptive\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Deception Platforms\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Deception\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Certificate Transparency Log Monitoring\\\\\\\", \\\\\\\"tab\\\\\\\": 
\\\\\\\"Certificate\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEndpointVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Endpoint\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIntrusionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Intrusion\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"f683c8d4-894a-4863-a2c6-03d36d6d7819\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAdaptiveVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Adaptive\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"27dcffa
8-43ca-4d68-b69d-11dbd33dcbcb\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDeceptionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Deception\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b4f96879-69b4-45b3-b6a6-384a91e9569c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isCertificateVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Certificate\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"51c9fd25-2fa3-4cca-bc9f-bf8b5d0a0e07\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Endpoint Detection and Response](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEndpoint detection and response tools combine endpoint and network event data to aid in the detection of malicious activity.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Overview of Endpoint Detection and Response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"endpoint protection\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where AdditionalData contains \\\"Microsoft Defender for Endpoint\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Endpoint Detection & Response\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident 
>>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEndpointVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Endpoint Detection and Response\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Intrusion Protection Systems (IPS)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIntrusion protection systems detect malicious activity, attempt to stop the activity, and report the activity.\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Firewall Premium: IPS](https://docs.microsoft.com/azure/firewall/premium-features#idps)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) 🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, DE.DP, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"IPS\\\" or Title contains \\\"IDS\\\" or Title contains \\\"intrusion\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Intrusion Protection System\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with * \\\"TCP request from \\\" Source \\\" to \\\" Destination \\\". Action: \\\" ActionTaken \\\". Rule: \\\" IDPSSig \\\". IDS: \\\" IDSMessage \\\". Priority: \\\" Priority \\\". Classification: \\\" Classification\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by OperationName\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: IDPS Alerts over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"microsoft.network/firewallpolicies\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"IPS Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Intrusion Protection Systems (IPS)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Adaptive Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAdaptive access control technologies factor in additional context, like security risk, operational needs, and other heuristics, when evaluating access control decisions.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [What is 
Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n💡 [Use adaptive application controls to reduce your machines' attack surfaces](https://docs.microsoft.com/Azure/defender-for-cloud/adaptive-application-controls)
\\r\\n💡 [Improve your network security posture with adaptive network hardening](https://docs.microsoft.com/Azure/defender-for-cloud/adaptive-application-controls)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud: Workload Protections](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/26)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"adaptive\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Continuous Log Export to this workspace for SecurityRecommendations is enabled. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":12531600000,\"endTime\":\"2022-02-23T15:45:00Z\"},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = SigninLogs\\r\\n | where AppDisplayName in ('*') or '*' in ('*')\\r\\n | where UserDisplayName in ('*') or '*' in ('*')\\r\\n | extend CAStatus = case(ConditionalAccessStatus == \\\"success\\\", \\\"Successful\\\",\\r\\n ConditionalAccessStatus == \\\"failure\\\", \\\"Failed\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"Not applied\\\", \\r\\n isempty(ConditionalAccessStatus), \\\"Not applied\\\", \\r\\n \\\"Disabled\\\")\\r\\n | mvexpand ConditionalAccessPolicies\\r\\n | extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n | extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"endpoint\\\", \\\"Require endpoint Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined endpoint\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n \\\"Other\\\");\\r\\ndata\\r\\n| summarize Count = dcount(Id) by CAStatus\\r\\n| join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range(ago(14d), now(), 6h) by CAStatus\\r\\n )\\r\\n on CAStatus\\r\\n| project-away CAStatus1, TimeGenerated\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Conditional Access Status\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CAStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isAdaptiveVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Adaptive Access Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Deception Platforms](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDeception platform technologies provide decoy environments, from individual machines to entire networks, that can be used to deflect attacks away from the operational systems supporting agency missions/business functions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Microsoft Sentinel Deception Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-microsoft-sentinel-deception-solution/ba-p/2904945)
\\r\\n💡 [Deploy and monitor Azure Key Vault honeytokens with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/monitor-key-vault-honeytokens?tabs=deploy-at-scale)
\\r\\n💡 [Manage Sensitive or Honeytoken Accounts](https://docs.microsoft.com/defender-for-identity/manage-sensitive-honeytoken-accounts)
\\r\\n\\r\\n### Microsoft Portal\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Identity](https://security.microsoft.com/settings/identities)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.AE, RS.AN](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where id contains \\\"deception\\\" or id contains \\\"honey\\\" or id contains \\\"HTDK\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Deception Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Title contains \\\"honeytoken\\\" or Title contains \\\"deception\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, 
FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Deception\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| 
where RecommendationDisplayName contains \\\"honey\\\" or RecommendationDisplayName contains \\\"deception\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDeceptionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Deception Platforms\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Certificate Transparency Log Monitoring](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCertificate transparency log monitoring allows agencies to discover when new certificates are issued for agency domains.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Get Started with Key Vault Certificates](https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios)
\\r\\n💡 [Security Recommendations in Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"cert\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Key Vault Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"certificate\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Certificates\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These 
Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isCertificateVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Certificate Transparency Log Monitoring\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Intrusion Detection Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 
[Enterprise](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nEnterprise-based controls including security orchestration automation & response, shadow IT detection, and virtual private networks. \"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Enterprise Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 113\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Security Orchestration, Automation, and Response\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"SOAR\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Shadow IT Detection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Shadow\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Virtual Private Network (VPN)\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"VPN\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"6a82c6f2-dde9-45d9-acf4-23e96b5b2647\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isSOARVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"SOAR\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isShadowVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Shadow\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"750b4451-0f5d-4e58-95c2-c4b4c8991335\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isVPNVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"VPN\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a2f3d34f-7824-4733-bddc-00efb62da0f2\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters 
Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Orchestration, Automation, and Response (SOAR)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nSecurity Orchestration, Automation, and Response (SOAR) tools define, prioritize, and automate the response to security incidents.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Logic Apps](https://azure.microsoft.com/services/logic-apps/)
\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Tutorial: Setup Automated Threat Responses in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, DE.DP, RS.CO, RS.AN, RC.RP](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type == \\\"microsoft.logic/workflows\\\"\\r\\n| extend Connection = parse_json(properties)[\\\"parameters\\\"][\\\"$connections\\\"][\\\"value\\\"]\\r\\n| where Connection has \\\"managedApis/azuresentinel\\\"\\r\\n| project id, type, resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"SOAR Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"playbook\\\" or RecommendationDisplayName contains \\\"automation\\\" or RecommendationDisplayName contains \\\"logic\\\" or RecommendationDisplayName contains \\\"notification\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed 
= countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where OperationNameValue startswith \\\"Microsoft.Logic\\\"\\r\\n| where ActivityStatusValue == \\\"Success\\\" or ActivityStatusValue == \\\"Succeeded\\\"\\r\\n| extend scope_ = tostring(Authorization_d.scope)\\r\\n| parse-where scope_ with * 'workflows/' PlaybookName '/' *\\r\\n| where PlaybookName contains \\\"notify\\\" or PlaybookName contains \\\"email\\\" or PlaybookName contains \\\"teams\\\" or PlaybookName contains \\\"ticket\\\" or PlaybookName contains \\\"post\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by PlaybookName\\r\\n| render timechart \",\"size\":0,\"showAnnotations\":true,\"showAnalytics\":true,\"title\":\"Notification SOAR Playbooks (Triggered over Time)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. 
Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isSOARVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Security Orchestration, Automation, and Response (SOAR)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Shadow IT Detection](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nShadow IT detection systems detect the presence of unauthorized software and systems in use by an agency.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Tutorial: Discover and Manage Shadow IT in Your Network](https://docs.microsoft.com/cloud-app-security/tutorial-shadow-it)
\\r\\n💡 [Review Your Security Recommendations](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Endpoint Discovery - Navigating Your Way Through Unmanaged Devices](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909)
\\r\\n💡 [Device Discovery Overview](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery)
\\r\\n💡 [Welcome to Microsoft Defender for IoT](https://docs.microsoft.com/azure/defender-for-iot/overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud Apps](https://portal.cloudappsecurity.com/)
\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft Defender for IoT](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.IP, PR.MA, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"shadow\\\" or Description contains \\\"unauth\\\" or Description contains \\\"rogue\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Shadow IT\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"safe\\\" or RecommendationDisplayName contains \\\"authorized\\\" or RecommendationDisplayName contains \\\"endpoint protection\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by 
RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate 
>>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| extend Azure_Inventory=location\\r\\n| extend M365_Inventory=strcat(\\\"https://security.microsoft.com/machines\\\")\\r\\n| project AssetID=id,AssetType=type, Azure_Inventory, M365_Inventory\\r\\n| sort by AssetType desc\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Asset Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. 
\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Azure_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Azure Inventory >>\",\"bladeOpenContext\":{\"bladeName\":\"InventoryBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"\",\"source\":\"static\",\"value\":\"25\"}]}}},{\"columnMatch\":\"M365_Inventory\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"M365 Inventory >>\"}}],\"rowLimit\":2500,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isShadowVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Shadow IT Detection\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Virtual Private Network (VPN)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nVirtual private network (VPN) solutions provide a secure communications mechanism between networks that may traverse across unprotected or public networks.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [VPN Gateway]( https://azure.microsoft.com/services/vpn-gateway/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [What is VPN Gateway?](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n🔀 [Microsoft Defender for Cloud: Recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.DS, PR.IP, PR.MA, PR.PT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"private\\\" or RecommendationDisplayName contains \\\"vpn\\\" or RecommendationDisplayName contains \\\"network gateway\\\" or RecommendationDisplayName contains \\\"express\\\" or RecommendationDisplayName contains \\\"VPC\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"gate\\\" or type contains \\\"bastion\\\" or type contains \\\"route\\\" or type contains \\\"privateend\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"VPN Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isVPNVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Virtual Private Network (VPN)\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Enterprise Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Unified Communications & Collaboration](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nUCC measures including identity verification, encrypted communications, connection terminations, and data loss prevention. 
\\r\\n\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Unified Communications & Collaboration Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 114\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Identity Verification\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Identity\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Encrypted Communication\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Encrypted\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Connection Termination\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Connection\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"UCC Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a206a547-329b-4003-8832-c16daacca6c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIdentityVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Identity\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEncryptedVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Encrypted\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9b640df5-5ec5-41bc-8e78-086304ed742a\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isConnectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Connection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"893f0857-1ccf-4c35-8432-abe89d1fcf15\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"t
rue\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"767d26fb-524c-448c-9240-40f069a8db45\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Identity Verification](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentity verification ensures that access to the virtual meeting is limited to appropriate individuals. Waiting room features, where the meeting host authorizes vetted individuals to join the meeting can also be utilized.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Security and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-security-guide)
\\r\\n💡 [Identity Models and Authentication for Microsoft Teams](https://docs.microsoft.com/microsoftteams/identify-models-authentication)
\\r\\n💡 [Microsoft Sentinel and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-sentinel-guide)
\\r\\n💡 [Microsoft Teams Meeting Attendance Report](https://docs.microsoft.com/microsoftteams/teams-analytics-and-reports/meeting-attendance-report)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where AppDisplayName has_any (\\\"teams\\\", \\\"webex\\\", \\\"slack\\\", \\\"zoom\\\", \\\"meet\\\", \\\"chat\\\", \\\"goto\\\")\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId, AppDisplayName\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, AppDisplayName, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"UCC Authentications\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 9\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIdentityVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Identity Verification\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Encrypted 
Communication](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCommunication between virtual meeting participants and any data exchanged is encrypted at rest and in transit. Some UCC offerings support end-to-end encryption, where encryption is performed on the clients and can only be decrypted by the other authenticated participants and cannot be decrypted by the UCC vendor.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityrecommendation) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Security and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-security-guide)
\\r\\n💡 [Microsoft Sentinel and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-sentinel-guide)
\\r\\n💡 [Trustworthy by Default](https://docs.microsoft.com/microsoftteams/teams-security-guide#trustworthy-by-default)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where RecordType == \\\"MicrosoftTeams\\\"\\r\\n| extend TeamsMembers = strcat(Members)\\r\\n| distinct Operation, UserId, TeamsMembers, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Teams Logs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * 
'/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"web apps\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEncryptedVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Encrypted Communication\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Connection Termination](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMechanisms that ensure the meeting host can positively control participation. These can include inactivity timeouts, on-demand prompts, unique access codes for each meeting, host participant eviction, and even meeting duration limits.\\r\\n\\r\\n### Implementation \\r\\n💡 [Manage Meeting Policies in Teams](https://docs.microsoft.com/microsoftteams/meeting-policies-in-teams)
\\r\\n💡 [Manage Microsoft Teams Rooms](https://docs.microsoft.com/microsoftteams/rooms/rooms-manage)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Teams Admin Center](https://admin.teams.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, PR.AT](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":1,\"content\":{\"json\":\"### ✳️ [Leverage Microsoft Teams for UCC Connection Termination Controls via Meeting Policies](https://docs.microsoft.com/microsoftteams/meeting-policies-in-teams?WT.mc_id=Portal-fx)\\r\\n \\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isConnectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Connection Termination\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMechanisms for controlling the sharing of information between UCC participants, intentional or incidental. This may be integrated into additional agency data loss prevention technologies and can include keyword matching, attachment file type or existence prohibitions, attachment size limitations, or even audio/visual filters.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Data Loss Prevention and Microsoft Teams](https://docs.microsoft.com/microsoft-365/compliance/dlp-microsoft-teams)
\\r\\n💡[Communication Compliance in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft 365 Defender](https://security.microsoft.com/)
\\r\\n🔀 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| summarize count() by ApplicationName_s, LabelName_s\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitive Data Actions by Application\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Protection](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nData protection measures including access control, protections for data at rest, protections for data in transit, data loss prevention, and data access & use telemetry. 
\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Protection Capabilities Guide\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 115\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Access Control\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Access\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Protections for Data at Rest\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Rest\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Protections for Data in Transit\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Transit\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Loss Prevention\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Control\\\\\\\": \\\\\\\"Data Access and Use Telemetry\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Use\\\\\\\" }\\\\r\\\\n]\\\"}\\r\\n\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}]}},\"customWidth\":\"40\",\"name\":\"query - 
8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"6a82c6f2-dde9-45d9-acf4-23e96b5b2647\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAccessVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Access\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isRestVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Rest\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"b91d3f98-d0d1-4e31-a63c-d949e61ec08b\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isTransitVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Transit\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"a34338fa-6463-4b8f-866f-2d79396eceb7\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaC
ontext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9a520097-2a54-41dd-bf84-7ca039dd1939\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Use\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"22c31b63-743c-4b33-924e-26a70aa0fefb\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"10\",\"name\":\"Hidden Parameters Selectors\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control technologies allow an agency to define policies concerning the allowable activities of users and entities to data and resources.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How Access Management in Azure AD works](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups#how-access-management-in-azure-ad-works)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LastObserved = SigninLogs\\r\\n| where ResultType == 0\\r\\n| summarize arg_max(TimeGenerated, *) by UserPrincipalName\\r\\n| project UserPrincipalName, LastSignIn=TimeGenerated;\\r\\nSigninLogs\\r\\n| extend UserProfile = strcat(\\\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\\\", UserId)\\r\\n| where ResultType == 0\\r\\n| summarize count() by UserPrincipalName, UserProfile, UserId, AppDisplayName\\r\\n| join (LastObserved) on UserPrincipalName\\r\\n| project UserPrincipalName, AppDisplayName, SignInCount=count_, UserProfile, LastSignIn, UserId\\r\\n| sort by SignInCount desc\\r\\n| limit 2500\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Access by Application\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"SignInCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"UserProfile\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"AAD User Profile >>\",\"bladeOpenContext\":{\"bladeName\":\"UserDetailsMenuBlade\",\"extensionName\":\"Microsoft_AAD_IAM\",\"bladeParameters\":[{\"name\":\"userId\",\"source\":\"column\",\"value\":\"UserId\"}]}}},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":2500,\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OperationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Runs\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":100,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"}}},\"customWidth\":\"50\",\"name\":\"query - 
9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where ResultType == 0\\r\\n| where Location <> \\\"\\\"\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"User Sign-Ins by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OperationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Runs\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":10,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"},\"numberFormatSettings\":{\"un
it\":0,\"options\":{\"style\":\"decimal\"}}}},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"showPin\":false,\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAccessVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protections for Data at Rest](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData protection at rest aims to secure data stored on any endpoint or storage medium.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Data Encryption at Rest](https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest)
\\r\\n💡 [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName has_any(\\\"encrypt\\\", \\\"storage\\\", \\\"database\\\", \\\"databases\\\", \\\"SQL\\\", \\\"disk\\\", \\\"disks\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isRestVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Protections for Data at Rest\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protections for Data in Transit](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData protection in transit, or data in motion, aims to secure data that is actively moving from one location to another, such as across the internet or through a private enterprise network.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Implementation \\r\\n💡 [Azure Data Encryption in Transit](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit)
\\r\\n💡 [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)
\\r\\n💡 [Use Microsoft Defender for Cloud Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Encryption for Data in Transit](https://docs.microsoft.com/compliance/assurance/assurance-encryption-in-transit)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CustomView = SecurityRecommendation | summarize arg_max(TimeGenerated,*) by RecommendationName| project RecommendationName, RecommendationLink | parse RecommendationLink with * '/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/' assessmentKey '/' *;\\r\\nSecurityRecommendation\\r\\n| where RecommendationDisplayName has_any(\\\"http\\\", \\\"https\\\", \\\"TLS\\\", \\\"transfer\\\", \\\"transit\\\", \\\"Secure Socket\\\", \\\"SSH\\\", \\\"just\\\", \\\"FTP\\\", \\\"server-side\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationDisplayName\\r\\n| summarize Failed = countif(RecommendationState == \\\"Unhealthy\\\"), Passed = countif(RecommendationState == \\\"Healthy\\\"), Total = countif(RecommendationState == \\\"Unhealthy\\\" or RecommendationState == \\\"Healthy\\\") by RecommendationName\\r\\n| extend PassedControls = (Passed/todouble(Total))*100\\r\\n| join (CustomView) on RecommendationName\\r\\n| project RecommendationName, Total, PassedControls, Passed, Failed, RecommendationLink, assessmentKey\\r\\n| where Total > 0\\r\\n| sort by Total, Passed desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Recommendations \",\"noDataMessage\":\"Confirm Microsoft Defender for Cloud: Regulatory Compliance Initiative for NIST SP 800-53 R4 is enabled with Microsoft Defender for Cloud Continous Log Export to this workspace. 
See Getting Started steps in the help tab above for more information\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"Passed\",\"color\":\"green\"},{\"columnName\":\"Failed\",\"color\":\"redBright\"}]}}},{\"columnMatch\":\"PassedControls\",\"formatter\":0,\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Remediate >>\",\"bladeOpenContext\":{\"bladeName\":\"RecommendationsBlade\",\"extensionName\":\"Microsoft_Azure_Security\",\"bladeParameters\":[{\"name\":\"assessmentKey\",\"source\":\"column\",\"value\":\"assessmentKey\"}]}}},{\"columnMatch\":\"assessmentKey\",\"formatter\":5},{\"columnMatch\":\"Family\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 
9\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isTransitVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Protections for Data in Transit\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Implementation \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Hunt for Threats with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/hunting)
\\r\\n💡 [Learn about Microsoft 365 Endpoint Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔀 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = tostring(parse_json(tostring(AdditionalData.tactics)))\\r\\n| where Description contains \\\"data\\\" or Title contains \\\"data\\\" or Description contains \\\"loss\\\" or Title contains \\\"loss\\\" or Description contains \\\"exfil\\\" or Title contains \\\"exfil\\\" or Tactics contains \\\"exfil\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, TimeGenerated desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents: Data Loss\",\"noDataMessage\":\"No Incidents Observed For This Technique Within These Thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident 
Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| project UserId_s, LabelName_s, Operation_s, Activity_s, IPv4_s, ProtectionOwner_s, ApplicationName_s, ProcessName_s, Platform_s, ContentId_g, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Scan/Monitor for Sensitive Data with Azure Information Protection\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Access and Use 
Telemetry](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentify agency sensitive data stored, processed, or transmitted, including those located at a service provider. Enforce detailed logging for access or changes to sensitive data.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [What is Azure Information Protection?](https://docs.microsoft.com/azure/information-protection/what-is-information-protection)
\\r\\n💡 [Tutorial: Discovering Your Sensitive Content with the Azure Information Protection (AIP) scanner](https://docs.microsoft.com/azure/information-protection/tutorial-scan-networks-and-content)
\\r\\n💡 [Quickstart: Deploying the Azure Information Protection (AIP) Unified Labeling Client](https://docs.microsoft.com/azure/information-protection/quickstart-deploy-client)
\\r\\n💡 [Azure Information Protection (AIP) Labeling, Classification, and Protection](https://docs.microsoft.com/azure/information-protection/aip-classification-and-protection)
\\r\\n💡 [Overview of Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/data-loss-prevention-policies)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔀 [Microsoft Entra ID](https://portal.azure.com#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔀 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.PT, DE.AE, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\\r\\n### Control Assessment\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"52668f65-b44a-4e14-82d8-c87410e7e5dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationStatus\",\"label\":\"Status\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Not Implemented\\\", \\\"label\\\": \\\"Not Implemented\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"Implemented\\\", \\\"label\\\": \\\"Implemented\\\"},\\r\\n {\\\"value\\\": \\\"Alternate Implementation\\\", \\\"label\\\": \\\"Alternate Implementation\\\"},\\r\\n {\\\"value\\\": \\\"Planned\\\", \\\"label\\\": \\\"Planned\\\"},\\r\\n {\\\"value\\\": \\\"Out of Scope\\\", \\\"label\\\": \\\"Out of Scope\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"578b8620-30b9-4b92-abc6-997998bc8156\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ImplementationDate\",\"label\":\"Date\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Notes\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":86400000},\"id\":\"7bd0d384-d3c3-4c77-9dae-d75e823edfcf\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Status\"},{\"type\":1,\"content\":{\"json\":\"### Notes
\\r\\n{Notes}\"},\"name\":\"text - 1\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"50\",\"name\":\"Control Smartcard\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| summarize count() by UserId_s, LabelName_s, ApplicationName_s_s, Operation_s_s, Platform_s_s, Activity_s_s, IPv4_s_s\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Data Access and Use Telemetry\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| extend UserPrincipalName = UserId_s_s\\r\\n| where LabelName_s <> \\\"\\\"\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Sensitive Data Access by 
Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. \",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"lati
tude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\"}]}}},\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Access and Use Telemetry\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Protection Group\"}],\"fromTemplateId\":\"sentinel-ZeroTrust(TIC3.0)\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
diff --git a/Solutions/ZeroTrust(TIC3.0)/Workbooks/ZeroTrustTIC3.json b/Solutions/ZeroTrust(TIC3.0)/Workbooks/ZeroTrustTIC3.json
index 9994e9ea7c1..909c0ed0b24 100644
--- a/Solutions/ZeroTrust(TIC3.0)/Workbooks/ZeroTrustTIC3.json
+++ b/Solutions/ZeroTrust(TIC3.0)/Workbooks/ZeroTrustTIC3.json
@@ -15867,7 +15867,7 @@
{
"type": 1,
"content": {
- "json": "# [Anti-SPAM Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nAnti-SPAM protections detect and quarantine instances of SPAM.\r\n\r\n### Recommended Logs\r\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\r\n\r\n### Microsoft Reference \r\n💡 [Anti-Spam protection in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-spam-protection)
\r\n💡 [Configure Anti-Spam Policies in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies)
\r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment"
+ "json": "# [Anti-SPAM Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\r\nAnti-SPAM protections detect and quarantine instances of SPAM.\r\n\r\n### Recommended Logs\r\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://learn.microsoft.com/defender-office-365/mdo-about)
\r\n\r\n### Microsoft Reference \r\n💡 [Anti-spam protection in cloud organizations](https://learn.microsoft.com/defender-office-365/anti-spam-protection-about)
\r\n💡 [Configure anti-spam policies for cloud mailboxes](https://learn.microsoft.com/defender-office-365/anti-spam-policies-configure)
\r\n\r\n### Microsoft Portals\r\n🔀 [Microsoft 365 Defender](https://security.microsoft.com)
\r\n\r\n### NIST Cybersecurity Framework Mapping\r\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\r\n\r\n### Control Assessment"
},
"name": "text - 3"
},
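Review bot: The learn.microsoft.com link refresh in the replaced `json` value does not reach the packaged copies of this workbook — the NISTSP80053 `Package/mainTemplate.json` hunk earlier on this page still embeds a serialized workbook carrying `"fromTemplateId":"sentinel-ZeroTrust(TIC3.0)"` with docs.microsoft.com references throughout, so the source workbook and its packaged copy now drift. If the ZeroTrust(TIC3.0) solution's own `Package/mainTemplate.json` embeds this workbook as `serializedData` (not visible here), it should be regenerated from the updated Workbooks file in the same change, otherwise deployed solutions keep the retired docs.microsoft.com paths and depend on Microsoft's redirects staying in place. Separately, the `json` string is printed across several physical lines on both the old and new side; if those are literal line breaks in the file rather than a rendering artifact, the value is not strictly valid JSON (RFC 8259 requires control characters inside strings to be escaped, as the existing `\r\n` sequences are), which is pre-existing but worth confirming with a strict parser before packaging. The change is otherwise documentation-only; the `https://security.microsoft.com` portal link is unchanged.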