By TJBanasik and Azure Sentinel News
The Azure Sentinel CMMC Workbook provides a mechanism for viewing log queries aligned to CMMC controls across the Azure cloud including Microsoft security offerings, Office 365, Teams, Intune, Windows Virtual Desktop and many more. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective CMMC requirements and practices. The workbook features 250+ control cards aligned to the 17 CMMC control families across all 5 maturity levels with selectable GUI buttons for navigation.
The workbook helps you to gain better visibility into your cloud architecture from a security perspective while reinforcing CMMC principles for building cybersecurity critical thinking skills. The workbook consolidates multiple log sources from your Azure environment:
- Azure Active Directory
- Azure Active Directory Identity Protection
- Azure Activity
- Azure DDoS Protection
- Azure Firewall
- Azure Information Protection
- Azure Security Center
- Common Event Format
- Microsoft 365 Defender
- Microsoft Cloud App Security
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Office 365
- Security Events
- Threat Intelligence Platforms
- Windows Firewall
- User Entity Behavior Analytics
- Windows Virtual Desktop
Deploying the Workbook
It is recommended that you have the log sources listed above to get the full benefit of the CMMC Workbook, but the workbook will deploy regardless of your available log sources. Follow the steps below to enable the workbook:
Requirements: Azure Sentinel Workspace and Security Reader rights.
1) From the Azure portal, navigate to Azure Sentinel
2) Select Workbooks > Templates
3) Search CMMC and select Save to add to My Workbooks
Navigating the Workbook
The Legend Panel provides a helpful reference for navigating the workbook with respective colors, features, and reference indicators.
The Guide Toggle is available in the top left of the workbook. This toggle allows you to view panels such as architectural recommendations and guides which will be helpful when you first access the workbook but can be hidden once you’ve grasped respective concepts.
The Control Family Ribbon provides a mechanism for navigating to the desired control family. Selecting a control family will display Control Cards in the respective Control Family. The Maturity Level Ribbon drills down further to the desired control maturity level. You can view an index of controls in the workbook if you have the Guide Toggle enabled.
There are several use cases for the Azure Sentinel CMMC Workbook depending on user roles and requirements. The graphic below shows how a cloud security architect can leverage the workbook to review requirements, reference documentation, make configurations, and export artifacts. There are also several additional use cases where this workbook will be helpful:
- Security Architect: Build/design a cloud security architecture to compliance requirements.
- SecOps Analyst: Review activity in queries, configure alerts, deploy SOAR automation.
- IT Pro: Identify performance issues, investigate issues, set alerts for remediation monitoring.
- Security Engineer: Assess security controls, review alerting thresholds, adjust configurations.
- Security Manager: Review requirements, analyze reporting, evaluate capabilities, adjust accordingly.
Configurations & Troubleshooting
It’s important to note that this workbook provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations and query modification for operation. It’s unlikely that all 250+ panels will populate data, but this is expected as panels without data highlight respective areas for evaluation in maturing cybersecurity capabilities. Control Cards without data will display the custom error message below. Most issues are resolved by confirming licensing/availability/health of the log source, confirming the log source is connected to the Sentinel workspace, and adjusting time thresholds for larger data sets. Ultimately this workbook is customer-controlled content, so panels are configurable per customer requirements. You can edit/adjust Control Card queries as follows:
- CMMC Workbook > Edit > Edit Panel > Adjust Panel KQL Query > Save
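Before editing a Control Card query, it helps to confirm that the underlying table is actually receiving data in the workspace. The following KQL is an added example (not a query from the workbook itself) that lists which of the tables behind the log sources above hold records and when each last received one; the table-to-log-source mapping in the comments is an assumption about a typical connector setup, and `isfuzzy=true` keeps the query running when a table is absent.

```kql
// Added example (not a workbook query): which expected tables hold data, and how recently.
// isfuzzy=true lets the union succeed even if some tables do not exist in this workspace.
let lookback = 7d;   // widen this when a Control Card is empty over a short time range
union withsource=TableName isfuzzy=true
    SigninLogs,                    // Azure Active Directory (assumed mapping)
    AuditLogs,                     // Azure Active Directory
    AzureActivity,                 // Azure Activity
    AzureDiagnostics,              // Azure Firewall, Azure DDoS Protection
    SecurityAlert,                 // Azure Security Center / Defender alerts
    CommonSecurityLog,             // Common Event Format
    OfficeActivity,                // Office 365
    SecurityEvent,                 // Security Events
    ThreatIntelligenceIndicator,   // Threat Intelligence Platforms
    WindowsFirewall,               // Windows Firewall
    BehaviorAnalytics,             // User Entity Behavior Analytics
    WVDConnections                 // Windows Virtual Desktop
| where TimeGenerated > ago(lookback)
| summarize Records = count(), LastRecord = max(TimeGenerated) by TableName
| order by LastRecord desc
```

A table that is missing from the output points at the connector, licensing or log source health; a table that appears here while its Control Card stays empty points at the card's own filters or time threshold.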
Microsoft Blog Posts on CMMC
Below are additional resources for learning more about CMMC in the cloud with Microsoft. Let us know if there are additional government compliance frameworks we can help with. Bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity or visit our website for the latest news and updates on cybersecurity.
- Microsoft CMMC Acceleration Program Update
- Microsoft Public Sector Blog: Azure Sentinel CMMC Workbook
The Azure Sentinel CMMC Workbook demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All accreditation requirements and decisions are governed by the CMMC Accreditation Body. This workbook provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations and query modification for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective control requirements.