ACSC Essential 8 – Health Report in Microsoft Sentinel

Purpose 

Maintaining compliance with security frameworks and standards can be challenging and difficult. This is due to several reasons such as increasing number and complexity of requirements, dealing with limited skills and resources, and working with multiple teams responsible for maintaining compliance who do not share the same compliance expertise (e.g. compliance/audit, engineering/operations).

A traditional approach to monitoring compliance using limited point-in-time assessments is neither scalable nor effective. This approach involves wasted resources on manual activities (interviews, sample audits, information gathering), can provide a narrow and an inaccurate view of compliance, and can be difficult to maintain and report on.

In this blog post, we are proposing an approach to compliance by creating a dashboard and monitoring the implementation of compliance requirements in real-time. This dashboard will be created in Microsoft Sentinel since the data sources are usually already collected and monitored by SecOps teams. By leveraging Sentinel Workbooks, we can create custom dashboards, combine multiple data sources, and interact with rich visual reports.

Using one solution for different teams offers several benefits such as saving time on manual efforts, consistency in governing and prioritising security controls, and rapid reporting with accurate information. This can be useful for engineers and administrators responsible for monitoring and implementing specific controls regularly, as well as for management and compliance/audit teams.

In order to demonstrate this approach, we considered the requirements by the Australian Cyber Security Centre (ACSC) Essential 8 mitigation strategies. We are excited to share an Azure Workbook, ACSC Essential 8 – Health Report, that provides a view of Azure resources' health against these requirements.  The screenshot below shows the first tab in this workbook, presenting an overview of the health status for the different Essential 8 strategies.

Essential 8 Overview.jpg

Structure

The ACSC Essential 8 – Health report is a custom workbook that can be imported into Microsoft Sentinel. It provides insights on the health state of Azure resources against requirements by the ACSC Essential 8. This is achieved by querying logs from the Log Analytics Workspace or querying resources using Azure Resource Graph to monitor for specific controls and configurations on the resources in alignment with the Essential 8 requirements. Recognising that the Essential 8 strategies are designed to protect infrastructure resources, the current scope of this workbook is Azure (Windows and ) and Azure Subscriptions (where relevant and required).

The workbook includes 9 tabs: a General tab, providing an executive summary, and one tab for each Essential 8 strategy. The Essential 8 tabs include (1) guidance on what controls/configurations are monitored and how resources are interpreted as healthy/not healthy, (2) chart indicating a percentage of healthy resources and (3) additional details on the resources in scope. Note: Application control tab is currently not yet implemented and will be updated soon.

While automating monitoring for all controls in Essential 8 is not possible, a subset of controls within Essential 8 Maturity Level 2 are targeted in this workbook. Organisations can review these controls and customise as required.

The below screenshot shows an example of one Essential 8 control: Patch applications. This view includes a health legend, summary health chart, and details on the health of resources.

Essential 8 - patch.png

The report can be shared via link, printed, or saved as PDF.

Setup

Pre-requisites:

1. Azure Subscription

2. Log Analytics Workspace and Sentinel enabled.

Data sources:

1. Sentinel data connector: Microsoft 365

2. Default security initiative in Microsoft for Cloud needs to be enabled for all subscriptions to be monitored by the workbook

3. for Servers P1/P2 needs to be enabled on all subscriptions and servers to be monitored by the workbook.

Note: Workbook will not show data for controls if the relevant data sources are not configured/enabled. Some strategies rely on data only available through a Microsoft Sentinel private preview feature. To see these strategies, and to provide feedback for this and other private previews for Microsoft Sentinel and other Microsoft security products, join our Customer Connection Program and learn more here.

Please see the below list for more information on data sources required for each Essential 8 Strategy:

Data source Required for
Microsoft 365 Defender connector ·       Configure macro settings

·       User application hardening

Default security initiative in Microsoft Defender for Cloud ·      

·       Regular Backups

·       Restrict admin privileges (subscription controls)

Defender for Servers P1 ·       Patch applications

·       Patch OS

Defender for Servers P2 ·       Restrict admin privileges ( controls)

Permissions:

To create and delete a Microsoft Sentinel workbook, the user needs either the Microsoft Sentinel Contributor role or a lesser Microsoft Sentinel role, together with the Workbook Contributor role. This role isn't necessary for using workbooks, only for creating and deleting.

Deployment:

  1. Import “ACSC Essential 8 – Health Report” published template from:
    Azure-Sentinel/AcscEssential8.json at master · Azure/Azure-Sentinel · GitHub by copying all Raw text
  2. Open Azure Portal, go to Workbooks, and select Add workbook
  3. Click Edit button and then click on the Advanced Editor button
  4. Delete all current JSON text and Paste copied text and click Apply then Save
  5. Give the workbook a title and choose the location to save it.
     

Additional guidance          

Customisations:

This workbook is a demonstration of an approach to compliance that can be customised to include additional scopes, new controls, information/logs from third-party solutions, or different visuals.  More instructions on working with workbooks can be found here.

Filtering:

The scope of compliance reporting is extremely critical, whether it is for internal decision making or external reporting. You can leverage filters to include or exclude specific data from the report. For example, you may need to report on subscriptions that are classified as confidential/protected or subscriptions that are production and not dev/test environments.

This workbook and other additional guidance on Essential 8 from Microsoft:

Microsoft has also released additional guidance to comply with the ACSC Essential 8 requirements. This guidance can be found here. While this guidance offers in-depth details to design and implement specific security controls across end-user environments, this workbook is an automated monitoring capability for these controls (where possible) and cover infrastructure resources.

This workbook and Compliance Manager:

Microsoft Purview Compliance Manager helps teams manage the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors. While compliance manager offers a way to establish a compliance process for various regional standards and regulations, create workflows and govern required actions, this workbook is an automated monitoring capability for some of these controls and limited to Azure resources and ACSC Essential 8 requirements. We recommend using Compliance Manager to maintain a compliance process for all your different standards and frameworks.

Disclaimer:

The ACSC Essential 8 – Health Report workbook demonstrates guidance, but Microsoft does not guarantee nor imply compliance. All requirements, validations, and controls are governed by the ACSC. This workbook provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user, and some panels may require additional configurations and query modification for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective control requirements.

This workbook is not an official product by Microsoft and therefore is not supported. Fixing issues and adding new features will be prioritised on best effort basis. The community is encouraged to contribute to this workbook.

 

This article was originally published by Microsoft's Sentinel Blog. You can find the original article here.