NIST SP 800-53

Solution: NISTSP80053


| Attribute | Value |
| --- | --- |
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.3 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-02-24 |
| Last Updated | 2026-01-22 |
| Solution Folder | NISTSP80053 |
| Marketplace | Azure Marketplace · Popularity: 🔵 Medium (74%) |

This solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This workbook is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. The Microsoft Sentinel: NIST SP 800-53 R4 solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All requirements, validations, and controls are governed by the National Institute of Standards and Technology (NIST). This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user, and some panels may require additional configuration to operate. Recommendations do not imply coverage of the respective controls, as they are often one of several courses of action for approaching requirements, which are unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of the respective requirements. This workbook does not address all controls within the framework. It should be considered a supplemental tool to gain visibility of technical controls within cloud, multi-cloud, and hybrid networks. For the full listing of respective controls, see the Microsoft Cloud Service Trust Portal.

Data Connectors

This solution does not include data connectors.

This solution may contain other components such as analytics rules, workbooks, hunting queries, or playbooks.

Tables Used

This solution queries 29 table(s) from its content items:

| Table | Used By Content |
| --- | --- |
| AADUserRiskEvents | Workbooks |
| AWSCloudTrail | Workbooks |
| AWSVPCFlow | Workbooks |
| AuditLogs | Workbooks |
| AzureActivity | Workbooks |
| AzureDiagnostics | Workbooks |
| CarbonBlack_Alerts_CL | Workbooks |
| CommonSecurityLog | Workbooks |
| ConfigurationChange | Workbooks |
| DeviceFileEvents | Workbooks |
| DnsEvents | Workbooks |
| Dynamics365Activity | Workbooks |
| EmailEvents | Workbooks |
| GCP_IAM_CL | Workbooks |
| Heartbeat | Workbooks |
| OfficeActivity | Workbooks |
| Operation | Workbooks |
| QualysHostDetectionV3_CL | Workbooks |
| SecureScores | Workbooks |
| SecurityBaseline | Workbooks |
| SecurityEvent | Workbooks |
| SecurityRecommendation | Analytics, Workbooks |
| SecurityRegulatoryCompliance | Analytics, Workbooks |
| SigninLogs | Workbooks |
| StorageBlobLogs | Workbooks |
| Syslog | Workbooks |
| ThreatIntelligenceIndicator | Workbooks |
| Usage | Workbooks |
| WindowsFirewall | Workbooks |

Internal Tables

The following 4 table(s) are used internally by this solution's content items:

| Table | Used By Content |
| --- | --- |
| AlertEvidence | Workbooks |
| IdentityInfo | Workbooks |
| SecurityAlert | Workbooks |
| SecurityIncident | Workbooks |

Content Items

This solution includes 5 content item(s):

| Content Type | Count |
| --- | --- |
| Playbooks | 3 |
| Analytic Rules | 1 |
| Workbooks | 1 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
| --- | --- | --- | --- |
| NIST SP 800-53 Posture Changed | Medium | Discovery | SecurityRecommendation, SecurityRegulatoryCompliance |

Workbooks

| Name | Tables Used |
| --- | --- |
| NISTSP80053 | AADUserRiskEvents, AWSCloudTrail, AWSVPCFlow, AuditLogs, AzureActivity, AzureDiagnostics, CarbonBlack_Alerts_CL, CommonSecurityLog, ConfigurationChange, DeviceFileEvents, DnsEvents, Dynamics365Activity, EmailEvents, GCP_IAM_CL, Heartbeat, OfficeActivity, Operation, QualysHostDetectionV3_CL, SecureScores, SecurityBaseline, SecurityEvent, SecurityRecommendation, SecurityRegulatoryCompliance, SigninLogs, StorageBlobLogs, Syslog, ThreatIntelligenceIndicator, Usage, WindowsFirewall. Internal use: AlertEvidence, IdentityInfo, SecurityAlert, SecurityIncident |

Playbooks

| Name | Description | Tables Used |
| --- | --- | --- |
| Create Jira Issue | This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel. | - |
| Create-AzureDevOpsTask | This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. | - |
| Notify_GovernanceComplianceTeam | This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. | - |

Additional Documentation

📄 Source: NISTSP80053/README.md

Overview


Microsoft Sentinel: NIST SP 800-53 Solution

This Solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This Solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. The Microsoft Sentinel: NIST SP 800-53 Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All requirements, validations, and controls are governed by the National Institute of Standards and Technology (NIST).

Workbook Overview

Getting Started

This solution is designed to augment staffing through automation, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with NIST SP 800-53 control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and controls. This offering includes telemetry from 25+ Microsoft Security products (1P/3P/Multi-Cloud/Hybrid/On-Premises). Only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started; each additional offering provides further enrichment for aligning with control requirements. Each NIST SP 800-53 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.

| Roles | Rights |
| --- | --- |
| Security Reader | View Workbooks, Analytics, Hunting, Security Recommendations |
| Security Contributor | Deploy/Modify Workbooks, Analytics, Hunting Queries, Apply Security Recommendations |
| Automation Contributor | Deploy/Modify Playbooks & Automation Rules |

[Content truncated...]

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
| --- | --- | --- |
| 3.0.3 | 19-01-2026 | EOP rebrand (updated minor link and link title changes) |
| 3.0.2 | 23-09-2025 | Updated the workbook with new links and fixed broken metrics. |
| 3.0.1 | 31-01-2024 | Updated the solution to fix Analytic Rules deployment issue |
| 3.0.0 | 09-11-2023 | Changes for rebranding from Azure Active Directory Identity Protection to Microsoft Entra ID Protection |
