Zero Trust (TIC 3.0) Solution

Solution: ZeroTrust(TIC3.0)




Attribute Value
Publisher Microsoft Corporation
Support Tier Microsoft
Support Link https://support.microsoft.com
Categories domains
Version 3.0.3
Author Microsoft - support@microsoft.com
First Published 2021-10-20
Last Updated 2026-03-12
Solution Folder ZeroTrust(TIC3.0)
Marketplace Azure Marketplace · Popularity: ⚪ Very Low (0%)

The Microsoft Sentinel Zero Trust (TIC 3.0) solution provides a mechanism for viewing log queries aligned to the Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. It enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across 25+ Microsoft and third-party products. The solution includes the Zero Trust (TIC 3.0) workbook, one analytics rule, and three playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced by numerous other Microsoft offerings. It gives security architects, engineers, SecOps analysts, managers, and IT pros situational awareness of the security posture of cloud, multi-cloud, hybrid, and on-premises workloads. For more information, see Microsoft Zero Trust Model and Trusted Internet Connections: Core Guidance Documents.

Microsoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.

Contents

Data Connectors

This solution does not include data connectors; the tables it queries must already be populated by the relevant product connectors or exports in the workspace.

It does include other components, namely one analytics rule, one workbook, and three playbooks, listed under Content Items below.

Tables Used

This solution queries 28 table(s) from its content items:

Table Used By Content
AWSCloudTrail Workbooks
AWSVPCFlow Workbooks
AuditLogs Workbooks
AzureActivity Workbooks
AzureDiagnostics Workbooks
CarbonBlack_Alerts_CL Workbooks
CommonSecurityLog Workbooks
DeviceRegistryEvents Workbooks
DnsEvents Workbooks
Dynamics365Activity Workbooks
EmailAttachmentInfo Workbooks
EmailEvents Workbooks
EmailUrlInfo Workbooks
GCP_IAM_CL Workbooks
InformationProtectionLogs_CL Workbooks
OfficeActivity Workbooks
Operation Workbooks
QualysHostDetectionV3_CL Workbooks
SecurityBaseline Workbooks
SecurityEvent Workbooks
SecurityRecommendation Analytics, Workbooks
SigninLogs Workbooks
StorageTableLogs Workbooks
Syslog Workbooks
ThreatIntelligenceIndicator Workbooks
Usage Workbooks
VMConnection Workbooks
WindowsFirewall Workbooks

Internal Tables

The following 5 table(s) are used internally by this solution's content items:

Table Used By Content
AlertEvidence Workbooks
BehaviorAnalytics Workbooks
IdentityInfo Workbooks
SecurityAlert Workbooks
SecurityIncident Workbooks

Content Items

This solution includes 5 content item(s):

Content Type Count
Playbooks 3
Analytic Rules 1
Workbooks 1

Analytic Rules

Name Severity Tactics Tables Used
ZeroTrust(TIC3.0) Control Assessment Posture Change Medium Discovery SecurityRecommendation
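
The page lists the rule but not its query. The KQL below is an added illustration of how a "posture change" detection over SecurityRecommendation can be written; it is not the solution's own analytics rule. Column names (RecommendationName, AssessedResourceId, RecommendationState, RecommendationSeverity) and the state values "Healthy" and "Unhealthy" are assumed from the SecurityRecommendation schema as populated by Microsoft Defender for Cloud continuous export; if that export is not enabled for the workspace, the table is empty and any rule over it produces nothing.

```kql
// Added illustration, not the solution's own rule.
// Compare each assessed resource's most recent recommendation state in the
// last day with its most recent state in the preceding window, and emit a
// row whenever the state flipped (Healthy -> Unhealthy is a regression).
let lookback = 14d;   // how far back to look for the previous state
let recent   = 1d;    // window treated as "current"
let latest = SecurityRecommendation
    | where TimeGenerated > ago(recent)
    | where isnotempty(AssessedResourceId)
    | summarize arg_max(TimeGenerated, RecommendationState, RecommendationSeverity)
        by RecommendationName, AssessedResourceId
    | project RecommendationName, AssessedResourceId,
              CurrentState = RecommendationState,
              RecommendationSeverity,
              CurrentTime = TimeGenerated;
let previous = SecurityRecommendation
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where isnotempty(AssessedResourceId)
    | summarize arg_max(TimeGenerated, RecommendationState)
        by RecommendationName, AssessedResourceId
    | project RecommendationName, AssessedResourceId,
              PreviousState = RecommendationState,
              PreviousTime = TimeGenerated;
latest
| join kind=inner previous on RecommendationName, AssessedResourceId
| where CurrentState != PreviousState
// Assumed state values: "Healthy", "Unhealthy", "NotApplicable".
| extend PostureDirection = case(
      CurrentState == "Unhealthy", "Regressed",
      CurrentState == "Healthy",   "Improved",
      "Other")
| project CurrentTime, PreviousTime, RecommendationName, AssessedResourceId,
          RecommendationSeverity, PreviousState, CurrentState, PostureDirection
| order by RecommendationSeverity asc, CurrentTime desc
```

When used as a scheduled rule, set the query period to at least the `lookback` value, otherwise the `previous` branch never sees data and no change is ever reported. Resources that appear for the first time within `recent` are deliberately excluded by the inner join; switch to `kind=leftouter` and treat a null PreviousState as "new" if first-seen unhealthy resources should also alert.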

Workbooks

Name: ZeroTrustTIC3

Tables used: AWSCloudTrail, AWSVPCFlow, AuditLogs, AzureActivity, AzureDiagnostics, CarbonBlack_Alerts_CL, CommonSecurityLog, DeviceRegistryEvents, DnsEvents, Dynamics365Activity, EmailAttachmentInfo, EmailEvents, EmailUrlInfo, GCP_IAM_CL, InformationProtectionLogs_CL, OfficeActivity, Operation, QualysHostDetectionV3_CL, SecurityBaseline, SecurityEvent, SecurityRecommendation, SigninLogs, StorageTableLogs, Syslog, ThreatIntelligenceIndicator, Usage, VMConnection, WindowsFirewall

Internal use: AlertEvidence, BehaviorAnalytics, IdentityInfo, SecurityAlert, SecurityIncident

Playbooks

Name Description Tables Used
Create Jira Issue This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel. -
Create-AzureDevOpsTask This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. -
Notify-GovernanceComplianceTeam This Security Orchestration, Automation, & Response (SOAR) capability is designed for configuration ... -

Additional Documentation

📄 Source: ZeroTrust(TIC3.0)/README.md

Overview


The Microsoft Sentinel Zero Trust (TIC 3.0) Solution provides a mechanism for viewing log queries aligned to the Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. It enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across cloud, multi-cloud, and first- and third-party workloads. The solution includes the Zero Trust (TIC 3.0) workbook, one analytics rule, and three playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced by numerous other Microsoft offerings. It gives security architects, engineers, SecOps analysts, managers, and IT pros situational awareness of the security posture of cloud, multi-cloud, hybrid, and on-premises workloads. For more information, see Microsoft Zero Trust Model and Trusted Internet Connections.

Try on Portal

The README provides deploy-to-portal buttons for the solution (not reproduced here).

Workbook Overview

Getting Started

This solution is designed to augment staffing through automation, machine learning, query and alert generation, and visualizations. The workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with Zero Trust (TIC 3.0) control requirements. A filter set is available for custom reporting by guide, subscription, workspace, time range, control family, and control. The offering draws telemetry from 25+ Microsoft Security and partner offerings; while only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, each additional offering provides further enrichment for aligning with control requirements. Each control includes a Control Card detailing an overview of requirements, primary and secondary controls, deep links to referenced product pages and portals, recommendations, implementation guides, compliance crosswalks, and tooling telemetry for building situational awareness of cloud workloads.

[Content truncated...]

Release Notes

Version Date Modified (DD-MM-YYYY) Change History
3.0.3 19-01-2026 EOP rebrand (updated minor link and link title changes)
3.0.2 11-09-2025 Removed the network map from the workbook.
3.0.1 31-01-2024 Updated the solution to fix Analytic Rules deployment issue
3.0.0 09-11-2023 Changes for rebranding from Azure Active Directory Identity Protection to Microsoft Entra ID Protection
