Continuous Diagnostics & Mitigation

Solution: ContinuousDiagnostics&Mitigation



Attribute | Value
Publisher | Microsoft Corporation
Support Tier | Microsoft
Support Link | https://support.microsoft.com/
Categories | domains
Version | 3.0.2
Author | Microsoft - support@microsoft.com
First Published | 2022-08-24
Solution Folder | ContinuousDiagnostics&Mitigation
Marketplace | Azure Marketplace · Popularity: ⚪ Very Low (0%)

This solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/reporting, (1) Analytics rule for monitoring and (1) Hunting query for assessment.

The Cybersecurity and Infrastructure Security Agency (CISA) Continuous Diagnostics and Mitigation (CDM) Program is a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to help them improve their respective security postures by delivering better visibility and awareness of their networks and defending against cyber adversaries. For more information, see Continuous Diagnostics and Mitigation (CDM).

Contents

Data Connectors

This solution does not include data connectors.

This solution may contain other components such as analytics rules, workbooks, hunting queries, or playbooks.

Tables Used

This solution queries 28 table(s) from its content items:

Table | Used By Content
AWSCloudTrail | Workbooks
AWSVPCFlow | Workbooks
AuditLogs | Workbooks
AzureActivity | Workbooks
AzureDevOpsAuditing | Workbooks
AzureDiagnostics | Workbooks
CarbonBlack_Alerts_CL | Workbooks
CommonSecurityLog | Workbooks
ConfigurationData | Workbooks
DeviceEvents | Workbooks
DeviceFileEvents | Workbooks
DeviceLogonEvents | Workbooks
DnsEvents | Workbooks
Dynamics365Activity | Workbooks
GCP_IAM_CL | Workbooks
GitHubAuditLogPolling_CL | Workbooks
InformationProtectionLogs_CL | Workbooks
OfficeActivity | Workbooks
QualysHostDetectionV3_CL | Workbooks
SecurityBaseline | Workbooks
SecurityEvent | Workbooks
SecurityNestedRecommendation | Workbooks
SecurityRecommendation | Analytics, Hunting, Workbooks
SigninLogs | Workbooks
StorageBlobLogs | Workbooks
Syslog | Workbooks
ThreatIntelligenceIndicator | Workbooks
WindowsFirewall | Workbooks

Internal Tables

The following 4 table(s) are used internally by this solution's content items:

Table | Used By Content
AlertEvidence | Workbooks
IdentityInfo | Workbooks
SecurityAlert | Workbooks
SecurityIncident | Workbooks

Content Items

This solution includes 3 content item(s):

Content Type | Count
Analytic Rules | 1
Hunting Queries | 1
Workbooks | 1

Analytic Rules

Name | Severity | Tactics | Tables Used
CDM_ContinuousDiagnostics&Mitigation_PostureChanged | Medium | Discovery | SecurityRecommendation

Hunting Queries

Name | Tactics | Tables Used
CDM_ContinuousDiagnostics&Mitigation_Posture | Discovery | SecurityRecommendation

Workbooks

Name | Tables Used
ContinuousDiagnostics&Mitigation | AWSCloudTrail, AWSVPCFlow, AuditLogs, AzureActivity, AzureDevOpsAuditing, AzureDiagnostics, CarbonBlack_Alerts_CL, CommonSecurityLog, ConfigurationData, DeviceEvents, DeviceFileEvents, DeviceLogonEvents, DnsEvents, Dynamics365Activity, GCP_IAM_CL, GitHubAuditLogPolling_CL, InformationProtectionLogs_CL, OfficeActivity, QualysHostDetectionV3_CL, SecurityBaseline, SecurityEvent, SecurityNestedRecommendation, SecurityRecommendation, SigninLogs, StorageBlobLogs, Syslog, ThreatIntelligenceIndicator, WindowsFirewall. Internal use: AlertEvidence, IdentityInfo, SecurityAlert, SecurityIncident

Additional Documentation

📄 Source: ContinuousDiagnostics&Mitigation/README.md

Overview


Microsoft Sentinel: Continuous Diagnostics & Mitigation (CDM) Solution

This Solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/reporting, (1) Analytics rule for monitoring and (1) Hunting query for assessment. "The Cybersecurity and Infrastructure Security Agency (CISA) Continuous Diagnostics and Mitigation (CDM) Program is a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to help them improve their respective security postures by delivering better visibility and awareness of their networks and defending against cyber adversaries." For more information, see Continuous Diagnostics and Mitigation (CDM).


Getting Started

This Solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All CDM requirements, validations, and controls are governed by the Cybersecurity & Infrastructure Security Agency. This solution provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user, and some panels may require additional configuration to operate. Recommendations do not imply coverage of the respective controls, as they are often one of several courses of action for approaching requirements that are unique to each customer.

[Content truncated...]

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.0.2 | 29-09-2025 | Updated the broken metrics in the workbook
3.0.1 | 29-01-2024 | Updated the solution to fix Analytic Rules deployment issue
3.0.0 | 09-11-2023 | Changes for rebranding from Azure Active Directory Identity Protection to Microsoft Entra ID Protection
