What Changed
Azure Security Benchmark solution updated from v3.0.4 to v3.0.5 based on Content Doctor recommendations, focusing on detection logic improvements and operational enhancements.
Detection Logic
Updated Analytic Rule “Azure Security Benchmark Posture Changed”:
- Primary data source: SecurityRecommendation and SecurityRegulatoryCompliance tables
- Core logic: joins compliance data to identify domains where policy compliance falls below 70% within the last 7 days, with an improved percentage calculation that handles zero-division scenarios
- Entity types mapped: URL (remediation portal link)
- Enhanced with proper data connector declarations (AzureSecurityCenter for SecurityRecommendation and SecurityRegulatoryCompliance data)
Query Improvements
- Added safeguard against zero-division in percentage calculations using iff() and todouble()
- Improved variable naming (Last_Evaluated → ComplianceDomainLookup)
- Enhanced sort logic and string handling
- Added proper requiredDataConnectors section (was previously empty)
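An illustrative KQL sketch of the per-domain percentage calculation and zero-division guard described above, added here and not the solution's own rule query. Assumed, not taken from the page: the ComplianceStandard value, the domain-prefix convention for control ids, the State values, that both tables share a RecommendationName column, and the fallback URL, which is a placeholder.

```kql
// Illustrative query added here; not the solution's own rule query.
// Assumed column values/conventions are marked below.
let lookback = 7d;
let threshold = 70.0;
let ComplianceDomainLookup =
    SecurityRegulatoryCompliance
    | where TimeGenerated > ago(lookback)
    | where ComplianceStandard == "Azure-Security-Benchmark"   // assumed standard name
    // keep the latest evaluation per control so re-assessments are not double counted
    | summarize arg_max(TimeGenerated, *) by ComplianceControl
    // assumed: control ids carry their domain as a prefix, e.g. "NS-1" -> "NS"
    | extend ComplianceDomain = tostring(split(ComplianceControl, "-")[0])
    | summarize
        TotalControls      = count(),
        PassedControls     = countif(State == "Passed"),   // assumed State values
        FailedControls     = countif(State == "Failed"),
        RecommendationName = take_any(RecommendationName)  // assumed shared join key
      by ComplianceDomain;
ComplianceDomainLookup
| extend AssessedControls = PassedControls + FailedControls
// Zero-division guard: a domain whose controls were all skipped or unsupported has
// AssessedControls == 0. todouble() forces floating-point division so the ratio is
// not truncated to 0 or 1 by integer arithmetic.
| extend PassedPercentage = iff(AssessedControls == 0, 0.0,
      round(todouble(PassedControls) / todouble(AssessedControls) * 100, 2))
// a 0% result from an unassessed domain must not raise an alert
| where AssessedControls > 0 and PassedPercentage < threshold
| join kind=leftouter (
    SecurityRecommendation
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, RecommendationLink) by RecommendationName
  ) on RecommendationName
// fallback is a placeholder, not a real portal link
| extend RemediationUrl = coalesce(RecommendationLink, "PLACEHOLDER_PORTAL_URL")
| sort by PassedPercentage asc, ComplianceDomain asc
| project ComplianceDomain, TotalControls, PassedControls, FailedControls,
          PassedPercentage, RemediationUrl
```

RemediationUrl is the column a URL entity mapping would reference; ComplianceDomain, TotalControls, PassedControls and FailedControls match the custom fields listed under Incident Enrichment.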
Incident Enrichment
New alertDetailsOverride and customDetails provide immediate context:
- Alert Title: “Azure Security Benchmark posture below threshold for {ComplianceDomain}”
- Custom Fields: ComplianceDomain, TotalControls, PassedControls, FailedControls
- Entity Mapping: Direct portal remediation link
MITRE Mapping
- T1082: System Information Discovery (compliance posture reconnaissance)
Operational Impact
The enhanced logic provides better reliability for compliance monitoring and reduces triage time with enriched incident details. Rule version bumped from 1.0.1 to 1.0.2, reflecting the logic improvements.
Affected Files
Solutions/AzureSecurityBenchmark/Analytic Rules/AzureSecurityBenchmarkPostureChanged.yaml
Solutions/AzureSecurityBenchmark/Workbooks/AzureSecurityBenchmark.json
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.5.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json)