{"id":19772,"date":"2020-05-28T07:00:11","date_gmt":"2020-05-28T14:00:11","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/azuregov\/?p=19772"},"modified":"2020-06-01T10:20:51","modified_gmt":"2020-06-01T17:20:51","slug":"cmmc-with-microsoft-azure-system-information-integrity-10-of-10","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/azuregov\/cmmc-with-microsoft-azure-system-information-integrity-10-of-10\/","title":{"rendered":"CMMC with Microsoft Azure: System &#038; Information Integrity (10 of 10)"},"content":{"rendered":"<p><em>This is the last in a ten-part blog series where we\u2019ll demonstrate principles of the Cybersecurity Maturity Model Certification aligned with Microsoft Azure. In previous blogs in the series we\u2019ve explored access control, audit &amp; accountability maturity, asset &amp; configuration management, identification &amp; authentication, incident response, maintenance &amp; media protection, recovery &amp; risk management, security assessment &amp; risk management and system &amp; communications protection. In this last blog of the series we will explore how to leverage Microsoft Azure for system &amp; information integrity.<\/em><\/p>\n<p><em>Please note that the information cutoff date for this post is October 2020, and that as of the date of this writing, CMMC developments and guidance are in progress. Additionally, as of the date of this writing, the CMMC Accreditation Body has not certified any third-party assessors and guidance on the formal assessment process is still under development.\u00a0 As a result, the information herein, including our CMMC related offerings, may be enhanced in the future to align with future guidance from the DoD and CMMC Accreditation Body. 
Microsoft is closely tracking developments related to the CMMC.<\/em><\/p>\n<p><strong>Stay tuned for the upcoming CMMC blogs in the series:<\/strong><\/p>\n<ol>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/cmmc-with-microsoft-azure-access-control-1-of-10\">Access Control Maturity<\/a>\u00a0\u2013 live<\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/cmmc-with-microsoft-azure-audit-accountability-management-2-of-10\">Audit &amp; Accountability Maturity<\/a>\u00a0\u2013 live<\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/cmmc-with-microsoft-azure-asset-configuration-management-3-of-10\/\">Asset &amp; Configuration Management Maturity<\/a>\u00a0\u2013 live<\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/cmmc-with-microsoft-azure-identification-authentication-maturity-4-of-10\">Identification &amp; Authentication Maturity<\/a>\u00a0\u2013 live<\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/cmmc-with-microsoft-azure-incident-response-maturity-5-of-10\">Incident Response Maturity<\/a>\u00a0\u2013 live<\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/cmmc-with-microsoft-azure-maintenance-media-protection-6-of-10\">Maintenance &amp; Media Protection Maturity<\/a>\u00a0\u2013 live<\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/cmmc-with-microsoft-azure-recovery-risk-management-7-of-10\/\">Recovery &amp; Risk Management Maturity<\/a> &#8211; live<\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/cmmc-with-microsoft-azure-security-assessment-situational-awareness-8-of-10\/\">Security Assessment &amp; Situational Awareness Maturity<\/a> &#8211; live<\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/cmmc-with-microsoft-azure-system-communications-protection-9-of-10\">System &amp; Communications Protection Maturity<\/a> \u2013 live<\/li>\n<li><a 
href=\"https:\/\/devblogs.microsoft.com\/azuregov\/cmmc-with-microsoft-azure-system-information-integrity-10-of-10\">System &amp; Information Integrity Maturity<\/a> &#8211; this blog<\/li>\n<\/ol>\n<h5><strong>What is Cybersecurity Maturity Model Certification (CMMC)?<\/strong><\/h5>\n<p><img decoding=\"async\" class=\"wp-image-19755 alignright\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series9-WhatIsCMMC.png\" alt=\"Image CMMC Series9 WhatIsCMMC\" width=\"450\" height=\"289\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series9-WhatIsCMMC.png 759w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series9-WhatIsCMMC-300x192.png 300w\" sizes=\"(max-width: 450px) 100vw, 450px\" \/><\/p>\n<p>The Defense Industrial Base (DIB) is charged with implementing <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/offering-dfars?view=o365-worldwide\">Defense Federal Acquisition Regulation Supplement (DFARS)<\/a> 252.204-7012. DFARS requires organizations supporting the Department of Defense (DoD) to implement <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/offering-nist-sp-800-171?view=o365-worldwide\">NIST SP 800-171<\/a> and <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/offering-fedramp?view=o365-worldwide\">FedRAMP<\/a> Moderate Impact level controls. DoD has mandated CMMC with periodic assessments in order to strengthen cybersecurity across the DIB. CMMC builds upon DFARS 7012 by verifying an organization\u2019s readiness to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) such as International Traffic in Arms Regulation (ITAR) and Export Administration Regulations (EAR) export-controlled data.<\/p>\n<p>CMMC extends beyond the parent organization into sub-contractors, partners, and suppliers. 
The framework is intended to enforce critical thinking approaches for comprehensive security. The CMMC framework specifies 5 levels of maturity measurement from Maturity Level 1 (Basic Cyber Hygiene) to Maturity Level 5 (Proactive &amp; Advanced Cyber Practice). The Certification levels will be determined through audits from independent, third-party assessment organizations (C3PAO).<\/p>\n<h5><strong>What preparation is required for CMMC alignment to system &amp; information integrity management?<\/strong><\/h5>\n<p><img decoding=\"async\" class=\"wp-image-19756 alignleft\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series9-Preparation.png\" alt=\"Image CMMC Series9 Preparation\" width=\"243\" height=\"251\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series9-Preparation.png 440w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series9-Preparation-290x300.png 290w\" sizes=\"(max-width: 243px) 100vw, 243px\" \/><\/p>\n<p>It\u2019s important to understand that compliance is a shared responsibility between the customer and the Cloud Services Provider (CSP). The graphic on the left demonstrates the CSP responsibility in respective cloud models (On-Prem, IaaS, PaaS, SaaS) with dark blue aligning with customer responsibility and light blue aligning with CSP responsibility. For example, CMMC requirements such as Physical Protection (PE) for limiting physical access (C028) are managed by the CSP. Establishment of respective policies and procedures is the customer\u2019s responsibility. It\u2019s important to note that this blog series is aligned with setting the foundation of controls for CMMC Maturity Levels 1 &amp; 2. 
Once C3PAOs are identified by the CMMC Accreditation Body, customers are advised to work with their respective C3PAO for guidance on comprehensive alignment of controls, audit and certification.<\/p>\n<p>The administrative controls for the CMMC System &amp; Information Integrity Maturity (SI-MC) are listed below. These controls fall within the customer\u2019s responsibility. This starts with establishing policies to include system &amp; information integrity (ML2) and progresses to a documented approach across all applicable organizational units (ML5). These controls should be formally created, documented in the System Security Plan (SSP) and implemented within the organization.<\/p>\n<p><strong><img decoding=\"async\" class=\"alignnone wp-image-19806\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-Preparation.png\" alt=\"Image CMMC Series10 Preparation\" width=\"600\" height=\"340\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-Preparation.png 678w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-Preparation-300x170.png 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/strong><\/p>\n<h5><strong>Azure Security Controls Aligned to CMMC: System &amp; Information Integrity<\/strong><\/h5>\n<p><strong><img decoding=\"async\" class=\"alignnone wp-image-19807\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-BigTable.png\" alt=\"Image CMMC Series10 BigTable\" width=\"800\" height=\"1167\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-BigTable.png 4733w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-BigTable-206x300.png 206w, 
https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-BigTable-702x1024.png 702w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-BigTable-768x1121.png 768w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-BigTable-1052x1536.png 1052w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\u00a0<\/strong><\/p>\n<h5><strong>Azure Security Controls Aligned to CMMC: System &amp; Information Integrity<\/strong><\/h5>\n<p>Microsoft Azure Government has developed a 10-step process to facilitate system &amp; information integrity with the security principles within CMMC, NIST SP 800-53 R4 and NIST SP 800-171 standards. Note this process is a starting point, as CMMC requires alignment of people, processes, policy and technology so refer to organizational requirements and respective standards for implementation. Azure has several offerings to facilitate system &amp; information integrity including <a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/ddos-protection\/\">Azure DDoS Protection<\/a>, <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/governance\/policy\/overview\">Azure Policy<\/a>, <a href=\"https:\/\/azure.microsoft.com\/en-us\/features\/azure-advanced-threat-protection\/\">Azure Advanced Threat Protection<\/a>, <a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/security-center\/\">Azure Security Center<\/a> and <a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/azure-sentinel\/\">Azure Sentinel<\/a>.<\/p>\n<ul>\n<li><strong>Azure DDoS Protection <\/strong>Cover all resources on a virtual network when you enable Azure DDoS Protection via simplified configuration. 
Always-on traffic monitoring provides near real-time detection of a DDoS attack, with no intervention required.<\/li>\n<li><strong>Azure Policy <\/strong>helps you manage and prevent IT issues with policy definitions that enforce rules and effects for your resources.<\/li>\n<li><strong>Azure Advanced Threat Protection <\/strong>is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.<\/li>\n<li><strong>Azure Security Center<\/strong> is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud &#8211; whether they&#8217;re in Azure or not &#8211; as well as on premises.<\/li>\n<li><strong>Azure Sentinel <\/strong>is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.<\/li>\n<\/ul>\n<h5><strong>10 Steps to CMMC for <\/strong><strong>System &amp; Information Integrity<\/strong><strong> with Microsoft Azure<\/strong><\/h5>\n<p><img decoding=\"async\" class=\"alignnone wp-image-19794\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-10steps.png\" alt=\"Image CMMC Series10 10steps\" width=\"700\" height=\"395\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-10steps.png 1264w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-10steps-300x169.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-10steps-1024x578.png 1024w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-10steps-768x433.png 768w\" 
sizes=\"(max-width: 700px) 100vw, 700px\" \/><\/p>\n<p><strong>1) Remediate Vulnerabilities<\/strong><\/p>\n<p>Risk assessment highlights respective vulnerabilities. The severity of risk and its assessed impact on your organization set a priority list for remediation. Azure Security Center Secure Score highlights vulnerabilities and rank-orders them by severity to facilitate remediation. Each recommendation includes detailed remediation steps and respective documentation. Remediating vulnerabilities at scale can be a challenge. What if 1,000 of your virtual machines require a port closed on their host-based firewalls?<\/p>\n<p>In order to simplify remediation of security misconfigurations and to be able to quickly improve your secure score, we are introducing a new capability that allows you to remediate a recommendation on a bulk of resources in a single click. This operation will allow you to select the resources you want to apply the remediation to and launch a remediation action that will configure the setting on your behalf. Single click remediation is available today for preview customers as part of the Security Center recommendations blade. 
You can look for the 1-click fix label next to the recommendation and click on the recommendation:<\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-19795\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-RemediateVulnerablilities1.png\" alt=\"Image CMMC Series10 RemediateVulnerablilities1\" width=\"800\" height=\"504\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-RemediateVulnerablilities1.png 1248w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-RemediateVulnerablilities1-300x189.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-RemediateVulnerablilities1-1024x645.png 1024w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-RemediateVulnerablilities1-768x484.png 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/p>\n<p>Single click remediation is part of the Azure Security Center free tier. Single-click remediations include policies to fix common vulnerabilities listed below. 
For more information, see <a href=\"https:\/\/azure.microsoft.com\/en-gb\/blog\/azure-security-center-single-click-remediation-and-azure-firewall-jit-support\/\">Azure Security Center single click remediation<\/a>.<\/p>\n<ul>\n<li><em>Web Apps, Function Apps, and API Apps should only be accessible over HTTPS<\/em><\/li>\n<li><em>Remote debugging should be turned off for Function Apps, Web Apps, and API Apps<\/em><\/li>\n<li><em>CORS should not allow every resource to access your Function Apps, Web Apps, or API Apps<\/em><\/li>\n<li><em>Secure transfer to storage accounts should be enabled<\/em><\/li>\n<li><em>Transparent data encryption for Azure SQL Database should be enabled<\/em><\/li>\n<li><em>Monitoring agent should be installed on your virtual machines<\/em><\/li>\n<li><em>Diagnostic logs in Azure Key Vault and Azure Service Bus should be enabled<\/em><\/li>\n<li><em>Diagnostic logs in Service Bus should be enabled<\/em><\/li>\n<li><em>Vulnerability assessment should be enabled on your SQL servers<\/em><\/li>\n<li><em>Advanced data security should be enabled on your SQL servers<\/em><\/li>\n<li><em>Vulnerability assessment should be enabled on your SQL managed instances<\/em><\/li>\n<li><em>Advanced data security should be enabled on your SQL managed instances<\/em><\/li>\n<\/ul>\n<p><strong>2) Monitor System Security Alerts<\/strong><\/p>\n<p>Monitoring security alerts is a key function for security operations teams. The security information event management (SIEM) platform is the capability of choice for responders. We\u2019ve covered deployment and various functions of Azure Sentinel in previous blogs in this series. Create custom analytic rules to detect threats via the steps below. 
For more information, see <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/sentinel\/tutorial-detect-threats-custom\">Tutorial: Create custom analytic rules to detect suspicious threats<\/a>.<\/p>\n<ol>\n<li>In the Azure portal under Azure Sentinel, select <strong>Analytics<\/strong>.<\/li>\n<li>In the top menu bar, select <strong>+Create<\/strong> and select <strong>Scheduled query rule<\/strong>. This opens the <strong>Analytics rule wizard<\/strong>.<\/li>\n<li>In the <strong>General<\/strong> tab, provide a unique <strong>Name<\/strong> and <strong>Description<\/strong>. In the Tactics field, you can choose from among categories of attacks by which to classify the rule. Set the alert <strong>Severity,<\/strong> as necessary.\n<img decoding=\"async\" class=\"alignnone wp-image-19796\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-MonitorSystemSecurityAlerts1.png\" alt=\"Image CMMC Series10 MonitorSystemSecurityAlerts1\" width=\"500\" height=\"461\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-MonitorSystemSecurityAlerts1.png 861w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-MonitorSystemSecurityAlerts1-300x277.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-MonitorSystemSecurityAlerts1-768x708.png 768w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/li>\n<li>In the <strong>Set rule logic<\/strong> tab, you can either write a query directly in the <strong>Rule query<\/strong> field, or create the query in Log Analytics, and then copy and paste it there.\n<ul style=\"list-style-type: disc;\">\n<li>Evaluate <strong>Results preview<\/strong>, <strong>Alert threshold, Map entities<\/strong>, and<strong> Query Scheduling<\/strong> for quick tuning to your requirements.\n<img decoding=\"async\" class=\"alignnone 
wp-image-19797\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-MonitorSystemSecurityAlerts2.png\" alt=\"Image CMMC Series10 MonitorSystemSecurityAlerts2\" width=\"500\" height=\"270\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-MonitorSystemSecurityAlerts2.png 876w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-MonitorSystemSecurityAlerts2-300x162.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-MonitorSystemSecurityAlerts2-768x415.png 768w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/li>\n<\/ul>\n<\/li>\n<li>In the <strong>Incident Settings<\/strong> tab, you can choose whether and how Azure Sentinel turns alerts into actionable incidents.<\/li>\n<li>In the <strong>Automated responses<\/strong> tab, select any playbooks you want to run automatically when an alert is generated by the custom rule.<\/li>\n<li>Select <strong>Review and create<\/strong> to review all the settings for your new alert rule and then select <strong>Create to initialize your alert rule<\/strong>.<\/li>\n<li>After the alert is created, a custom rule is added to the table under <strong>Active rules<\/strong>. From this list you can enable, disable, or delete each rule.<\/li>\n<li>To view the results of the alert rules you create, go to the Incidents page, where you can triage, investigate incidents, and remediate the threats.<\/li>\n<\/ol>\n<p><strong>3) Leverage Threat Intelligence<\/strong><\/p>\n<p>Azure Sentinel lets you import the threat indicators your organization is using, which can enhance your security analysts&#8217; ability to detect and prioritize known threats. 
Several features from Azure Sentinel then become available or are enhanced:<\/p>\n<ul>\n<li><strong>Analytics<\/strong> includes a set of scheduled rule templates you can enable to generate alerts and incidents based on matches of log events from your threat indicators.<\/li>\n<li><strong>Workbooks<\/strong> provide summarized information about the threat indicators imported into Azure Sentinel and any alerts generated from analytics rules that match your threat indicators.<\/li>\n<li><strong>Hunting queries<\/strong> allow security investigators to use threat indicators within the context of common hunting scenarios.<\/li>\n<li><strong>Notebooks<\/strong> can use threat indicators when you investigate anomalies and hunt for malicious behaviors.<\/li>\n<\/ul>\n<p>You can stream threat indicators to Azure Sentinel by using one of the integrated threat intelligence platform (TIP) products listed in the next section, connecting to TAXII servers, or by using direct integration with the Microsoft Graph Security tiIndicators API:<\/p>\n<ul>\n<li>MISP Open Source Threat Intelligence Platform<\/li>\n<li>Palo Alto Networks MineMeld<\/li>\n<li>ThreatConnect Platform<\/li>\n<\/ul>\n<p>Connect Azure Sentinel to your threat intelligence platform via the following steps. For more information, see <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/sentinel\/connect-threat-intelligence\">Connect data from threat intelligence providers<\/a>.<\/p>\n<ol>\n<li>Register an application in Azure Active Directory to get an application ID, application secret, and Azure Active Directory tenant ID. 
You need these values for when you configure your integrated TIP product or app that uses direct integration with Microsoft Graph Security tiIndicators API.<\/li>\n<li>Configure API permissions for the registered application: Add the Microsoft Graph Application permission <strong>ThreatIndicators.ReadWrite.OwnedBy<\/strong> to your registered application.<\/li>\n<li>Ask your Azure Active Directory tenant administrator to grant admin consent to the registered application for your organization. From the Azure portal: <strong>Azure Active Directory &gt; App registrations &gt; &lt;app name&gt; &gt; View API Permissions &gt; Grant admin consent for &lt;<em>tenant name<\/em>&gt;<\/strong>.<\/li>\n<li>Configure your TIP product or app that uses direct integration with Microsoft Graph Security tiIndicators API to send indicators to Azure Sentinel by specifying the following:\n<ul style=\"list-style-type: disc;\">\n<li>The values for the registered application&#8217;s ID, secret, and tenant ID.<\/li>\n<li>For the target product, specify Azure Sentinel.<\/li>\n<li>For the action, specify alert.<\/li>\n<\/ul>\n<\/li>\n<li>In the Azure portal, navigate to <strong>Azure Sentinel &gt; Data connectors<\/strong> and then select the <strong>Threat Intelligence Platforms (Preview)<\/strong> connector.\n<img decoding=\"async\" class=\"alignnone wp-image-19798\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-MonitorSystemSecurityAlerts3.png\" alt=\"Image CMMC Series10 MonitorSystemSecurityAlerts3\" width=\"700\" height=\"342\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-MonitorSystemSecurityAlerts3.png 1593w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-MonitorSystemSecurityAlerts3-300x147.png 300w, 
https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-MonitorSystemSecurityAlerts3-1024x500.png 1024w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-MonitorSystemSecurityAlerts3-768x375.png 768w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-MonitorSystemSecurityAlerts3-1536x750.png 1536w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><\/li>\n<li>Select <strong>Open connector page<\/strong>, and then <strong>Connect<\/strong>.<\/li>\n<li>To view the threat indicators imported into Azure Sentinel, navigate to <strong>Azure Sentinel &#8211; Logs &gt; SecurityInsights<\/strong> and then expand <strong>ThreatIntelligenceIndicator<\/strong>.<\/li>\n<\/ol>\n<p><strong>4) Implement Malicious Code Protections<\/strong><\/p>\n<p>Applying malicious code protections requires endpoint detection and response platforms. Azure Security Center monitors the status of antimalware protection and reports this under the Endpoint protection issues page. Security Center highlights issues, such as detected threats and insufficient protection, which can make your virtual machines (VMs) and computers vulnerable to malware threats. 
By using the information under Endpoint protection issues, you can identify a plan to address any issues identified:<\/p>\n<ul>\n<li><strong>Endpoint protection not installed on Azure VMs<\/strong>: A supported antimalware solution is not installed on these Azure VMs.<\/li>\n<li><strong>Endpoint protection not installed on non-Azure computers<\/strong>: A supported antimalware is not installed on these non-Azure computers.<\/li>\n<li><strong>Endpoint protection health<\/strong>:\n<ul>\n<li><em>Signature out of date<\/em>: An antimalware solution is installed on these VMs and computers, but the solution does not have the latest antimalware signatures.<\/li>\n<li><em>No real time protection<\/em>: An antimalware solution is installed on these VMs and computers, but it is not configured for real-time protection. The service may be disabled, or Security Center may be unable to obtain the status because the solution is not supported. See partner integration for a list of supported solutions.<\/li>\n<li><em>Not reporting<\/em>: An antimalware solution is installed but not reporting data.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Leverage Azure Security Center to detect gaps and install antimalware via the steps below. For more information, see <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/security-center\/security-center-install-endpoint-protection\">Manage endpoint protection issues with Azure Security Center<\/a>.<\/p>\n<ol>\n<li>Select <strong>Compute &amp; apps<\/strong> under the Security Center main menu or <strong>Overview<\/strong>.<\/li>\n<li>Under <strong>Compute<\/strong>, select <strong>Endpoint protection issues<\/strong>.<\/li>\n<li>Select <strong>Endpoint protection not installed on Azure VMs<\/strong>.<\/li>\n<li>Under <strong>Endpoint protection not installed on Azure VMs<\/strong> is a list of Azure VMs that do not have antimalware installed. 
You can choose to install antimalware on all VMs in the list or select individual VMs to install antimalware on by clicking on the specific VM.<\/li>\n<li>Under <strong>Select Endpoint protection<\/strong>, select the endpoint protection solution you want to use. In this example, select <strong>Microsoft Antimalware<\/strong>.\n<img decoding=\"async\" class=\"alignnone wp-image-19799\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-ImplementMaliciousCodeProtections.png\" alt=\"Image CMMC Series10 ImplementMaliciousCodeProtections\" width=\"500\" height=\"566\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-ImplementMaliciousCodeProtections.png 692w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-ImplementMaliciousCodeProtections-265x300.png 265w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/li>\n<li>Select <strong>Create<\/strong>.<\/li>\n<\/ol>\n<p><strong>5) Update Malicious Code Signatures<\/strong><\/p>\n<p>Microsoft Antimalware for Azure is a free real-time protection that helps identify and remove viruses, spyware, and other malicious software. 
It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems.<\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-19800\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-UpdateMaliciousCodeSignatures.png\" alt=\"Image CMMC Series10 UpdateMaliciousCodeSignatures\" width=\"600\" height=\"490\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-UpdateMaliciousCodeSignatures.png 985w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-UpdateMaliciousCodeSignatures-300x245.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-UpdateMaliciousCodeSignatures-768x627.png 768w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>The solution is built on the same antimalware platform as Microsoft Security Essentials [MSE], Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Windows Intune, and Windows Defender. Microsoft Antimalware for Azure is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention. Protection may be deployed based on the needs of application workloads, with either basic secure-by-default or advanced custom configuration, including antimalware monitoring. Microsoft Antimalware automatically updates malicious code signatures and includes the features below. 
For more information, see <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/security\/fundamentals\/antimalware\">Microsoft Antimalware for Azure Cloud Services and Virtual Machines<\/a>.<\/p>\n<ul>\n<li><strong>Real-time protection<\/strong>: monitors activity in Cloud Services and on Virtual Machines to detect and block malware execution.<\/li>\n<li><strong>Scheduled scanning<\/strong>: scans periodically to detect malware, including actively running programs.<\/li>\n<li><strong>Malware remediation<\/strong>: automatically acts on detected malware, such as deleting or quarantining malicious files and cleaning up malicious registry entries.<\/li>\n<li><strong>Signature updates<\/strong>: automatically installs the latest protection signatures (virus definitions) to ensure protection is up to date on a pre-determined frequency.<\/li>\n<li><strong>Antimalware Engine updates<\/strong>: automatically updates the Microsoft Antimalware engine.<\/li>\n<li><strong>Antimalware Platform updates<\/strong>: automatically updates the Microsoft Antimalware platform.<\/li>\n<li><strong>Active protection<\/strong>: reports telemetry metadata about detected threats and suspicious resources to Microsoft Azure to ensure rapid response to the evolving threat landscape, as well as enabling real-time synchronous signature delivery through the Microsoft Active Protection System (MAPS).<\/li>\n<li><strong>Samples reporting<\/strong>: provides and reports samples to the Microsoft Antimalware service to help refine the service and enable troubleshooting.<\/li>\n<li><strong>Exclusions<\/strong>: allows application and service administrators to configure exclusions for files, processes, and drives.<\/li>\n<li><strong>Antimalware event collection<\/strong>: records the antimalware service health, suspicious activities, and remediation actions taken in the operating system event log and collects them into the customer\u2019s Azure Storage account.<\/li>\n<\/ul>\n<p><strong>6) Perform Periodic 
Scans<\/strong><\/p>\n<p>Conducting periodic scanning requires full visibility of assets within your environment. Specifically, the policies assigned audit and enforce deployment of the Log Analytics agent and enhanced security settings for SQL databases, storage accounts and network resources.<\/p>\n<ul>\n<li><em>[Preview]: Audit Log Analytics Agent Deployment &#8211; VM Image (OS) unlisted<\/em><\/li>\n<li><em>[Preview]: Audit Log Analytics Agent Deployment in VMSS &#8211; VM Image (OS) unlisted<\/em><\/li>\n<li><em>[Preview]: Audit Log Analytics Workspace for VM &#8211; Report Mismatch<\/em><\/li>\n<li><em>[Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)<\/em><\/li>\n<li><em>[Preview]: Deploy Log Analytics Agent for Linux VMs<\/em><\/li>\n<li><em>[Preview]: Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)<\/em><\/li>\n<li><em>[Preview]: Deploy Log Analytics Agent for Windows VMs<\/em><\/li>\n<li><em>Advanced data security should be enabled on your managed instances<\/em><\/li>\n<li><em>Advanced data security should be enabled on your SQL servers<\/em><\/li>\n<li><em>Deploy Advanced Data Security on SQL servers<\/em><\/li>\n<li><em>Deploy Advanced Threat Protection on Storage Accounts<\/em><\/li>\n<li><em>Deploy Auditing on SQL servers<\/em><\/li>\n<li><em>Deploy network watcher when virtual networks are created<\/em><\/li>\n<li><em>Deploy Threat Detection on SQL servers<\/em><\/li>\n<\/ul>\n<p>These capabilities can help you detect anomalous behavior and indicators of attacks so you can take appropriate action. Azure Policy is highly versatile and can be created with the Azure portal, Azure CLI, PowerShell and Azure Resource Manager (ARM) templates. Apply an Azure Policy for monitoring in the portal via the steps below. 
For more information, see <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/governance\/policy\/assign-policy-portal\">Quickstart: Create a policy assignment to identify non-compliant resources<\/a>.<\/p>\n<ol>\n<li>In the <strong>Policy<\/strong> portal, select <strong>Assignments<\/strong><\/li>\n<li>Select <strong>Assign Policy <\/strong>from the top of the Policy &#8211; Assignments page.\n<img decoding=\"async\" class=\"alignnone wp-image-19801\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-PolicyAssignments.png\" alt=\"Image CMMC Series10 PolicyAssignments\" width=\"600\" height=\"393\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-PolicyAssignments.png 760w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-PolicyAssignments-300x197.png 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/li>\n<li>On the <strong>Assign Policy<\/strong> page, select the <strong>Scope<\/strong> by clicking the ellipsis and selecting either a management group or subscription.<\/li>\n<li>Select the <strong>Policy definition<\/strong> ellipsis, search for the desired policy definition and click <strong>Select<\/strong>.<\/li>\n<li>Set an <strong>Assignment name<\/strong>, <strong>Description, <\/strong>and set<strong> Policy Enforcement <\/strong>to<strong> Enabled<\/strong>.<\/li>\n<li>Click <strong>Assign<\/strong>.<\/li>\n<\/ol>\n<p><strong>7) Detect &amp; Mitigate Malicious Actions<\/strong><\/p>\n<p>Azure Advanced Threat Protection (ATP) alert evidence provides clear indications when computers have been involved in suspicious activities or when indications exist that a machine is compromised. Azure ATP suggestions help determine the risk to your organization, decide how to remediate and determine the best way to prevent similar attacks in the future. 
To access the computer profile page, click on the specific computer mentioned in the alert that you wish to investigate. To assist your investigation, alert evidence lists all computers (and users) connected to each suspicious activity. Check and investigate the computer profile in Azure ATP for the following details and activities. For more information, see <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure-advanced-threat-protection\/investigate-a-computer\">Tutorial: Investigate a computer<\/a>.<\/p>\n<ul>\n<li>What happened around the time of the suspicious activity?\n<ol>\n<li>Which user was logged in to the computer?<\/li>\n<li>Does that user normally log into or access the source or destination computer?<\/li>\n<li>Which resources were accessed? By which users?\n<ul>\n<li>If resources were accessed, were they high value resources?<\/li>\n<\/ul>\n<\/li>\n<li>Was the user supposed to access those resources?<\/li>\n<li>Did the user that accessed the computer perform other suspicious activities?<\/li>\n<\/ol>\n<\/li>\n<li>Additional suspicious activities to investigate:\n<ol>\n<li>Were other alerts opened around the same time as this alert in Azure ATP, or in other security tools such as Windows Defender ATP, Azure Security Center and\/or Microsoft CAS?<\/li>\n<li>Were there failed logons?<\/li>\n<\/ol>\n<\/li>\n<li>If Windows Defender ATP integration is enabled, click the Windows Defender ATP badge to further investigate the computer. In Windows Defender ATP you can see which processes and alerts occurred around the same time as the alert.\n<ol>\n<li>Were any new programs deployed or installed?<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<p><strong>8) Detect Network Attacks<\/strong><\/p>\n<p>There are numerous types of network attacks and we\u2019ve covered several methods of detecting network attacks in this blog series. One of the more dangerous types of network attacks is a Distributed Denial of Service (DDoS). 
DDoS attacks attempt to exhaust an application&#8217;s resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Azure DDoS protection, combined with application design best practices, provides defense against DDoS attacks. Azure DDoS protection provides the following service tiers:<\/p>\n<ul>\n<li><strong>Basic<\/strong>: Automatically enabled as part of the Azure platform. Always-on traffic monitoring, and real-time mitigation of common network-level attacks, provide the same defenses utilized by Microsoft&#8217;s online services.<\/li>\n<li><strong>Standard<\/strong>: DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses associated with resources deployed in virtual networks, such as Azure Load Balancer, Azure Application Gateway, and Azure Service Fabric instances while featuring comprehensive logging. Enable Azure DDoS Standard for an existing virtual network via the steps below. For more information, see <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-network\/manage-ddos-protection\">Manage Azure DDoS Protection Standard using the Azure portal<\/a>.<\/li>\n<\/ul>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>Enter Virtual Network in the <strong>Search resources, services, and docs box<\/strong> at the top of the portal.<\/li>\n<li>Select the name of the virtual network that you want to enable DDoS Protection Standard for. 
When the name of the virtual network appears in the search results, select it.<\/li>\n<li>Select <strong>DDoS protection<\/strong>, under <strong>Settings<\/strong>.\n<img decoding=\"async\" class=\"alignnone wp-image-19802\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-DetectNetworkAttacks.png\" alt=\"Image CMMC Series10 DetectNetworkAttacks\" width=\"700\" height=\"451\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-DetectNetworkAttacks.png 1266w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-DetectNetworkAttacks-300x193.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-DetectNetworkAttacks-1024x660.png 1024w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-DetectNetworkAttacks-768x495.png 768w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><\/li>\n<li>Select <strong>Standard<\/strong>. Under <strong>DDoS protection plan<\/strong>, select an existing DDoS protection plan, or create a new DDoS protection plan and then select <strong>Save<\/strong>.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p><strong>9) Identify Unauthorized Access<\/strong><\/p>\n<p>Controlling system access creates a baseline of user access. Monitoring for changes against this baseline pattern can indicate unauthorized access. Azure Security Center Just-in-time (JIT) virtual machine access locks down inbound traffic to Azure virtual machines, reducing exposure to attacks while providing easy access to connect to VMs when needed. 
All JIT requests to access virtual machines are logged in the Activity Log allowing you to monitor for atypical usage.<\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-19803\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-IdentifyUnauthorizedAccess.png\" alt=\"Image CMMC Series10 IdentifyUnauthorizedAccess\" width=\"799\" height=\"208\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-IdentifyUnauthorizedAccess.png 991w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-IdentifyUnauthorizedAccess-300x78.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-IdentifyUnauthorizedAccess-768x200.png 768w\" sizes=\"(max-width: 799px) 100vw, 799px\" \/><\/p>\n<p>When just-in-time is enabled, Security Center locks down inbound traffic to your Azure VMs by creating an NSG rule. You select the ports on the VM to which inbound traffic will be locked down. These ports are controlled by the just-in-time solution.<\/p>\n<p>When a user requests access to a VM, Security Center checks that the user has Role-Based Access Control (RBAC) permissions for that VM. If the request is approved, Security Center automatically configures the Network Security Groups (NSGs) and Azure Firewall to allow inbound traffic to the selected ports and requested source IP addresses or ranges, for the amount of time that was specified. After the time has expired, Security Center restores the NSGs to their previous states. Connections that are already established are not interrupted, however. Configure JIT via the steps below. 
For more information, see <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/security-center\/security-center-just-in-time\">Secure your management ports with just-in-time access<\/a>.<\/p>\n<ol>\n<li>Open the <strong>Security Center<\/strong> dashboard.<\/li>\n<li>In the left pane, select <strong>Just-in-time VM access<\/strong>.<\/li>\n<li>Select the <strong>Recommended tab<\/strong>.<\/li>\n<li>Select the VMs from your list which you wish to enable JIT access to.<\/li>\n<li>Click <strong>Enable JIT on VMs<\/strong>.<\/li>\n<li>Select one of the default ports or configure custom ports:\n<ul style=\"list-style-type: disc;\">\n<li><em>22: SSH<\/em><\/li>\n<li><em>3389: RDP<\/em><\/li>\n<li><em>5985: WinRM<\/em><\/li>\n<li><em>5986: WinRM<\/em><\/li>\n<\/ul>\n<\/li>\n<li>Configure <em>My IP<\/em> or specify a source <em>IP Range<\/em> and specify a <em>Time Range<\/em> in hours.\n<img decoding=\"async\" class=\"alignnone wp-image-19804\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-IdentifyUnauthorizedAccess2.png\" alt=\"Image CMMC Series10 IdentifyUnauthorizedAccess2\" width=\"699\" height=\"190\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-IdentifyUnauthorizedAccess2.png 1634w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-IdentifyUnauthorizedAccess2-300x82.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-IdentifyUnauthorizedAccess2-1024x278.png 1024w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-IdentifyUnauthorizedAccess2-768x209.png 768w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-IdentifyUnauthorizedAccess2-1536x417.png 1536w\" sizes=\"(max-width: 699px) 100vw, 699px\" \/><\/li>\n<li>Click <strong>Open 
ports<\/strong>.<\/li>\n<\/ol>\n<p><strong>10) Monitor Individuals<\/strong><\/p>\n<p>Azure Advanced Threat Protection (ATP) monitors and analyzes user activities and information across your network. Azure ATP identifies anomalies with adaptive built-in intelligence providing insights into suspicious activities and events. Azure ATP\u2019s proprietary sensors monitor organizational domain controllers, providing a comprehensive view for all user activities from every device. Azure ATP also enables SecOps analysts and security professionals struggling to detect advanced attacks in hybrid environments to:<\/p>\n<ul>\n<li>Protect user identities and credentials stored in Active Directory<\/li>\n<li>Identify and investigate suspicious user activities and advanced attacks throughout the kill chain<\/li>\n<li>Provide clear incident information on a simple timeline for fast triage<\/li>\n<\/ul>\n<p>Enabling Azure ATP requires the following high-level steps:<\/p>\n<ol>\n<li>Create your ATP instance<\/li>\n<li>Connect to Active Directory<\/li>\n<li>Download the Azure ATP sensor package<\/li>\n<li>Install the ATP sensor<\/li>\n<\/ol>\n<p>To get started with creating an Azure ATP instance follow the steps below. Note that GCC High customers must use the <a href=\"http:\/\/portal.atp.azure.us\/\">Azure ATP GCC High<\/a> portal. 
For more information, see <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure-advanced-threat-protection\/what-is-atp\">What is Azure Advanced Threat Protection?<\/a> and <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure-advanced-threat-protection\/install-atp-step1\">Quickstart: Create your Azure ATP instance<\/a>.<\/p>\n<ol>\n<li>Click <strong>Create instance<\/strong>.<\/li>\n<li>Your Azure ATP instance is automatically named with the Azure AD initial domain name and created in the data center located closest to your Azure AD.\n<img decoding=\"async\" class=\"alignnone wp-image-19805\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-CreateInstance.png\" alt=\"Image CMMC Series10 CreateInstance\" width=\"600\" height=\"267\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-CreateInstance.png 750w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/05\/CMMC-Series10-CreateInstance-300x134.png 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/li>\n<li>Click <strong>Configuration<\/strong>, <strong>Manage role groups<\/strong> and use the <a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/active-directory-assign-admin-roles-azure-portal\">Azure AD Admin Center<\/a> link to manage your role groups.<\/li>\n<li>Complete the process by following the deployment guide for Azure AD connection and the Azure ATP Sensor Download\/Installation.<\/li>\n<\/ol>\n<h5><strong>Learn more about CMMC with Microsoft <\/strong><\/h5>\n<p>Here are some of the best resources to learn more about CMMC in the cloud with Microsoft:<\/p>\n<ul>\n<li><a href=\"https:\/\/aka.ms\/CMMCResponse\">Accelerating CMMC compliance for Microsoft cloud (in depth review)<\/a><\/li>\n<li>\n<div><a href=\"https:\/\/www.youtube.com\/watch?v=sey4aWuqtvk\">CMMC-AB Standards with Regan Edens &#8211; National 
Conversation<\/a><\/div>\n<\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/offering-dfars?view=o365-worldwide\">Defense Federal Acquisition Regulation Supplement (DFARS)<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/offering-itar?view=o365-worldwide\">International Traffic in Arms Regulations (ITAR)<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/offering-fedramp?view=o365-worldwide\">Federal Risk and Authorization Management Program (FedRAMP)<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/offering-ear?view=o365-worldwide\">US Export Administration Regulations (EAR)<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/offering-nist-sp-800-171?view=o365-worldwide\">NIST SP 800-171 Compliance<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/governance\/blueprints\/samples\/nist-sp-800-53-rev4\/\">Overview of the NIST SP 800-53 R4 blueprint sample<\/a><\/li>\n<\/ul>\n<p>Bookmark the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Security blog<\/a> to keep up with our expert coverage on security matters and follow us at <a href=\"https:\/\/twitter.com\/@MSFTSecurity\">@MSFTSecurity<\/a> or visit our <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\">website<\/a> for the latest news and updates on cybersecurity.<\/p>\n<p>Are you a federal government agency that needs help with cybersecurity? 
Reach out to <a href=\"https:\/\/www.linkedin.com\/in\/tjbanasik\/\">TJ Banasik<\/a> or <a href=\"http:\/\/www.linkedin.com\/in\/marmci\">Mark McIntyre<\/a> for additional details on the content above, or if you have any other questions about Microsoft\u2019s cybersecurity investments for the federal government.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is the last in a ten-part blog series where we\u2019ll demonstrate principles of the Cybersecurity Maturity Model Certification aligned with Microsoft Azure. In previous blogs in the series we\u2019ve explored access control, audit &amp; accountability maturity, asset &amp; configuration management, identification &amp; authentication, incident response, maintenance &amp; media protection, recovery &amp; risk management, security [&hellip;]<\/p>\n","protected":false},"author":16830,"featured_media":19811,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[14],"tags":[95,3055,189,216,3043],"class_list":["post-19772","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learning","tag-azure-government","tag-cmmc","tag-compliance","tag-cybersecurity","tag-cybersecurity-maturity-model-certification-cmmc"],"acf":[],"blog_post_summary":"<p>This is the last in a ten-part blog series where we\u2019ll demonstrate principles of the Cybersecurity Maturity Model Certification aligned with Microsoft Azure. 
In previous blogs in the series we\u2019ve explored access control, audit &amp; accountability maturity, asset &amp; configuration management, identification &amp; authentication, incident response, maintenance &amp; media protection, recovery &amp; risk management, security [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/19772","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/users\/16830"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/comments?post=19772"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/19772\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media\/19811"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media?parent=19772"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/categories?post=19772"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/tags?post=19772"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}