Accelerating Zero Trust Alignment with Microsoft Sentinel
Published Sep 05 2023 12:18 AM

According to the Microsoft Digital Defense Report of 2022, the United States government network is the target of nearly half of global nation-state attacks. Over the last few years, the United States Department of Defense (DoD) has been adapting their approach to best defend against these attacks, which have been growing in volume, severity, and sophistication.


As part of this effort, the DoD established a Zero Trust Portfolio Management office in January 2022 and released a Zero Trust reference architecture. The latest update from November 2022 provides crucial details for implementing the Zero Trust strategy, including clear guidance on the 45 separate capabilities and 152 activities needed to adopt a consistent approach.


This strategy reflects a marked shift from a compliance and controls-based approach to an outcomes-focused methodology that recognizes that the adversary is already in the DoD’s networks and that perimeter defenses are no longer sufficient for achieving cyber resiliency. The goal of this strategy is to achieve enterprise-wide implementation by 2027.


To help the DoD achieve this ambitious goal, Microsoft is pleased to announce the DoD Zero Trust workbook!


Watch our demo here: DoD Zero Trust Workbook demo




Zero Trust changes the fundamental methodology of defending the DoD’s digital assets, focusing on three key principles:

  1. Verify explicitly
  2. Use least privileged access
  3. Assume breach

Microsoft has embraced Zero Trust internally and considers Zero Trust principles when shipping products. As a leading cloud service provider and security company, Microsoft supports thousands of organizations globally on their Zero Trust journeys. We applaud the DoD in their proactive journey toward a zero-trust posture and are committed to supporting the hardening of our nation’s cyber defenses.


Microsoft Sentinel is a scalable, cloud-native solution that provides security information and event management (SIEM) and security orchestration, automation, and response (SOAR). Grounded in AI, Sentinel delivers intelligent security analytics and threat intelligence. Microsoft Sentinel is your bird's-eye view across the enterprise - alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.


Workbooks are a key component of Sentinel. They are intended for SOC engineers and analysts of all tiers to visualize data. Leveraging the power of connectors, this workbook brings together Microsoft and third-party telemetry in a single pane of glass to assess, track, and improve posture relative to the DoD CIO guidance.


This workbook empowers defenders to build, evaluate, and improve security architectures aligned to the DoD strategy across the following user profiles:


  • Security Architect: Build/design a cloud security architecture to compliance requirements.
  • Managed Security Services Provider: Leverage the workbook for Zero Trust Assessments.
  • SecOps Analyst: Review activity in query, configure alerts, deploy SOAR automation.
  • IT Pro: Identify performance issues, investigate issues, set alerts for remediation monitoring.
  • Security Engineer: Assess security controls, review alerting thresholds, adjust configurations.
  • Security Manager: Review requirements, analyze reporting, evaluate capabilities, adjust accordingly.


Deploying the Workbook:

It is recommended that you have the log sources listed above to get the full benefit of the DoD Zero Trust Workbook, but the workbook will deploy regardless of your available log sources.


Follow the steps below to enable the workbook:

Requirements: Microsoft Sentinel Workspace and Security Reader rights

1) From the Azure portal, navigate to Microsoft Sentinel

2) Select Workbooks > Templates

3) Search DoD Zero Trust and select Save to add to My Workbooks



  1. What will this workbook do for my organization?

This workbook provides structure, guidance, and simplification of the DoD Zero Trust Strategy to make it easier to track, prioritize, and improve Zero Trust Target (and Advanced) level Capabilities/Activities that are required to be implemented by 2027.


  2. Does this workbook only pertain to Microsoft-specific capabilities?

No, the out-of-the-box content of this Sentinel workbook includes references to Microsoft-specific capabilities/solutions. However, the workbook has been designed to account for "Alternate Implementations" (non-Microsoft), which may also meet the Target (and Advanced)-level Zero Trust Capabilities and Activities. In addition, Microsoft Sentinel supports custom log formats and multiple third-party data connectors that can provide visibility for non-Microsoft solutions.


  3. How will this workbook help with deployment and maturity of the DoD Zero Trust Strategy Capabilities & Activities?

  • Provides Zero Trust roll-up of organizational maturity and situational awareness as it relates directly to the 2027 Zero Trust Target-level deadline.
  • Provides DoD Zero Trust Activity simplification and improved awareness, allowing responsible parties for each pillar(s) to report which capabilities are planned, implemented, or not applicable.
  • Provides guidance and recommendations to meet the 45 capabilities (and supporting 152 activities).
  • Provides a working (and evolving) organized method of orchestrating and managing/tracking efforts around the Zero Trust Capabilities and Activities covered in the DoD Zero Trust Strategy.


  4. Why are some of the visualizations not working in my workbook?

The visualizations within this workbook are simply examples and rely on specific logs to populate accordingly. We realize that not every organization leverages the same solution logs used to build/populate this workbook. In addition, we also realize that many customers leverage third-party solutions for their needs. Every implementation of this workbook is unique to the respective environment in which it is installed. It is intended to be a starting point and can be further customized to better meet the needs of each customer. Please contact your Account Representative if your team requires further assistance and/or customizations.

Visualizations can be used to show examples of the DoD Zero Trust Activities in use or of the configurations themselves. They can also be used to further develop automations related to improving cyber hygiene through deploying Zero Trust principles.


  5. Who should use this workbook?

This workbook is designed for both executives and individuals who are directly responsible for implementing the respective Capabilities/Activities due by 2027 outlined in the DoD Zero Trust Strategy.

This workbook derives language and terminology specific to the DoD Zero Trust Strategy. However, many non-DoD organizations can also leverage this guidance for their needs.


  6. Where does the Zero Trust Maturity (Percentage) score come from?

The Zero Trust Maturity score is calculated based on the interactive capabilities sections contained within each of the pillars. When updated, the drop-down boxes labeled “Implementation Status” directly contribute to the overall level of maturity reported under the “Zero Trust Essentials” → "DoD Zero Trust Assessment Tracker".


  7. How can I make recommendations to improve this workbook?

Please utilize the link in the opening screen labeled “Please take some time to take a quick survey”. Our team values these responses and takes them very seriously. Any feedback that you can provide is greatly appreciated.


  8. Can this workbook be customized?

Yes! This workbook has been created with additional customization in mind. Please contact your Account Representative if you would like to inquire about any additional assistance with customizing this workbook to suit your organizational goals related to DoD Zero Trust Strategy maturity.


  9. Do other customers outside the DoD utilize this workbook?

Yes, many customers outside the DoD have also gravitated toward the DoD Zero Trust Strategy because it follows an outcomes-focused methodology and includes specific "Capabilities and Activities" that apply to core Zero Trust principles.


  10. Who created this workbook?

This workbook was created by a collaboration of Microsoft teams and subject matter experts along with our pilot customers.


  11. Does this workbook cover all 152 “Activities” defined in the Strategy?

Yes, the recommendations, visualizations, and guidance, while centered around the 45 capabilities, will still apply to all 152 activities. This workbook aims to simplify the Target (and Advanced)-level Zero Trust Capabilities and Activities. Based on prior feedback, this workbook may be updated in the future to include further guidance, reporting, and relevant information.


The Microsoft Sentinel DoD Zero Trust Workbook demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All requirements, validations, and controls are governed by the Department of Defense. This workbook provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user, and some panels may require additional configurations and query modification for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective control requirements.


Last update: Sep 05 2023 12:19 AM