Azure Sentinel Cybersecurity Maturity Model Certification (CMMC) Workbook
Published Feb 02 2021 07:00 AM

The Azure Sentinel CMMC Workbook provides a mechanism for viewing log queries aligned to CMMC controls across the Azure cloud including Microsoft security offerings, Office 365, Teams, Intune, Windows Virtual Desktop and many more. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective CMMC requirements and practices. The workbook features 250+ control cards aligned to the 17 CMMC control families across all 5 maturity levels with selectable GUI buttons for navigation.




The workbook helps you gain better visibility into your cloud architecture from a security perspective while reinforcing CMMC principles for building cybersecurity critical thinking skills. The workbook consolidates multiple log sources from your Azure environment:

  • Azure Active Directory
  • Azure Active Directory Identity Protection
  • Azure Activity
  • Azure DDoS Protection
  • Azure Firewall
  • Azure Information Protection
  • Azure Security Center
  • Common Event Format
  • DNS
  • Intune
  • Microsoft 365 Defender
  • Microsoft Cloud App Security
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Office 365
  • Security Events
  • Syslog
  • Threat Intelligence Platforms
  • Windows Firewall
  • Teams
  • User Entity Behavior Analytics
  • Windows Virtual Desktop

What is Cybersecurity Maturity Model Certification (CMMC)?



The US Defense Industrial Base (DIB) is charged with implementing Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. DFARS requires organizations supporting the Department of Defense (DoD) to implement NIST SP 800-171 and FedRAMP Moderate Impact level controls. DoD has mandated CMMC with periodic assessments because historic self-attestation audits haven’t met the desired impact. CMMC builds upon DFARS 7012 by verifying an organization’s readiness to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) such as International Traffic in Arms Regulation (ITAR) and Export Administration Regulations (EAR) export-controlled data.


CMMC extends beyond the parent organization into sub-contractors, partners, and suppliers. The framework is intended to enforce critical thinking approaches for comprehensive security. The CMMC framework specifies 5 levels of maturity measurement from Maturity Level 1 (Basic Cyber Hygiene) to Maturity Level 5 (Proactive & Advanced Cyber Practice). The Certification levels will be determined through audits from independent, third-party assessment organizations (C3PAO). Even if your organization doesn’t require CMMC compliance, the framework provides a useful maturity model assessment framework for building/improving cybersecurity resiliency.  


Deploying the Workbook

It is recommended that you have the log sources listed above to get the full benefit of the CMMC Workbook, but the workbook will deploy regardless of your available log sources. Follow the steps below to enable the workbook:


Requirements: Azure Sentinel Workspace and Security Reader rights.

1) From the Azure portal, navigate to Azure Sentinel

2) Select Workbooks > Templates

3) Search CMMC and select Save to add to My Workbooks

Navigating the Workbook

The Legend Panel provides a helpful reference for navigating the workbook with respective colors, features, and reference indicators.





The Guide Toggle is available in the top left of the workbook. This toggle allows you to view panels such as architectural recommendations and guides which will be helpful when you first access the workbook but can be hidden once you’ve grasped respective concepts.


The Control Family Ribbon provides a mechanism for navigating to the desired control family. Selecting a control family will display Control Cards in the respective Control Family. The Maturity Level Ribbon drills down further to the desired control maturity level. You can view an index of controls in the workbook if you have the Guide Toggle enabled.




For example, if you’re interested in viewing Incident Response controls, you can view the Control Family Index to view which controls are covered in the workbook.




To drill down into a control of interest such as RM.4.149 (Update Threat Profiles/Adversary Tactics, Techniques, Procedures), select Risk & Recovery Management and Maturity Level 4 which populates all control cards available for that family in Maturity Level 4.




The Azure Sentinel CMMC Workbook displays each control in a Control Card. The Control Card provides respective control details to help you better understand the requirement, view your data, adjust SIEM queries, export artifacts, onboard Microsoft controls, navigate to respective configuration blades, access reference materials, and view correlated compliance frameworks.




Use Cases

There are several use cases for the Azure Sentinel CMMC Workbook depending on user roles and requirements. The graphic below shows how a cloud security architect can leverage the workbook to review requirements, reference documentation, make configurations, and export artifacts. There are also several additional use cases where this workbook will be helpful:

  • Security Architect: Build/design a cloud security architecture to compliance requirements.
  • SecOps Analyst: Review activity in query, configure alerts, deploy SOAR automation.
  • IT Pro: Identify performance issues, investigate issues, set alerts for remediation monitoring.
  • Security Engineer: Assess security controls, review alerting thresholds, adjust configurations.
  • Security Manager: Review requirements, analyze reporting, evaluate capabilities, adjust accordingly.




Configurations & Troubleshooting

It’s important to note that this workbook provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations and query modification for operation. It’s unlikely that all 250+ panels will populate data, but this is expected as panels without data highlight respective areas for evaluation in maturing cybersecurity capabilities. Control Cards without data will display the custom error message below. Most issues are resolved by confirming licensing/availability/health of the log source, confirming the log source is connected to the Sentinel workspace, and adjusting time thresholds for larger data sets. Ultimately this workbook is customer-controlled content, so panels are configurable per customer requirements. You can edit/adjust Control Card queries as follows:


  • CMMC Workbook > Edit > Edit Panel > Adjust Panel KQL Query > Save
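To confirm which log sources are connected and reporting before editing individual panels, a query like the following can be run in the Sentinel workspace's Logs blade. It is an added example, not part of the workbook; the table names are assumed mappings for the log sources listed on this page and should be adjusted to the connectors in your workspace.

```kusto
// Added example, not part of the workbook. Table names are assumed mappings
// for the log sources listed on this page; adjust them to your workspace.
let lookback = 7d;
let expected = datatable(Source:string, TableName:string) [
    "Azure Active Directory (sign-ins)", "SigninLogs",
    "Azure Active Directory (audit)",    "AuditLogs",
    "Azure Activity",                    "AzureActivity",
    "Azure Firewall / DDoS diagnostics", "AzureDiagnostics",
    "Security alerts (ASC, Defender)",   "SecurityAlert",
    "Common Event Format",               "CommonSecurityLog",
    "DNS",                               "DnsEvents",
    "Intune",                            "IntuneAuditLogs",
    "Office 365 / Teams",                "OfficeActivity",
    "Security Events",                   "SecurityEvent",
    "Syslog",                            "Syslog",
    "Threat Intelligence Platforms",     "ThreatIntelligenceIndicator",
    "Windows Firewall",                  "WindowsFirewall",
    "User Entity Behavior Analytics",    "BehaviorAnalytics",
    "Windows Virtual Desktop",           "WVDConnections"
];
// isfuzzy=true skips tables that do not exist in this workspace instead of failing.
let observed = union withsource=TableName isfuzzy=true
        SigninLogs, AuditLogs, AzureActivity, AzureDiagnostics, SecurityAlert,
        CommonSecurityLog, DnsEvents, IntuneAuditLogs, OfficeActivity,
        SecurityEvent, Syslog, ThreatIntelligenceIndicator, WindowsFirewall,
        BehaviorAnalytics, WVDConnections
    | where TimeGenerated > ago(lookback)
    | summarize Events = count(), LastSeen = max(TimeGenerated) by TableName;
// Left outer join keeps expected sources that returned nothing, so gaps are visible.
expected
| join kind=leftouter observed on TableName
| extend Status = iff(isnull(LastSeen), "No data in lookback", "Reporting")
| project Source, TableName, Status, Events, LastSeen
| order by Status asc, Source asc
```

Rows marked "No data in lookback" point to sources whose licensing, connector, or health should be checked before the Control Cards that depend on them are adjusted.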



While using the Microsoft security controls for the CMMC Workbook is recommended, it’s not a set requirement as customers often rely on a multitude of security providers and solutions. Below is a use-case example for adjusting a Control Card to include third party tooling. The default KQL query provides a framework for target data and it is readily adjusted with the desired customer controls/solutions.
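The adjustment described above can look like the following sketch, an added example that is not the workbook's own query. It assumes a hypothetical Control Card whose default query reads Azure Firewall diagnostics, and extends it with a third-party firewall that forwards Common Event Format logs to the same workspace; `<vendor name>` is a placeholder.

```kusto
// Added example. Hypothetical Control Card query for a boundary-protection
// control; the workbook's actual default query is not shown on this page.
let lookback = 14d;
// Default-style leg: Microsoft control (Azure Firewall diagnostics).
let microsoftLeg = AzureDiagnostics
    | where TimeGenerated > ago(lookback)
    | where Category in ("AzureFirewallNetworkRule", "AzureFirewallApplicationRule")
    | project TimeGenerated, Source = "Azure Firewall", Detail = msg_s;
// Added leg: third-party firewall forwarding CEF into the same workspace.
// "<vendor name>" is a placeholder for the DeviceVendor value your appliance sends.
let thirdPartyLeg = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor == "<vendor name>"
    | project TimeGenerated,
              Source = strcat(DeviceVendor, " ", DeviceProduct),
              Detail = strcat(DeviceAction, " ", SourceIP, " -> ",
                              DestinationIP, ":", tostring(DestinationPort));
// Both legs share one schema, so the card can chart them side by side.
union microsoftLeg, thirdPartyLeg
| summarize Events = count(), LastSeen = max(TimeGenerated)
    by Source, Day = bin(TimeGenerated, 1d)
| order by Day desc, Source asc
```

Projecting both legs to the same columns before the union keeps the card's visualization settings working without further changes.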




Microsoft Blog Posts on CMMC

Below are additional resources for learning more about CMMC in the cloud with Microsoft. Let us know if there are additional government compliance frameworks we can help with. Bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity or visit our website for the latest news and updates on cybersecurity.




The Azure Sentinel CMMC Workbook demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All accreditation requirements and decisions are governed by the CMMC Accreditation Body. This workbook provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations and query modification for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective control requirements.

Last update: Nov 02 2021 06:33 PM