DoD Zero Trust Strategy for the visibility and analytics pillar

The DoD Zero Trust Strategy and Roadmap outlines a path for Department of Defense components and Defense Industrial Base (DIB) partners to adopt a new cybersecurity framework based on Zero Trust principles. Zero Trust eliminates traditional perimeters and trust assumptions, enabling a more efficient architecture that enhances security, user experiences, and mission performance.

This guide has recommendations for the 152 Zero Trust activities in the DoD Zero Trust Capability Execution Roadmap. The sections correspond with the seven pillars of the DoD Zero Trust model.

7 Visibility and analytics

This section has Microsoft guidance and recommendations for DoD Zero Trust activities in the visibility and analytics pillar. To learn more, see Visibility, automation, and orchestration with Zero Trust.

7.1 Log all traffic

Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) system. It's also a security orchestration, automation, and response (SOAR) solution built to handle large data volumes from many sources. Sentinel data connectors ingest data across users, devices, applications, and infrastructure, on-premises and in multiple clouds.

DoD Activity | Description and Outcome | Microsoft guidance and recommendations
Target 7.1.1 Scale Considerations
DoD organizations conduct analysis to determine current and future scaling needs. Scaling is analyzed following common industry best-practice methods and ZT Pillars. The team works with existing Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) groups to determine distributed environment needs in emergencies and as organizations grow.

- Sufficient infrastructure in place
- Distributed environment established
- Sufficient bandwidth for network traffic
Microsoft Sentinel
Sentinel uses a Log Analytics workspace to store security log data for analysis. Log Analytics is a platform as a service (PaaS) in Azure. There’s no infrastructure to manage or build.
- Workspace architecture
- Workspace architecture best practices
- Reduce costs for Sentinel

Azure Monitor Agent
Stream logs using Azure Monitor Agent from virtual machines (VMs) and from network appliances, on-premises and in other clouds.
- Windows Security Events with AMA
- Stream logs in CEF and Syslog format
- Data collection
- Azure Monitor Agent Performance Benchmark
- Scalable ingestion

Networking infrastructure
Ensure networking infrastructure meets bandwidth requirements for Microsoft 365 and cloud-based security monitoring for on-premises servers.
- Microsoft 365 network connectivity
- Network planning and performance tuning
- Azure ExpressRoute
- Connected machine agent network requirements

Business continuity management in Azure
Azure has mature business-continuity management programs for multiple industries. Review business continuity management and division of responsibilities.
- Business continuity management
- Reliability guidance

Target 7.1.2 Log Parsing
DoD Organizations identify and prioritize log and flow sources (e.g., Firewalls, Endpoint Detection & Response, Active Directory, Switches, Routers, etc.) and develop a plan for collection of high priority logs first then low priority. An open industry-standard log format is agreed upon at the DoD Enterprise level with the Organizations and implemented in future procurement requirements. Existing solutions and technologies are migrated to the format on a continual basis.

- Standardized log formats
- Rules developed for each log format
Microsoft Sentinel data connectors
Connect relevant data sources to Sentinel. Enable and configure analytics rules. Data connectors use standardized log formats.
- Monitor Zero Trust security architectures
- Create Sentinel custom connectors
- Logs Ingestion API in Azure Monitor

See Microsoft guidance 6.2.2 in Automation and orchestration.

Standardize logging with Common Event Format (CEF), an industry standard used by security vendors for event interoperability between platforms. Use Syslog for systems that don't support logs in CEF.
- CEF with Azure Monitor connector for Sentinel
- Ingest Syslog and CEF messages to Sentinel with Azure Monitor

Use the Advanced Security Information Model (ASIM) (Public preview) to collect and view data from multiple sources with a normalized schema.
- ASIM to normalize data
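The CEF-then-Syslog split and the ASIM normalization described above, as an added example that is not Microsoft, Sentinel, or DoD code. It parses CEF events (with or without a syslog header), handles the CEF escaping rules for `|`, `=`, and `\`, routes non-CEF lines to a plain Syslog path, and maps the result onto a small set of ASIM-style field names. The field mapping, the severity buckets, and the sample events are constructed assumptions, not the ASIM parser's own logic.

```python
"""Parse CEF events (with or without a syslog header) and map them to a small
ASIM-style normalized record.

Added example; this is not Microsoft, Sentinel or DoD code.  The target field
names (SrcIpAddr, DstPortNumber, EventVendor, ...) follow ASIM naming, but the
mapping table and severity buckets below are assumptions for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("CefVersion", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "SignatureId", "Name", "Severity")

# Extension keys are "key=" tokens preceded by start-of-string or whitespace.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

# CEF extension key -> ASIM-style field (assumed subset, modelled on the NetworkSession schema)
NORMALIZED_FIELDS = {
    "src": "SrcIpAddr", "spt": "SrcPortNumber", "dst": "DstIpAddr", "dpt": "DstPortNumber",
    "proto": "NetworkProtocol", "suser": "SrcUsername", "act": "DvcAction", "msg": "EventMessage",
}

# Constructed sample input: two CEF events (one inside a syslog header) and one plain syslog line.
SAMPLE_LINES = [
    "<134>Jan 15 10:22:03 fw01 CEF:0|Acme|Firewall|3.1|1001|Connection denied|7|"
    "src=10.1.2.3 spt=51522 dst=10.9.8.7 dpt=445 proto=TCP act=deny msg=Policy rule 17\\= blocked SMB",
    "CEF:0|Acme|VPN Gateway|2.0|42|Sign-in failure|4|suser=jdoe src=198.51.100.9 msg=Bad password",
    "Jan 15 10:22:04 srv02 sshd[123]: Failed password for root from 203.0.113.5 port 22 ssh2",
]


def _split_header(body: str) -> List[str]:
    """Split the seven header fields on unescaped '|' (CEF escapes it as '\\|');
    everything after the seventh pipe is the extension and may contain pipes."""
    parts, buf, i = [], [], 0
    while i < len(body) and len(parts) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(body[i:])
    return parts


def _unescape(value: str) -> str:
    """Undo extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n' / '\\r' -> newline characters."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Extension values may contain spaces, so each value runs up to the next 'key=' token."""
    keys = list(EXT_KEY.finditer(ext))
    fields = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end]).strip()
    return fields


def parse_cef(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed event, or None when the line carries no CEF payload
    (so a pipeline can route it to a plain Syslog parser instead)."""
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = _split_header(line[start + len("CEF:"):])
    if len(parts) != 8:
        raise ValueError(f"malformed CEF header: {line!r}")
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, parts[:7]))
    event["Extension"] = parse_extension(parts[7])
    return event


def severity_label(raw: str) -> str:
    """Bucket CEF severity (0-10 or Low/Medium/High/Very-High) into ASIM-style levels (assumed cut-offs)."""
    words = {"low": "Low", "medium": "Medium", "high": "High", "very-high": "High"}
    if raw.lower() in words:
        return words[raw.lower()]
    try:
        n = int(raw)
    except ValueError:
        return "Informational"
    return "Low" if n <= 3 else "Medium" if n <= 6 else "High"


def normalize(event: Dict[str, object]) -> Dict[str, object]:
    """Map a parsed CEF event onto normalized field names; unmapped keys go under AdditionalFields."""
    record: Dict[str, object] = {
        "EventVendor": event["DeviceVendor"],
        "EventProduct": event["DeviceProduct"],
        "EventOriginalType": event["SignatureId"],
        "EventOriginalSeverity": event["Severity"],
        "EventSeverity": severity_label(str(event["Severity"])),
        "AdditionalFields": {},
    }
    for key, value in event["Extension"].items():
        name = NORMALIZED_FIELDS.get(key)
        if name is None:
            record["AdditionalFields"][key] = value
        elif name.endswith("PortNumber"):
            record[name] = int(value)
        else:
            record[name] = value
    return record


def normalize_lines(lines: List[str]) -> Tuple[List[Dict[str, object]], List[str]]:
    """Normalize every CEF line; lines without CEF are returned separately for the Syslog path."""
    normalized, plain_syslog = [], []
    for line in lines:
        event = parse_cef(line)
        if event is None:
            plain_syslog.append(line)
        else:
            normalized.append(normalize(event))
    return normalized, plain_syslog


if __name__ == "__main__":
    records, leftovers = normalize_lines(SAMPLE_LINES)
    for r in records:
        print(r)
    print("not CEF:", leftovers)
```

The point of the split is the one the activity makes: agree on one open format (CEF) for everything that can emit it, keep a narrower Syslog path for the rest, and write the detection rules against the normalized names rather than against each vendor's raw keys.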

Target 7.1.3 Log Analysis
Common user and device activities are identified and prioritized based on risk. Activities deemed the most simplistic and risky have analytics created using different data sources such as logs. Trends and patterns are developed based on the analytics collected to look at activities over longer periods of time.

- Develop analytics per activity
- Identify activities to analyze
Complete activity 7.1.2.

Microsoft Defender XDR
Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that coordinates detection, prevention, investigation, and response natively across endpoints, identities, email, and applications. Use Defender XDR to protect against and respond to sophisticated attacks.
- Investigate alerts
- Zero Trust with Defender XDR
- Defender XDR for US government

Microsoft Sentinel
Develop custom analytics queries and visualize collected data using workbooks.
- Custom analytics rules to detect threats
- Visualize collected data

7.2 Security information and event management

Microsoft Defender XDR and Microsoft Sentinel work together to detect, alert, and respond to security threats. Microsoft Defender XDR detects threats across Microsoft 365, identities, devices, applications, and infrastructure, and generates alerts in the Microsoft Defender portal. Connect alerts and raw data from Microsoft Defender XDR to Sentinel and use advanced analytics rules to correlate events and generate incidents for high-fidelity alerts.

DoD Activity | Description and Outcome | Microsoft guidance and recommendations
Target 7.2.1 Threat Alerting Pt1
DoD Organizations utilize the existing Security Information and Event Management (SIEM) solution to develop basic rules and alerts for common threat events (malware, phishing, etc.). Alerts and/or rule firings are fed into the parallel "Asset ID & Alert Correlation" activity to begin automation of responses.

- Rules developed for threat correlation
Microsoft Defender XDR
Microsoft Defender XDR has alerts for threats detected across multi-platform endpoints, identities, email, collaboration tools, applications, and cloud infrastructure. The platform aggregates related alerts into incidents automatically to streamline security review.
- Investigate alerts

Microsoft Sentinel analytics rules
Enable standard analytics rules for connected data sources and create custom analytics rules to detect threats in Sentinel.

See Microsoft guidance in 7.1.3.

Target 7.2.2 Threat Alerting Pt2
DoD Organizations expand threat alerting in the Security Information and Event Management (SIEM) solution to include Cyber Threat Intelligence (CTI) data feeds. Deviation and anomaly rules are developed in the SIEM to detect advanced threats.

- Develop analytics to detect deviations
Microsoft Sentinel threat intelligence
Connect cyber threat intelligence (CTI) feeds to Sentinel.
- Threat intelligence

See Microsoft guidance 6.7.1 and 6.7.2 in Automation and orchestration.

Microsoft Sentinel solutions
Use analytics rules and workbooks in the Microsoft Sentinel content hub.
- Sentinel content and solutions

Microsoft Sentinel analytics rules
Create scheduled analytics rules to detect deviations, create incidents, and trigger security orchestration, automation, and response (SOAR) actions.
- Custom analytics rules to detect threats

Advanced 7.2.3 Threat Alerting Pt3
Threat Alerting is expanded to include advanced data sources such as Extended Detection & Response (XDR), User & Entity Behavior Analytics (UEBA), and User Activity Monitoring (UAM). These advanced data sources are used to develop improved anomalous and pattern activity detections.

- Identify triggering anomalous events
- Implement triggering policy
Microsoft Sentinel data connectors
Connect Microsoft Defender XDR to Sentinel to aggregate alerts, incidents, and raw data.
- Connect Defender XDR to Sentinel

Microsoft Sentinel customizable anomalies
Use Microsoft Sentinel customizable anomaly templates to tune anomaly detection rules and reduce noise.
- Customizable anomalies to detect threats

Fusion in Microsoft Sentinel
The Fusion engine correlates alerts for advanced multi-stage attacks.
- Fusion engine detections

See Microsoft guidance 6.4.1 in Automation and orchestration.

Target 7.2.4 Asset ID and Alert Correlation
DoD Organizations develop basic correlation rules using asset and alert data. Responses to common threat events (e.g., malware, phishing, etc.) are automated within the Security Information and Event Management (SIEM) solution.

- Rules developed for asset ID based responses
Microsoft Defender XDR
Microsoft Defender XDR correlates signals across multi-platform endpoints, identities, email, collaboration tools, applications, and cloud infrastructure. Configure self-healing with Microsoft Defender automated investigation and response capabilities.
- Microsoft Defender XDR
- Automated investigation and response

Microsoft Sentinel entities
Alerts sent to or generated by Sentinel contain data items that Sentinel classifies into entities: user accounts, hosts, files, processes, IP addresses, and URLs. Use entity pages to view entity information, analyze behavior, and improve investigations.
- Classify and analyze data using entities
- Investigate entity pages
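Entity-based alert correlation, covering both the "rules developed for threat correlation" outcome of 7.2.1 and the "asset ID based responses" outcome of 7.2.4, as an added example that is not Defender XDR or Sentinel code. It links alerts that share an entity value (account, host, IP) within a time window, rolls each linked set into an incident carrying the highest alert severity, and attaches the response action a common threat category maps to. The alerts, entity types, two-hour window, and playbook names are constructed placeholders.

```python
"""Group related alerts into incidents by shared entities (account, host, IP),
then attach the response playbook a common threat category maps to.

Added example; not Microsoft Defender XDR or Sentinel code.  Alert data,
entity types, the two-hour window and playbook names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CORRELATION_WINDOW = timedelta(hours=2)   # assumption: alerts sharing an entity within 2h belong together

# Assumed category -> automated response (placeholder names, not real playbooks)
RESPONSE_PLAYBOOKS = {
    "Malware": "Playbook-Isolate-Device",
    "Phishing": "Playbook-Purge-Message-And-Reset-Password",
}


@dataclass
class Alert:
    id: str
    time: datetime
    title: str
    severity: str
    category: str
    entities: Dict[str, str]   # entity type -> value, e.g. {"Account": "jdoe"}


@dataclass
class Incident:
    id: str
    severity: str
    alerts: List[Alert]
    entities: List[Tuple[str, str]]
    actions: List[str] = field(default_factory=list)


# Constructed sample alerts
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_ALERTS = [
    Alert("A1", T0 + timedelta(hours=1), "Phishing email delivered", "Medium", "Phishing",
          {"Account": "jdoe"}),
    Alert("A2", T0 + timedelta(hours=1, minutes=15), "Unfamiliar sign-in", "Medium", "Identity",
          {"Account": "jdoe", "IP": "198.51.100.9"}),
    Alert("A3", T0 + timedelta(hours=1, minutes=40), "Malware detected", "High", "Malware",
          {"Host": "WS-042", "Account": "jdoe"}),
    Alert("A4", T0 + timedelta(hours=2), "Port scan observed", "Low", "Reconnaissance",
          {"Host": "SRV-07", "IP": "203.0.113.5"}),
    Alert("A5", T0, "Failed logon burst", "Low", "Identity", {"Account": "svc-backup"}),
]


def correlate(alerts: List[Alert], window: timedelta = CORRELATION_WINDOW) -> List[Incident]:
    """Union-find over alerts: two alerts are linked when they share an entity
    value seen within `window` of each other; each connected set is one incident."""
    ordered = sorted(alerts, key=lambda a: a.time)
    parent = list(range(len(ordered)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(i: int, j: int) -> None:
        parent[find(j)] = find(i)

    # Walk alerts in time order, remembering where each entity value was last seen.
    last_seen: Dict[Tuple[str, str], Tuple[int, datetime]] = {}
    for idx, alert in enumerate(ordered):
        for entity in alert.entities.items():
            if entity in last_seen:
                prev_idx, prev_time = last_seen[entity]
                if alert.time - prev_time <= window:
                    union(prev_idx, idx)
            last_seen[entity] = (idx, alert.time)

    groups: Dict[int, List[Alert]] = {}
    for idx, alert in enumerate(ordered):
        groups.setdefault(find(idx), []).append(alert)

    incidents = []
    for n, members in enumerate(groups.values(), start=1):
        entities = sorted({e for a in members for e in a.entities.items()})
        incidents.append(Incident(
            id=f"INC-{n}",
            severity=max((a.severity for a in members), key=SEVERITY_RANK.__getitem__),
            alerts=members,
            entities=entities,
            actions=sorted({RESPONSE_PLAYBOOKS[a.category]
                            for a in members if a.category in RESPONSE_PLAYBOOKS}),
        ))
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc.id, inc.severity, [a.id for a in inc.alerts], inc.entities, inc.actions)
```

With the constructed data, the phishing, sign-in, and malware alerts chain through the `jdoe` account into one High incident whose actions are the two mapped playbooks, while the port scan and the service-account logon burst stay as separate single-alert incidents.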

Target 7.2.5 User/Device Baselines
DoD Organizations develop user and device baseline approaches based on DoD enterprise standards for the appropriate pillar. Attributes utilized in baselining are pulled from the enterprise wide standards developed in cross pillar activities.

- Identify user and device baselines
Microsoft Sentinel data connectors
Establish a data ingestion baseline for Sentinel. At a minimum, include the Microsoft Entra ID and Microsoft Defender XDR connectors, configure standard analytics rules, and enable user and entity behavior analytics (UEBA).
- Connect Defender XDR to Sentinel
- Enable UEBA

Azure Lighthouse
Configure Azure Lighthouse to manage Sentinel workspaces across multiple tenants.
- Extend Sentinel across workspaces and tenants
- Multitenant operations for defense organizations

7.3 Common security and risk analytics

Microsoft Defender XDR has standard threat detections, analytics, and alerting. Use Microsoft Sentinel customizable near-real-time analytics rules to help correlate, detect, and generate alerts for anomalies across connected data sources.

DoD Activity | Description and Outcome | Microsoft guidance and recommendations
Target 7.3.1 Implement Analytics Tools
DoD Organizations procure and implement basic Cyber-focused analytics tools. Analytics development is prioritized based on risk and complexity looking for easy impactful analytics first. Continued analytics development focuses on Pillar requirements to better meet reporting needs.

- Develop requirements for analytic environment
- Procure and implement analytic tools

Microsoft Defender XDR and Microsoft Sentinel
Configure integration of Microsoft Defender XDR and Sentinel.
- Microsoft Defender XDR
- Sentinel and Defender XDR for Zero Trust

Target 7.3.2 Establish User Baseline Behaviors
Utilizing the analytics developed for users and devices in a parallel activity, baselines are established in a technical solution. These baselines are applied to an identified set of users based on risk initially and then expanded to the larger DoD Organization user base. The technical solution used is integrated with machine learning functionality to begin automation.

- Identify users for baseline
- Establish ML-based baselines
Microsoft Defender XDR
Microsoft Defender XDR integrated automated detection and response is a frontline of defense. The guidance in User and Device pillars establishes baseline behavior and enforces policies with Microsoft Defender XDR signals in Microsoft Intune (device compliance) and Conditional Access (compliant device and identity risk).

See Microsoft guidance in User and Device.

Microsoft Sentinel analytics rules
Use Sentinel to correlate events, detect threats, and trigger response actions. Connect relevant data sources to Sentinel and create near-real-time analytics rules to detect threats during data ingestion.
- Detect threats

See Microsoft guidance in 7.2.5.

Microsoft Sentinel notebooks
Build customized ML models to analyze Sentinel data using Jupyter notebooks and the bring-your-own-Machine-Learning (BYO-ML) platform.
- BYO-ML into Sentinel
- Jupyter notebooks and MSTICPy

7.4 User and entity behavior analytics

Microsoft Defender XDR and Microsoft Sentinel detect anomalies using user and entity behavior analytics (UEBA). Detect anomalies in Sentinel with Fusion, UEBA, and machine-learning (ML) analytics rules. Sentinel also integrates with Azure Notebooks (Jupyter Notebook) for bring-your-own-Machine-Learning (BYO-ML) and visualization functionality.

DoD Activity | Description and Outcome | Microsoft guidance and recommendations
Target 7.4.1 Baseline and Profiling Pt1
Utilizing the analytics developed for users and devices in a parallel activity, common profiles are created for typical user and device types. Analytics taken from baselining are updated to look at larger containers: profiles.

- Develop analytics to detect changing threat conditions
- Identify user and device threat profiles
Microsoft Defender XDR
Visit the Microsoft Defender portal for a unified view of incidents, alerts, reports, and threat analytics. Use Microsoft Secure Score to assess and improve security posture. Create custom detections to monitor and respond to security events in Microsoft Defender XDR.
- Microsoft Defender portal
- Assess security posture with Secure Score
- Custom detections

Microsoft Sentinel
Use workbooks to visualize and monitor data. Create custom analytics rules and enable anomaly detection to identify and alert for changing threat conditions.
- Visualize and monitor data
- Custom analytics to detect threats
- Customize anomalies to detect threats

Advanced 7.4.2 Baseline and Profiling Pt2
DoD Organizations expand baselines and profiles to include unmanaged and nonstandard device types including Internet of Things (IoT) and Operational Technology (OT) through data output monitoring. These devices are again profiled based on standardized attributes and use cases. Analytics are updated to consider the new baselines and profiles accordingly enabling further detections and response. Specific risky users and devices are automatically prioritized for increased monitoring based on risk. Detection and response are integrated with cross pillar functionalities.

- Add threat profiles for IoT and OT devices
- Develop and extend analytics
- Extend threat profiles to individual users and devices
Microsoft Defender XDR
Discover and secure unmanaged devices with Microsoft Defender for Endpoint.
- Device discovery
- Tenant attach to support endpoint security policies from Intune
- Secure managed and unmanaged devices
- Authenticated network device scans
- Unmanaged Windows device authenticated scan

Microsoft Defender for IoT
Deploy Defender for IoT sensors in operational technology (OT) networks. Defender for IoT supports agentless device monitoring for cloud, on-premises, and hybrid OT networks. Enable learning mode for a baseline of your environment and connect Defender for IoT to Microsoft Sentinel.
- Defender for IoT for organizations
- OT monitoring
- Learned baseline of OT alerts
- Connect Defender for IoT with Sentinel
- Investigate entities with entity pages

Advanced 7.4.3 UEBA Baseline Support Pt1
User and Entity Behavior Analytics (UEBA) within DoD Organizations expands monitoring to advanced analytics such as Machine Learning (ML). These results are in turn reviewed and fed back into the ML algorithms to improve detection and response.

- Implement ML-based analytics to detect anomalies
Complete activity 7.3.2.

Microsoft Sentinel analytics rules
Sentinel uses two models to create baselines and detect anomalies, UEBA and machine learning.
- Detected anomalies

UEBA anomalies
UEBA detects anomalies based on dynamic entity baselines.
- Enable UEBA
- UEBA anomalies

Machine learning anomalies
ML anomalies identify unusual behavior with standard analytics rule templates.
- ML anomalies
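A baseline-and-anomaly model with an analyst feedback loop, as an added example that is not Sentinel UEBA or ML code. It serves the user/device baselines of 7.2.5, the ML-based baselines of 7.3.2, and the review-and-feed-back loop of 7.4.3 above: each entity gets a baseline from its own history, is also compared to its peer group, and is scored by z-score; an entity with too little history is reported rather than alerted on, a perfectly flat baseline is floored so a trivial change does not fire, and a false positive confirmed by review is folded back into the baseline. The metric (MB downloaded per day), the users, the peer grouping, and the thresholds are constructed assumptions.

```python
"""Per-entity and peer-group baselines with z-score anomaly detection and an
analyst feedback loop, in the style of UEBA.

Added example; not Microsoft Sentinel UEBA or ML code.  The metric (MB
downloaded per day), users, thresholds and the peer grouping are constructed."""
from statistics import mean, pstdev
from typing import Dict, List

MIN_HISTORY = 7     # assumption: an entity needs 7 days of history before it has a baseline
MIN_SIGMA = 1.0     # assumption: floor on sigma so a perfectly flat baseline does not flag +1 MB
Z_THRESHOLD = 3.0   # assumption: one-sided, only unusually HIGH volumes count as anomalies

# Constructed history: 14 daily values per user (MB downloaded); carol has only 3 days
HISTORY: Dict[str, List[float]] = {
    "alice": [48, 52, 50, 49, 51, 50, 47, 53, 50, 49, 51, 50, 48, 52],
    "bob":   [38, 42, 40, 41, 39, 40, 43, 37, 40, 41, 39, 40, 42, 38],
    "dave":  [50] * 14,
    "carol": [120, 130, 125],
}
PEER_GROUP = {"alice": "finance", "bob": "finance", "dave": "finance", "carol": "engineering"}
TODAY: Dict[str, float] = {"alice": 53, "bob": 900, "dave": 51, "carol": 500}


def zscore(value: float, samples: List[float]) -> float:
    """Standard score against a sample set, with the sigma floor applied."""
    return (value - mean(samples)) / max(pstdev(samples), MIN_SIGMA)


def peer_samples(user: str, history: Dict[str, List[float]]) -> List[float]:
    """History of every other member of the user's peer group."""
    group = PEER_GROUP.get(user)
    return [v for peer, vals in history.items()
            if peer != user and PEER_GROUP.get(peer) == group
            for v in vals]


def score_entity(user: str, value: float, history: Dict[str, List[float]]) -> Dict[str, object]:
    own = history.get(user, [])
    result: Dict[str, object] = {"user": user, "value": value, "entity_z": None, "peer_z": None}
    if len(own) < MIN_HISTORY:
        result["status"] = "insufficient_history"   # cold start: do not alert on an unlearned entity
        return result
    entity_z = zscore(value, own)
    result["entity_z"] = entity_z
    peers = peer_samples(user, history)
    peer_z = zscore(value, peers) if len(peers) >= MIN_HISTORY else None
    result["peer_z"] = peer_z
    flagged = entity_z >= Z_THRESHOLD or (peer_z is not None and peer_z >= Z_THRESHOLD)
    result["status"] = "anomaly" if flagged else "normal"
    return result


def evaluate_day(today: Dict[str, float], history: Dict[str, List[float]]) -> Dict[str, Dict[str, object]]:
    """Score every entity observed today against its baseline; history is not modified."""
    return {user: score_entity(user, value, history) for user, value in today.items()}


def apply_feedback(history: Dict[str, List[float]], user: str, value: float, true_positive: bool) -> None:
    """Analyst review feeds back into the model: a false positive is folded into the
    entity's baseline so that behaviour is learned as normal; a confirmed incident is kept out."""
    if not true_positive:
        history.setdefault(user, []).append(value)


if __name__ == "__main__":
    for user, r in evaluate_day(TODAY, HISTORY).items():
        print(f"{user:6} value={r['value']:>5} status={r['status']:<20} "
              f"entity_z={r['entity_z']} peer_z={r['peer_z']}")
```

With the constructed data, bob's 900 MB day is flagged against both his own and his peers' baselines, alice and dave stay normal (dave's flat history would otherwise flag a one-megabyte change), and carol is reported as having insufficient history rather than producing a noisy alert.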

Advanced 7.4.4 UEBA Baseline Support Pt2
User & Entity Behavior Analytics (UEBA) within DoD Organizations completes its expansion by feeding traditional and machine learning (ML) based results into Artificial Intelligence (AI) algorithms. Initially, AI-based detections are supervised; ultimately, using advanced techniques such as neural networks, UEBA operators aren't part of the learning process.

- Implement ML-based analytics to detect anomalies (supervised AI detections)
Fusion in Microsoft Sentinel
Use the Advanced Multistage Attack Detection (Fusion) analytics rule in Sentinel. Fusion is an ML-trained correlation engine that detects multistage attacks and advanced persistent threats (APTs). It identifies combinations of anomalous behaviors and suspicious activities that are otherwise difficult to catch.
- Advanced multistage attack detection

Microsoft Sentinel notebooks
Build your own customized ML models to analyze Microsoft Sentinel data using Jupyter notebooks and the bring-your-own-Machine-Learning (BYO-ML) platform.
- BYO-ML into Sentinel
- Jupyter notebooks and MSTICPy

7.5 Threat intelligence integration

Microsoft Defender Threat Intelligence streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence (CTI) from Microsoft threat experts and other sources. Microsoft Sentinel connects to Microsoft Defender Threat Intelligence and third-party CTI sources.

DoD Activity | Description and Outcome | Microsoft guidance and recommendations
Target 7.5.1 Cyber Threat Intelligence Program Pt1
The DoD Enterprise works with the Organizations to develop a Cyber Threat Intelligence (CTI) program policy, standard, and process. Organizations utilize this documentation to develop organizational CTI teams with key mission/task stakeholders. CTI Teams integrate common feeds of data with the Security Information and Event Management (SIEM) for improved alerting and response. Integrations with Device and Network enforcement points (e.g., Firewalls, Endpoint Security Suites, etc.) are created to conduct basic monitoring of CTI-driven data.

- Cyber Threat Intelligence team is in place with critical stakeholders
- Public and Baseline CTI feeds are being utilized by SIEM for alerting
- Basic integration points exist with Device and Network enforcement points (e.g., NGAV, NGFW, NG-IPS)
Microsoft Defender Threat Intelligence
Connect Defender Threat Intelligence and other threat intelligence feeds to Sentinel.
- Defender Threat Intelligence
- Enable data connector for Defender Threat Intelligence
- Connect threat intelligence platforms to Sentinel

Azure networking
Integrate network resources with Microsoft Sentinel.
- Sentinel with Azure Web App Firewall
- Azure Firewall with Sentinel
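Matching events against a CTI feed, as an added example that is not Defender Threat Intelligence or Sentinel code; it serves the CTI-driven alerting of 7.2.2 and the baseline feed integration of 7.5.1. It loads indicators from a simplified STIX-like feed, drops expired ones at load time, matches IP indicators including CIDR ranges, matches domain indicators including subdomains, and rates each hit by indicator confidence. The feed entries, the event field names, and the confidence cut-offs are constructed assumptions.

```python
"""Match events against a cyber threat intelligence (CTI) feed of indicators,
honouring indicator expiry, CIDR ranges and subdomain matches.

Added example; not Microsoft Defender Threat Intelligence or Sentinel code.
The feed entries, events and confidence-to-severity cut-offs are constructed."""
import ipaddress
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed CTI feed (STIX-like indicator types, simplified)
FEED = [
    {"type": "ipv4-addr", "value": "203.0.113.5", "confidence": 90,
     "valid_until": "2030-01-01T00:00:00Z", "source": "constructed-feed-A"},
    {"type": "ipv4-addr", "value": "198.51.100.0/24", "confidence": 60,
     "valid_until": "2030-01-01T00:00:00Z", "source": "constructed-feed-A"},
    {"type": "domain-name", "value": "Bad.Example", "confidence": 75,
     "valid_until": "2030-01-01T00:00:00Z", "source": "constructed-feed-B"},
    {"type": "ipv4-addr", "value": "192.0.2.44", "confidence": 95,
     "valid_until": "2020-01-01T00:00:00Z", "source": "constructed-feed-B"},   # expired
    {"type": "sha256", "value": "a" * 64, "confidence": 40,
     "valid_until": "2030-01-01T00:00:00Z", "source": "constructed-feed-C"},
]

# Constructed normalized events (field names are assumptions)
EVENTS = [
    {"user": "jdoe", "dst_ip": "203.0.113.5", "dst_domain": None, "sha256": None},
    {"user": "asmith", "dst_ip": "198.51.100.77", "dst_domain": "cdn.bad.example", "sha256": None},
    {"user": "jdoe", "dst_ip": "192.0.2.44", "dst_domain": None, "sha256": None},
    {"user": "bwong", "dst_ip": "10.0.0.5", "dst_domain": "intranet.example", "sha256": None},
    {"user": "asmith", "dst_ip": None, "dst_domain": None, "sha256": "A" * 64},
]
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)   # fixed clock so the run is deterministic


class Indicator:
    def __init__(self, raw: Dict[str, object]):
        self.type = str(raw["type"])
        self.raw_value = str(raw["value"])
        self.confidence = int(raw["confidence"])
        self.source = str(raw["source"])
        self.valid_until = datetime.fromisoformat(str(raw["valid_until"]).replace("Z", "+00:00"))
        if self.type == "ipv4-addr":
            self.network = ipaddress.ip_network(self.raw_value, strict=False)   # a bare IP becomes /32
        else:
            self.value = self.raw_value.lower()

    def is_active(self, now: datetime) -> bool:
        return now < self.valid_until

    @property
    def severity(self) -> str:
        """Assumed confidence buckets for the resulting alert."""
        return "High" if self.confidence >= 80 else "Medium" if self.confidence >= 50 else "Low"

    def matches(self, event: Dict[str, object]) -> Optional[str]:
        """Return the event field that hit, or None."""
        if self.type == "ipv4-addr" and event.get("dst_ip"):
            return "dst_ip" if ipaddress.ip_address(str(event["dst_ip"])) in self.network else None
        if self.type == "domain-name" and event.get("dst_domain"):
            d = str(event["dst_domain"]).lower()
            return "dst_domain" if d == self.value or d.endswith("." + self.value) else None
        if self.type == "sha256" and event.get("sha256"):
            return "sha256" if str(event["sha256"]).lower() == self.value else None
        return None


def load_indicators(feed: List[Dict[str, object]], now: datetime) -> List[Indicator]:
    """Drop expired indicators at load time so stale IOCs never generate alerts."""
    return [i for i in (Indicator(r) for r in feed) if i.is_active(now)]


def match_events(events: List[Dict[str, object]], feed: List[Dict[str, object]],
                 now: datetime) -> List[Dict[str, object]]:
    indicators = load_indicators(feed, now)
    hits: List[Dict[str, object]] = []
    for idx, event in enumerate(events):
        for ind in indicators:
            hit_field = ind.matches(event)
            if hit_field:
                hits.append({"event_index": idx, "user": event.get("user"), "field": hit_field,
                             "indicator": ind.raw_value, "source": ind.source, "severity": ind.severity})
    return hits


if __name__ == "__main__":
    for h in match_events(EVENTS, FEED, NOW):
        print(h)
```

Two details matter in practice and are what the example exercises: expiry is enforced when the feed is loaded, not at match time, so an indicator that lapsed years ago produces no alert even though the destination still appears in events; and the domain match covers subdomains, since the same indicator should catch `cdn.bad.example` as well as `bad.example`.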

Target 7.5.2 Cyber Threat Intelligence Program Pt2
DoD Organizations expand their Cyber Threat Intelligence (CTI) teams to include new stakeholders as appropriate. Authenticated, private, and controlled CTI data feeds are integrated into Security Information and Event Management (SIEM) and enforcement points from the Device, User, Network and Data pillars.

- Cyber Threat Intelligence team is in place with extended stakeholders as appropriate
- Controlled and Private feeds are being utilized by SIEM and other appropriate Analytics tools for alerting and monitoring
- Integration is in place for extended enforcement points within the Device, User, Network and Data pillars (UEBA, UAM)
Microsoft Sentinel data connectors
Manage networking resources in Azure with the REST API. Establish basic integration with network enforcement points using Sentinel playbooks and Logic Apps.
- Virtual network REST operations
- Threat response with Sentinel playbooks

Find playbooks for other network enforcement points in the Sentinel playbook repository.
- Sentinel playbooks in GitHub

7.6 Automated dynamic policies

The Microsoft Security stack uses machine learning (ML) and artificial intelligence (AI) to protect identities, devices, applications, data, and infrastructure. With Microsoft Defender XDR and Conditional Access, ML detections establish aggregate risk levels for users and devices.

Use device risk to mark a device as noncompliant. Identity risk level enables organizations to require phishing-resistant authentication methods, compliant devices, increased sign-in frequency, and more. Use risk conditions and Conditional Access controls to enforce automated, dynamic access policies.

DoD Activity | Description and Outcome | Microsoft guidance and recommendations
Advanced 7.6.1 AI-Enabled Network Access
DoD Organizations utilize the SDN Infrastructure and Enterprise Security Profiles to enable Artificial Intelligence (AI)/Machine Learning (ML) driven network access. Analytics from previous activities is used to teach the AI/ML algorithms improving decision making.

- Network access is AI driven based on environment analytics
Microsoft Defender XDR
Automatic attack disruption in Microsoft Defender XDR limits lateral movement, which reduces the effects of a ransomware attack. Microsoft Security researchers use AI models in Defender XDR to counteract the complexities of advanced attacks. The solution correlates signals into high-confidence incidents to identify and contain attacks in real time.
- Attack disruptions

Network protection capabilities in Microsoft Defender SmartScreen and Web protection expand to the operating system to block command and control (C2) attacks.
- Protect your network
- AI to disrupt human-operated ransomware

Microsoft Sentinel
Use the Azure Firewall solution for Sentinel to visualize firewall activity, detect threats with AI-assisted investigation capabilities, correlate activities, and automate response actions.
- Azure Firewall with Sentinel

Advanced 7.6.2 AI-enabled Dynamic Access Control
DoD organizations utilize previous rule-based dynamic access to teach Artificial Intelligence (AI)/Machine Learning (ML) algorithms to make access decisions for various resources. The "AI-enabled Network Access" activity algorithms are updated to enable broader decision making across all DAAS.

- JIT/JEA are integrated with AI
Conditional Access
Require Microsoft Defender for Endpoint machine risk level in Microsoft Intune compliance policy. Use device compliance and Microsoft Entra ID Protection risk conditions in Conditional Access policies.
- Risk-based access policies
- Compliance policies to set rules for Intune managed devices

Privileged Identity Management
Use identity protection risk level and device compliance signals to define an authentication context for privileged access. Require that authentication context for PIM requests to enforce policies for just-in-time (JIT) access.

See Microsoft guidance 7.6.1 in this section and 1.4.4 in User.
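The dynamic access pattern described in 7.6 above (device risk marking a device noncompliant, identity and sign-in risk requiring stronger authentication, and a stricter authentication context for privileged JIT requests) as an added example, not Microsoft Entra, Intune, or Defender code. The rule set, risk levels, control names, session control, and sample requests are constructed to mirror the policy pattern; real Conditional Access policies are configured in the portal or Graph API, not written this way.

```python
"""Risk-based dynamic access evaluation in the style of Conditional Access with
device compliance, identity risk and a privileged (JIT) authentication context.

Added example; not Microsoft Entra, Intune or Defender code.  The rule set,
risk levels, control names and sample requests are constructed."""
from dataclasses import dataclass, field
from typing import List

RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}
AUTH_STRENGTH = {"password": 0, "mfa": 1, "phishing_resistant": 2}
# Minimum authentication strength that satisfies each grant control (assumed)
SATISFIES = {"mfa": 1, "phishing_resistant_mfa": 2}


@dataclass
class AccessRequest:
    user: str
    user_risk: str          # aggregate identity risk: none/low/medium/high
    signin_risk: str        # risk of this particular sign-in
    device_compliant: bool  # Intune-style compliance result
    device_risk: str        # endpoint machine risk: none/low/medium/high
    auth_strength: str      # password / mfa / phishing_resistant
    resource_tier: str      # "standard" or "privileged" (JIT/JEA elevation)


@dataclass
class Decision:
    outcome: str            # allow / challenge / block
    reason: str
    required: List[str] = field(default_factory=list)
    unmet: List[str] = field(default_factory=list)
    session: List[str] = field(default_factory=list)


def device_is_compliant(req: AccessRequest) -> bool:
    """Assumed compliance rule: medium-or-higher machine risk marks the device
    noncompliant even when every other compliance check passes."""
    return req.device_compliant and RISK[req.device_risk] < RISK["medium"]


def evaluate_access(req: AccessRequest) -> Decision:
    # Hard stops first: a high-risk identity or a noncompliant device never gets through.
    if RISK[req.user_risk] >= RISK["high"]:
        return Decision("block", "user risk is high")
    if not device_is_compliant(req):
        return Decision("block", "device is noncompliant or at risk")

    session: List[str] = []
    if req.resource_tier == "privileged":
        # Authentication context for JIT: no elevated risk tolerated, strongest auth, short session.
        if RISK[req.user_risk] >= RISK["medium"] or RISK[req.signin_risk] >= RISK["medium"]:
            return Decision("block", "risk too high for privileged authentication context")
        required = ["phishing_resistant_mfa"]
        session = ["signin_frequency_1h"]   # assumed session control for elevated access
    elif RISK[req.signin_risk] >= RISK["medium"] or RISK[req.user_risk] >= RISK["medium"]:
        required = ["phishing_resistant_mfa"]
    else:
        required = ["mfa"]

    unmet = [c for c in required if AUTH_STRENGTH[req.auth_strength] < SATISFIES[c]]
    if unmet:
        return Decision("challenge", "step-up authentication required", required, unmet, session)
    return Decision("allow", "policy satisfied", required, [], session)


# Constructed requests covering the main branches
SAMPLE_REQUESTS = [
    AccessRequest("alice", "none", "none", True, "low", "mfa", "standard"),
    AccessRequest("bob", "low", "medium", True, "low", "mfa", "standard"),
    AccessRequest("carol", "none", "none", True, "high", "phishing_resistant", "standard"),
    AccessRequest("dave", "high", "none", True, "none", "phishing_resistant", "standard"),
    AccessRequest("erin", "low", "low", True, "low", "phishing_resistant", "privileged"),
    AccessRequest("frank", "low", "medium", True, "none", "phishing_resistant", "privileged"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        d = evaluate_access(r)
        print(f"{r.user:6} {d.outcome:9} {d.reason}  unmet={d.unmet} session={d.session}")
```

The order of evaluation is the point: risk signals that should never be overridden (high identity risk, at-risk device) are checked before any grant control, the privileged tier applies a stricter context than the standard tier, and a request that fails only on authentication strength gets a step-up challenge rather than a block.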
