DoD Zero Trust Strategy for the automation and orchestration pillar
The DoD Zero Trust Strategy and Roadmap outlines a path for Department of Defense components and Defense Industrial Base (DIB) partners to adopt a new cybersecurity framework based on Zero Trust principles. Zero Trust eliminates traditional perimeters and trust assumptions, enabling a more efficient architecture that enhances security, user experiences, and mission performance.
This guide has recommendations for the 152 Zero Trust activities in the DoD Zero Trust Capability Execution Roadmap. The sections correspond with the seven pillars of the DoD Zero Trust model.
Use the following links to go to sections of the guide.
- Introduction
- User
- Device
- Applications and workloads
- Data
- Network
- Automation and orchestration
- Visibility and analytics
6 Automation and orchestration
This section has Microsoft guidance and recommendations for DoD Zero Trust activities in the automation and orchestration pillar. To learn more, see visibility, automation, and orchestration with Zero Trust.
6.1 Policy decision point (PDP) and policy orchestration
Microsoft Sentinel provides security orchestration, automation, and response (SOAR) through cloud-based resources. Use it to automate detection of, and response to, cyberattacks. Sentinel integrates with Microsoft Entra ID, Microsoft Defender XDR, Microsoft 365, Azure, and non-Microsoft platforms. These extensible integrations enable Sentinel to coordinate cybersecurity detection and response actions across platforms, increasing the effectiveness and efficiency of security operations.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
| **Target 6.1.1 Policy Inventory & Development**<br>The DoD enterprise works with the Organizations to catalog and inventory existing Cyber Security policies and standards. Policies are updated and created in cross pillar activities as needed to meet critical ZT Target functionality.<br>Outcomes:<br>- Policies have been collected in reference to applicable compliance and risk (e.g. RMF, NIST)<br>- Policies have been reviewed for missing Pillars and Capabilities per the ZTRA<br>- Missing areas of policies are updated to meet the capabilities per ZTRA | **Microsoft Purview Compliance Manager**<br>Use Microsoft Purview Compliance Manager to assess and manage compliance in a multicloud environment.<br>- Compliance Manager<br>- Azure, Dynamics 365, Microsoft Purview<br>- Multicloud support<br>**Microsoft Defender for Cloud**<br>Use Defender for Cloud regulatory compliance features to view and improve compliance with Azure Policy initiatives in a multicloud environment.<br>- Improve regulatory compliance<br>- FedRAMP High Regulatory Compliance<br>- NIST SP 800-53 Rev. 5 Regulatory Compliance<br>- CMMC Regulatory Compliance<br>**Microsoft Sentinel**<br>The Sentinel content hub has solutions to visualize and measure progress against domain-specific security requirements.<br>- Sentinel content hub catalog<br>- DoD ZT Sentinel workbook<br>- NIST SP 800-53 solution |
| **Target 6.1.2 Organization Access Profile**<br>DoD Organizations develop basic access profiles for mission/task and non-mission/task DAAS access using the data from the User, Data, Network, and device pillars. The DoD Enterprise works with the Organizations to develop an Enterprise Security Profile using the existing Organizational security profiles to create a common access approach to DAAS. A phased approach can be used in organizations to limit risk to mission/task critical DAAS access once the security profile(s) are created.<br>Outcomes:<br>- Organization scoped profile(s) are created to determine access to DAAS using capabilities from User, Data, Network, and Device pillars<br>- Initial enterprise profile access standard is developed for access to DAAS<br>- When possible the organization profile(s) utilizes enterprise available services in the User, Data, Network, and Device pillars | **Conditional Access**<br>Define standardized DoD policy sets with Conditional Access. Include authentication strength, device compliance, and user and sign-in risk controls.<br>- Conditional Access |
| **Target 6.1.3 Enterprise Security Profile Pt1**<br>The Enterprise Security profile covers the User, Data, Network, and Device pillars initially. Existing Organizational Security Profiles are integrated for non-mission/task DAAS access following.<br>Outcomes:<br>- Enterprise Profile(s) are created to access DAAS using capabilities from User, Data, Network, and Device Pillars<br>- Non-mission/task critical organization profile(s) are integrated with the enterprise profile(s) using a standardized approach | Complete activity 6.1.2.<br>**Microsoft Graph API**<br>Use Microsoft Graph API to manage and deploy Conditional Access policies, cross-tenant access settings, and other Microsoft Entra configuration settings.<br>- Programmatic access<br>- Cross-tenant access settings API<br>- Graph features and services |
| **Advanced 6.1.4 Enterprise Security Profile Pt2**<br>The minimum number of Enterprise Security Profile(s) exist granting access to the widest range of DAAS across Pillars within the DoD Organizations. Mission/task organization profiles are integrated with the Enterprise Security Profile(s) and exceptions are managed in a risk based methodical approach.<br>Outcomes:<br>- Enterprise Profile(s) have been reduced and simplified to support widest array of access to DAAS<br>- Where appropriate Mission/Task Critical profile(s) have been integrated and supported Organization profiles are considered the exception | **Conditional Access**<br>Use the Conditional Access insights and reporting workbook to see how Conditional Access policies affect your organization. If possible, combine policies. A simplified policy set is easier to manage and troubleshoot, and makes it easier to pilot new Conditional Access features. You can use Conditional Access templates to create simpler policies.<br>- Insights and reports<br>- Templates<br>Use the What If tool and report-only mode to troubleshoot and evaluate new policies.<br>- Troubleshoot Conditional Access<br>- Report-only mode<br>Reduce your organization's dependence on trusted network locations. Use country locations determined by GPS coordinates or IP address to simplify location conditions in Conditional Access policies.<br>- Location conditions<br>**Custom security attributes**<br>Use custom security attributes and application filters in Conditional Access policies to scope authorization by the security attributes assigned to application objects, such as sensitivity.<br>- Custom security attributes<br>- Filter for apps |
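As an added example for activities 6.1.2 through 6.1.4 (not code from Microsoft or from the DoD roadmap), the following Python builds two policies of a standardized set in the Graph `conditionalAccessPolicy` schema, lints them for the pitfalls the guidance above warns about (no break-glass exclusion, no control enforced, an unconditional block), and posts them to the Conditional Access policies endpoint in report-only mode first. The break-glass group id and bearer token are placeholders, and the built-in phishing-resistant MFA strength id is an assumption to confirm in your tenant.

```python
"""Standardized Conditional Access policy set deployed through Microsoft Graph.

Added example for activities 6.1.2 to 6.1.4, not Microsoft's own code. Bodies follow the
documented conditionalAccessPolicy schema; the group id and token are placeholders.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Built-in authentication strength for phishing-resistant MFA (FIDO2, certificate-based,
# Windows Hello for Business). Assumed id: confirm it in your tenant before relying on it.
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
BREAK_GLASS_GROUP = "<break-glass-group-object-id>"  # placeholder: emergency access accounts

def baseline_policy(name, report_only=True):
    """Enterprise profile: all users, all apps, phishing-resistant MFA on a compliant device."""
    return {
        "displayName": name,
        # Pilot in report-only mode; switch to "enabled" after reviewing the insights workbook.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": ["compliantDevice"],
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
    }

def risk_policy(name, report_only=True):
    """Risk profile: block when Entra ID Protection reports high user or sign-in risk."""
    policy = baseline_policy(name, report_only)
    policy["conditions"]["userRiskLevels"] = ["high"]
    policy["conditions"]["signInRiskLevels"] = ["high"]
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return policy

def lint(policy):
    """Pre-deployment checks; returns findings (an empty list means the policy passes)."""
    findings = []
    cond, grant = policy["conditions"], policy.get("grantControls") or {}
    users, apps = cond["users"], cond["applications"]
    if users.get("includeUsers") == ["All"] and not users.get("excludeGroups"):
        findings.append("all users targeted with no break-glass exclusion")
    if not grant.get("builtInControls") and not grant.get("authenticationStrength"):
        findings.append("grant section enforces no control")
    risk_scoped = cond.get("userRiskLevels") or cond.get("signInRiskLevels")
    if "block" in grant.get("builtInControls", []) and not risk_scoped \
            and apps.get("includeApplications") == ["All"]:
        findings.append("unconditional block of every application")
    return findings

def deploy(policy, token):
    """POST the policy to Graph (needs Policy.ReadWrite.ConditionalAccess); refuses lint failures."""
    problems = lint(policy)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:  # network call; not exercised offline
        return json.load(resp)
```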
6.2 Critical process automation
Microsoft Sentinel automation executes tasks typically performed by Tier-1 security analysts. Automation rules use Azure Logic Apps to help you develop detailed, automated workflows that enhance security operations. For example, enrich incidents by linking to external data sources that help detect malicious activity.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
| **Target 6.2.1 Task Automation Analysis**<br>DoD Organizations identify and enumerate all task activities that can be executed both manually and in an automated fashion. Task activities are organized into automated and manual categories. Manual activities are analyzed for possible retirement.<br>Outcomes:<br>- Automatable tasks are identified<br>- Tasks are enumerated<br>- Policy Inventory and Development | Complete activity 6.1.1.<br>**Azure Resource Manager**<br>Use ARM templates and Azure Blueprints to automate deployments using infrastructure as code (IaC).<br>- ARM templates<br>- Azure Blueprints<br>**Azure Policy**<br>Organize Azure Policy assignments using initiative definitions.<br>- Azure Policy<br>- Initiative definition<br>**Microsoft Defender for Cloud**<br>Deploy Defender for Cloud regulatory standards and benchmarks.<br>- Assign security standards<br>**Microsoft Entra ID Governance**<br>Define access-package catalogs to establish standards for access-package assignments and reviews. Develop identity lifecycle workflows using Azure Logic Apps to automate joiner, mover, leaver, and other automatable tasks.<br>- Entitlement management resources<br>- External user access<br>- Access review deployment<br>- Create lifecycle workflows |
| **Target 6.2.2 Enterprise Integration & Workflow Provisioning Pt1**<br>The DoD enterprise establishes baseline integrations within the Security Orchestration, Automation, and Response solution (SOAR) required to enable target level ZTA functionality. DoD organizations identify integration points and prioritize key ones per the DoD enterprise baseline. Critical integrations occur meeting key services enabling recovery and protection capabilities.<br>Outcomes:<br>- Implement full enterprise integrations<br>- Identify key integrations<br>- Identify recovery and protection requirements | **Microsoft Sentinel**<br>Connect relevant data sources to Sentinel to enable analytics rules. Include connectors for Microsoft 365, Microsoft Defender XDR, Microsoft Entra ID, Microsoft Entra ID Protection, Microsoft Defender for Cloud, Azure Firewall, Azure Resource Manager, Security events with Azure Monitor Agent (AMA), and other API, Syslog, or Common Event Format (CEF) data sources.<br>- Sentinel data connectors<br>- UEBA in Sentinel<br>**Microsoft Defender XDR**<br>Configure integrations of deployed Microsoft Defender XDR components and connect Microsoft Defender XDR to Sentinel.<br>- Connect data from Defender XDR to Sentinel<br>See Microsoft guidance 2.7.2 in Device.<br>Use Defender XDR to hunt for, investigate, alert on, and respond to threats.<br>- Automated investigation and response |
| **Advanced 6.2.3 Enterprise Integration and Workflow Provisioning Pt2**<br>DoD Organizations integrate remaining services to meet baseline requirements and advanced ZTA functionality requirements as appropriate per environment. Service provisioning is integrated and automated into workflows where required meeting ZTA target functionalities.<br>Outcomes:<br>- Services identified<br>- Service provisioning is implemented | **Microsoft Defender XDR**<br>Microsoft Defender XDR protects identities, devices, data, and applications. Use Defender XDR to configure component integrations.<br>- XDR tool setup<br>- Defender XDR remediations<br>**Microsoft Sentinel**<br>Connect new data sources to Sentinel and enable standard and custom analytics rules.<br>- SOAR in Sentinel |
6.3 Machine learning
Microsoft Defender XDR and Microsoft Sentinel use artificial intelligence (AI), machine learning (ML), and threat intelligence to detect and respond to advanced threats. Use integrations of Microsoft Defender XDR, Microsoft Intune, Microsoft Entra ID Protection, and Conditional Access to use risk signals to enforce adaptive access policies.
To learn about the Microsoft security stack and ML, see Preparing for Security Copilot in US Government Clouds.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
| **Target 6.3.1 Implement Data Tagging & Classification ML Tools**<br>DoD Organizations utilize existing Data Tagging and Classification standards and requirements to procure Machine Learning solution(s) as needed. Machine Learning solution(s) is implemented in organizations and existing tagged and classified data repositories are used to establish baselines. Machine learning solution(s) applies data tags in a supervised approach to continually improve analysis.<br>Outcome:<br>- Implemented data tagging and classification tools are integrated with ML tools | **Microsoft Purview**<br>Configure autolabeling in Microsoft Purview for the service side (Microsoft 365) and the client side (Microsoft Office apps), and in Microsoft Purview Data Map.<br>- Sensitivity data labels in Data Map<br>See Microsoft guidance 4.3.4 and 4.3.5 in Data. |
6.4 Artificial intelligence
Microsoft Defender XDR and Microsoft Sentinel use artificial intelligence (AI), machine learning (ML), and threat intelligence to detect and respond to advanced threats. Integrations between Microsoft Defender XDR, Microsoft Intune, Microsoft Entra ID Protection, and Conditional Access help you use risk signals to enforce adaptive access policies.
To learn about the Microsoft security stack and AI, see Preparing for Security Copilot in US Government Clouds.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
| **Advanced 6.4.1 Implement AI automation tools**<br>DoD Organizations identify areas of improvement based on existing machine learning techniques for Artificial Intelligence. AI solutions are identified, procured, and implemented using the identified areas as requirements.<br>Outcomes:<br>- Develop AI tool requirements<br>- Procure and implement AI tools | **Fusion in Microsoft Sentinel**<br>Fusion is an advanced multistage attack detection analytics rule in Sentinel. Fusion is an ML-trained correlation engine that detects multistage attacks, or advanced persistent threats (APTs). It identifies anomalous behaviors and suspicious activities that are otherwise difficult to catch. Incidents are low-volume, high-fidelity, and high-severity.<br>- Advanced multistage attack detection<br>- Customizable anomalies<br>- Anomaly detection analytics rules<br>**Microsoft Entra ID Protection**<br>Identity protection uses machine-learning (ML) algorithms to detect and remediate identity-based risks. Enable Microsoft Entra ID Protection to create Conditional Access policies for user and sign-in risk.<br>- Microsoft Entra ID Protection<br>- Configure and enable risk policies<br>**Azure DDoS Protection**<br>Azure DDoS Protection uses intelligent traffic profiling to learn about application traffic and adjust the profile as traffic changes.<br>- Azure DDoS Protection |
| **Advanced 6.4.2 AI Driven by Analytics decides A&O modifications**<br>DoD Organizations utilizing existing machine learning functions implement and use AI technology such as neural networks to drive automation and orchestration decisions. Decision making is moved to AI as much as possible freeing up human staff for other efforts. Utilizing historical patterns, AI will make anticipatory changes in the environment to better reduce risk.<br>Outcome:<br>- AI is able to make changes to automated workflow activities | **Microsoft Sentinel**<br>Enable analytics rules to detect advanced multistage attacks with Fusion and UEBA anomalies in Microsoft Sentinel. Design automation rules and playbooks for security response.<br>See Microsoft guidance in 6.2.3 and 6.4.1. |
6.5 Security orchestration, automation, and response (SOAR)
Microsoft Defender XDR has detection and response capabilities with standard and customizable detections. Extend the capability by using Microsoft Sentinel analytics rules to trigger security orchestration, automation, and response (SOAR) actions with Azure Logic Apps.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
| **Target 6.5.1 Response Automation Analysis**<br>DoD Organizations identify and enumerate all response activities that are executed both manually and in an automated fashion. Response activities are organized into automated and manual categories. Manual activities are analyzed for possible retirement.<br>Outcome:<br>- Automatable response activities are identified<br>- Response activities are enumerated | **Microsoft Defender XDR**<br>Microsoft Defender XDR has automatic and manual response actions for file and device incidents.<br>- Incidents in Defender XDR |
| **Target 6.5.2 Implement SOAR Tools**<br>DoD enterprise working with Organizations develops a standard set of requirements for security orchestration, automation, and response (SOAR) tooling to enable target level ZTA functions. DoD Organizations use approved requirements to procure and implement SOAR solution. Basic infrastructure integrations for future SOAR functionality is completed.<br>Outcomes:<br>- Develop requirements for SOAR tool<br>- Procure SOAR tool | **Microsoft Defender XDR**<br>Use Microsoft Defender XDR standard response capabilities.<br>See Microsoft guidance 6.5.1.<br>**Microsoft Sentinel**<br>Sentinel uses Azure Logic Apps for SOAR functionality. Use Logic Apps to create and run automated workflows with little to no code, and to connect to and interact with resources outside Microsoft Sentinel.<br>- Playbooks with automation rules<br>- Automate threat response with playbooks |
| **Advanced 6.5.3 Implement Playbooks**<br>DoD organizations review all existing playbooks to identify for future automation. Existing manual and automated processes missing playbooks have playbooks developed. Playbooks are prioritized for automation to be integrated with the Automated Workflows activities covering Critical Processes. Manual processes without playbooks are authorized using a risk based methodical approach.<br>Outcomes:<br>- When possible, automate playbooks based on automated workflows capability<br>- Manual playbooks are developed and implemented | **Microsoft Sentinel**<br>Review current security processes and use best practices in the Microsoft Cloud Adoption Framework (CAF). To extend SOAR capabilities, create and customize playbooks. Start with Sentinel playbook templates.<br>- Security operations<br>- SOC Process Framework<br>- Playbooks from templates |
6.6 API standardization
Microsoft Graph API has a standard interface to interact with Microsoft cloud services. Azure API Management can protect APIs hosted by your organization.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
| **Target 6.6.1 Tool Compliance Analysis**<br>Automation and Orchestration tooling and solutions are analyzed for compliance and capabilities based on the DoD Enterprise programmatic interface standard and requirements. Any more tooling or solutions are identified to support the programmatic interface standards and requirements.<br>Outcomes:<br>- API status is determined compliance or noncompliance to API standards<br>- Tools to be used are Identified | **Microsoft Graph security API**<br>Microsoft Defender, Microsoft Sentinel, and Microsoft Entra have documented APIs.<br>- Security API<br>- Work with Microsoft Graph<br>- Identity protection APIs<br>Follow best practices for APIs developed by your organization.<br>- Application Programming Interface<br>- RESTful web API design |
| **Target 6.6.2 Standardized API Calls and Schemas Pt1**<br>The DoD enterprise works with organizations to establish a programmatic interface (e.g., API) standard and requirements as needed to enable target ZTA functionalities. DoD Organizations update programmatic interfaces to the new standard and mandate newly acquired/developed tools to meet the new standard. Tools unable to meet the standard are allowed by exception using a risk-based methodical approach.<br>Outcomes:<br>- Initial calls and schemas are implemented<br>- Noncompliant tools are replaced | Complete activity 6.6.1.<br>**Azure API Management**<br>Use Azure API Management as an API gateway to communicate with APIs and create a consistent access schema for various APIs.<br>- Azure API Management<br>**Azure Automation tools**<br>Orchestrate Zero Trust actions using Azure Automation tools.<br>- Integration and automation in Azure |
| **Target 6.6.3 Standardized API Calls and Schemas Pt2**<br>DoD organizations complete the migration to the new programmatic interface standard. Tools marked for decommission in the previous activity are retired and functions are migrated to modernized tools. Approved schemas are adopted based on the DoD Enterprise standard/requirements.<br>Outcome:<br>- All calls and schemas are implemented | **Microsoft Sentinel**<br>Use Sentinel as an orchestration engine to trigger and execute actions in the automation tools cited in this document.<br>- Automate threat response with playbooks |
6.7 Security operations center (SOC) and incident response (IR)
Microsoft Sentinel is a case management solution for investigating and managing security incidents. To automate security response actions, connect threat intelligence solutions, deploy Sentinel solutions, enable user and entity behavior analytics (UEBA), and create playbooks with Azure Logic Apps.
To learn how to increase SOC maturity, see Sentinel incident investigation and case management.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
| **Target 6.7.1 Workflow Enrichment Pt1**<br>DoD enterprise works with organizations to establish a cybersecurity incident response standard using industry best practices such as NIST. DoD Organizations utilize the enterprise standard to determine incident response workflows. External sources of enrichment are identified for future integration.<br>Outcomes:<br>- Threat events are identified<br>- Workflows for threat events are developed | **Microsoft Sentinel data connectors**<br>Enrich Sentinel workflows by connecting Microsoft Defender Threat Intelligence to Sentinel.<br>- Data connector for Defender Threat Intelligence<br>**Microsoft Sentinel solutions**<br>Use Sentinel solutions to review industry best practices.<br>- NIST 800-53 solution<br>- CMMC 2.0 solution<br>- DoD ZT Sentinel workbooks<br>- Sentinel content and solutions |
| **Target 6.7.2 Workflow Enrichment Pt2**<br>DoD organizations identify and establish extended workflows for additional incident response types. Initial enrichment data sources are used for existing workflows. Additional enrichment sources are identified for future integrations.<br>Outcomes:<br>- Workflows for Advanced threat events are developed<br>- Advanced Threat events are identified | **Microsoft Sentinel**<br>Use advanced multistage attack detection in Fusion, and UEBA anomaly detection analytics rules, in Microsoft Sentinel to trigger automated security response playbooks.<br>See Microsoft guidance 6.2.3 and 6.4.1 in this section.<br>To enrich Sentinel workflows, connect Microsoft Defender Threat Intelligence and other threat intelligence platform solutions to Microsoft Sentinel.<br>- Connect threat intelligence platforms to Sentinel<br>- Connect Sentinel to STIX/TAXII threat intelligence feeds<br>See Microsoft guidance 6.7.1. |
| **Advanced 6.7.3 Workflow Enrichment Pt3**<br>DoD organizations use final enrichment data sources on basic and extended threat response workflows.<br>Outcomes:<br>- Enrichment data has been identified<br>- Enrichment data is integrated into workflows | **Microsoft Sentinel**<br>Add entities to improve threat intelligence results in Sentinel. Enrich investigation workflows and manage incidents in Sentinel.<br>- Tasks to manage incidents in Sentinel<br>- Enrich entities with geolocation data |
| **Advanced 6.7.4 Automated Workflow**<br>DoD organizations focus on automating Security Orchestration, Automation, and Response (SOAR) functions and playbooks. Manual processes within security operations are identified and fully automated as possible. Remaining manual processes are decommissioned when possible or marked for exception using a risk based approach.<br>Outcomes:<br>- Workflow processes are fully automated<br>- Manual Processes have been identified<br>- Remaining Processes are marked as exceptions and documented | **Microsoft Sentinel playbooks**<br>Sentinel playbooks are based on Logic Apps, a cloud service that schedules, automates, and orchestrates tasks and workflows across enterprise systems. Build response playbooks with templates and deploy solutions from the Sentinel content hub. Build custom analytics rules and response actions with Azure Logic Apps.<br>- Sentinel playbooks from templates<br>- Automate threat response with playbooks<br>- Sentinel content hub catalog<br>- Azure Logic Apps |
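The enrichment step that 6.7.2 and 6.7.3 describe, as an added Python example that is not Microsoft's code: indicators from a STIX 2.1 bundle (the format a STIX/TAXII feed delivers) are indexed and matched against the entities of a Sentinel incident, and the result is reduced to a decision an automation rule or playbook can act on. The bundle and the incident entities are constructed; the entity shape (`kind` plus `properties`) is assumed to follow the Sentinel incident entities API, and only single equality patterns are matched, with compound patterns deliberately skipped.

```python
"""Enrich Sentinel incident entities with STIX 2.1 indicators (added example, not Microsoft code;
bundle and entities are constructed, entity kind/properties shape assumed from the Sentinel API).
"""
import re

# Constructed STIX 2.1 bundle of the kind a TAXII collection returns.
STIX_BUNDLE = {"type": "bundle", "objects": [
    {"type": "indicator", "id": "indicator--a1", "confidence": 85, "pattern_type": "stix",
     "labels": ["malicious-activity"], "pattern": "[ipv4-addr:value = '198.51.100.23']"},
    {"type": "indicator", "id": "indicator--b2", "confidence": 40, "pattern_type": "stix",
     "labels": ["anomalous-activity"], "pattern": "[domain-name:value = 'update.example.net']"},
    {"type": "indicator", "id": "indicator--c3", "confidence": 90, "pattern_type": "stix",
     "labels": ["malicious-activity"],
     "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    {"type": "indicator", "id": "indicator--d4", "confidence": 70, "pattern_type": "stix",
     "labels": ["malicious-activity"],  # compound pattern; needs a full STIX pattern engine
     "pattern": "[ipv4-addr:value = '203.0.113.9' AND network-traffic:dst_port = 4444]"},
]}

# Constructed incident entities in Sentinel's kind/properties shape (mixed case on purpose).
INCIDENT_ENTITIES = [
    {"kind": "Ip", "properties": {"address": "198.51.100.23"}},
    {"kind": "Ip", "properties": {"address": "203.0.113.9"}},
    {"kind": "DnsResolution", "properties": {"domainName": "Update.Example.NET"}},
    {"kind": "FileHash", "properties": {"algorithm": "SHA256",
     "hashValue": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}},
]

# Only a single equality comparison is handled, e.g. [ipv4-addr:value = '1.2.3.4'].
_SIMPLE = re.compile(r"^\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]$")
_PATH_TO_ENTITY = {  # STIX object path -> (Sentinel entity kind, property holding the value)
    "ipv4-addr:value": ("Ip", "address"),
    "domain-name:value": ("DnsResolution", "domainName"),
    "file:hashes.'SHA-256'": ("FileHash", "hashValue"),
}

def parse_indicators(bundle):
    """Index supported indicators as {(entity kind, lower-cased value): indicator object}."""
    index = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        match = _SIMPLE.match(obj.get("pattern", ""))
        if not match or match.group(1) not in _PATH_TO_ENTITY:
            continue  # compound or unsupported pattern: skip rather than risk a false match
        index[(_PATH_TO_ENTITY[match.group(1)][0], match.group(2).lower())] = obj
    return index

def enrich(entities, index):
    """Return copies of the entities with a tiMatch property where an indicator matches."""
    enriched = []
    for entity in entities:
        props = dict(entity.get("properties", {}))
        hit = next((index.get((kind, str(props[field]).lower()))
                    for kind, field in _PATH_TO_ENTITY.values()
                    if entity.get("kind") == kind and field in props), None)
        if hit:
            props["tiMatch"] = {"indicator": hit["id"], "confidence": hit.get("confidence", 0)}
        enriched.append({"kind": entity.get("kind"), "properties": props})
    return enriched

def triage(entities, index, escalate_at=80):
    """Decision an automation rule can act on: ('escalate' | 'tag' | 'none', match count)."""
    hits = [e["properties"]["tiMatch"] for e in enrich(entities, index) if "tiMatch" in e["properties"]]
    if any(h["confidence"] >= escalate_at for h in hits):
        return "escalate", len(hits)
    return ("tag" if hits else "none"), len(hits)
```

In a playbook the enriched entities would be written back as incident comments or tags, and the triage result would select the automation rule branch; both calls are left to the Logic App.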
Next steps
Configure Microsoft cloud services for the DoD Zero Trust Strategy:
- Introduction
- User
- Device
- Applications and workloads
- Data
- Network
- Automation and orchestration
- Visibility and analytics