DoD Zero Trust Strategy for the automation and orchestration pillar

The DoD Zero Trust Strategy and Roadmap outlines a path for Department of Defense components and Defense Industrial Base (DIB) partners to adopt a new cybersecurity framework based on Zero Trust principles. Zero Trust eliminates traditional perimeters and trust assumptions, enabling a more efficient architecture that enhances security, user experiences, and mission performance.

This guide has recommendations for the 152 Zero Trust activities in the DoD Zero Trust Capability Execution Roadmap. The sections correspond with the seven pillars of the DoD Zero Trust model.

6 Automation and orchestration

This section has Microsoft guidance and recommendations for DoD Zero Trust activities in the automation and orchestration pillar. To learn more, see visibility, automation, and orchestration with Zero Trust.

6.1 Policy decision point (PDP) and policy orchestration

Microsoft Sentinel provides security orchestration, automation, and response (SOAR) through cloud-based resources. Use it to automate the detection of, and response to, cyberattacks. Sentinel integrates with Microsoft Entra ID, Microsoft Defender XDR, Microsoft 365, Azure, and non-Microsoft platforms. These extensible integrations let Sentinel coordinate detection and response actions across platforms, increasing the effectiveness and efficiency of security operations.

DoD Activity | Description and Outcome | Microsoft guidance and recommendations
Target 6.1.1 Policy Inventory & Development
The DoD enterprise works with the Organizations to catalog and inventory existing Cyber Security policies and standards. Policies are updated and created in cross pillar activities as needed to meet critical ZT Target functionality.

Outcomes:
- Policies have been collected in reference to applicable compliance and risk (e.g. RMF, NIST)
- Policies have been reviewed for missing Pillars and Capabilities per the ZTRA
- Missing areas of policies are updated to meet the capabilities per ZTRA
Microsoft Purview Compliance Manager
Use Microsoft Purview Compliance Manager to assess and manage compliance in a multicloud environment.
- Compliance Manager
- Azure, Dynamics 365, Microsoft Purview
- Multicloud support

Microsoft Defender for Cloud
Use Defender for Cloud regulatory compliance features to view and improve compliance with Azure Policy initiatives in a multicloud environment.
- Improve regulatory compliance
- FedRAMP High Regulatory Compliance
- NIST SP 800-53 Rev. 5 Regulatory Compliance
- CMMC Regulatory Compliance

Microsoft Sentinel
The Sentinel content hub has solutions to visualize and measure progress with domain-specific security requirements.
- Sentinel content hub catalog
- DoD ZT Sentinel workbook
- NIST SP 800-53 solution

Target 6.1.2 Organization Access Profile
DoD Organizations develop basic access profiles for mission/task and non-mission/task DAAS access using the data from the User, Data, Network, and device pillars. The DoD Enterprise works with the Organizations to develop an Enterprise Security Profile using the existing Organizational security profiles to create a common access approach to DAAS. A phased approach can be used in organizations to limit risk to mission/task critical DAAS access once the security profile(s) are created.

Outcomes:
- Organization scoped profile(s) are created to determine access to DAAS using capabilities from User, Data, Network, and Device pillars
- Initial enterprise profile access standard is developed for access to DAAS
- When possible the organization profile(s) utilizes enterprise available services in the User, Data, Network, and Device pillars

Conditional Access
Define standardized DoD policy sets with Conditional Access. Include authentication strength, device compliance, and user-risk and sign-in-risk controls.
- Conditional Access
Target 6.1.3 Enterprise Security Profile Pt1
The Enterprise Security profile covers the User, Data, Network, and Device pillars initially. Existing Organizational Security Profiles are integrated for non-mission/task DAAS access following.

Outcomes:
- Enterprise Profile(s) are created to access DAAS using capabilities from User, Data, Network, and Device Pillars
- Non-mission/task critical organization profile(s) are integrated with the enterprise profile(s) using a standardized approach
Complete activity 6.1.2.

Microsoft Graph API
Use Microsoft Graph API to manage and deploy Conditional Access policies, cross-tenant access settings, and other Microsoft Entra configuration settings.
- Programmatic access
- Cross-tenant access settings API
- Graph features and services

Advanced 6.1.4 Enterprise Security Profile Pt2
The minimum number of Enterprise Security Profile(s) exist granting access to the widest range of DAAS across Pillars within the DoD Organizations. Mission/task organization profiles are integrated with the Enterprise Security Profile(s) and exceptions are managed in a risk based methodical approach.

Outcomes:
- Enterprise Profile(s) have been reduced and simplified to support widest array of access to DAAS
- Where appropriate Mission/Task Critical profile(s) have been integrated and supported Organization profiles are considered the exception
Conditional Access
Use the Conditional Access insights and reporting workbook to see how Conditional Access policies affect your organization. Where possible, combine policies. A simplified policy set is easier to manage and troubleshoot, and makes it easier to pilot new Conditional Access features. Use Conditional Access templates to build simpler policies.
- Insights and reports
- Templates

Use the What If tool and report-only mode to troubleshoot and evaluate new policies.
- Troubleshoot Conditional Access
- Report-only mode

Reduce your organization's dependence on trusted network locations. Use country locations determined by GPS coordinates or IP address to simplify location conditions in Conditional Access policies.
- Location conditions

Custom security attributes
Use custom security attributes and application filters in Conditional Access policies to scope a policy to application objects by the security attributes assigned to them, such as a sensitivity attribute.
- Custom security attributes
- Filter for apps
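The following is an added example, not code from the page or from Microsoft, that shows what a standardized Conditional Access policy set from activities 6.1.2 through 6.1.4 looks like as Microsoft Graph request bodies, with the new policies created in report-only mode and a linter that catches the mistakes that most often break or lock out a tenant. The group object IDs, policy names and owner are constructed placeholders, the built-in authentication strength ID is an assumption to confirm in your tenant, and nothing in the block sends a request.

```python
"""Standardized Conditional Access policy set as Microsoft Graph request bodies.

Added example, not Microsoft's code. Assumptions (not from the page): the group
object IDs and policy names are constructed placeholders; the body shape follows
the documented conditionalAccessPolicy resource, but nothing here sends a request.
"""
import json

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Constructed placeholder object IDs; replace with real group IDs from your tenant.
ALL_STAFF_GROUP = "11111111-1111-1111-1111-111111111111"
BREAK_GLASS_GROUP = "22222222-2222-2222-2222-222222222222"
# Built-in "Phishing-resistant MFA" authentication strength ID (assumed; confirm it
# under Authentication methods > Authentication strengths in your tenant).
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"

REPORT_ONLY = "enabledForReportingButNotEnforced"
VALID_STATES = {REPORT_ONLY, "enabled", "disabled"}


def policy(display_name, conditions, grant_controls, state=REPORT_ONLY):
    """Build one conditionalAccessPolicy body. New policies default to report-only
    so their effect is measured with the insights workbook before enforcement."""
    body = {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeGroups": [ALL_STAFF_GROUP],
                      "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": grant_controls,
    }
    body["conditions"].update(conditions)   # caller-specific overrides win
    return body


def standard_policy_set():
    """Minimal standardized set. Conditions inside one policy are ANDed, so the
    two risk blocks are separate policies rather than one combined policy."""
    return [
        policy("CA-001 Require phishing-resistant MFA", {},
               {"operator": "AND",
                "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}}),
        policy("CA-002 Require compliant device", {},
               {"operator": "AND", "builtInControls": ["compliantDevice"]}),
        policy("CA-003 Block high user risk",
               {"userRiskLevels": ["high"]},
               {"operator": "OR", "builtInControls": ["block"]}),
        policy("CA-004 Block high sign-in risk",
               {"signInRiskLevels": ["high"]},
               {"operator": "OR", "builtInControls": ["block"]}),
    ]


def lint(body):
    """Return findings that would make a policy unsafe or rejected by Graph."""
    findings = []
    conds = body.get("conditions", {})
    users = conds.get("users", {})
    grant = body.get("grantControls") or {}
    built_in = grant.get("builtInControls", [])
    if body.get("state") not in VALID_STATES:
        findings.append("state must be report-only, enabled or disabled")
    if BREAK_GLASS_GROUP not in users.get("excludeGroups", []):
        findings.append("break-glass group is not excluded")
    if not (users.get("includeUsers") or users.get("includeGroups")):
        findings.append("no user scope")
    if not conds.get("applications", {}).get("includeApplications"):
        findings.append("no application scope")
    if "authenticationStrength" in grant and "mfa" in built_in:
        findings.append("authenticationStrength and the mfa built-in control are mutually exclusive")
    if "block" in built_in and len(built_in) > 1:
        findings.append("block cannot be combined with other grant controls")
    return findings


def lint_policy_set(policies):
    return {p["displayName"]: lint(p) for p in policies}


def graph_requests(policies):
    """Render the POST requests a deployment script would send (not sent here)."""
    return [("POST", GRAPH_CA_POLICIES, json.dumps(p)) for p in policies]


if __name__ == "__main__":
    for name, findings in lint_policy_set(standard_policy_set()).items():
        print(name, "->", findings or "ok")
```

Run the linter over every policy before it is posted, leave each policy in report-only until the insights workbook shows the expected sign-in counts, and only then change `state` to `enabled`.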

6.2 Critical process automation

Microsoft Sentinel automation executes tasks typically performed by Tier-1 security analysts. Automation rules use Azure Logic Apps to help you develop detailed, automated workflows that enhance security operations. For example, incident enrichment links incidents to external data sources to help detect malicious activity.
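To make the automation-rule model concrete, the following is an added illustration, not Microsoft Sentinel code: a small pipeline in which ordered rules match incidents on severity and MITRE tactic and run actions, with the first action enriching incident IPs against a threat-intelligence set and raising severity on a hit. The rule set, the incidents, the indicator set and the owner mailbox are constructed for the example; in Sentinel the same structure is an automation rule's conditions and actions plus a Logic Apps playbook that queries a real enrichment source.

```python
"""Model of a Sentinel-style automation rule pipeline for Tier-1 triage.

Added illustration, not Microsoft Sentinel code. Rules, incidents, indicators
and the owner mailbox are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# Constructed indicators standing in for an external threat-intelligence source.
TI_INDICATORS = {
    "203.0.113.45": "known command-and-control node",
    "198.51.100.7": "credential-phishing host",
}
# Constructed allowlist of hosts authorized to run vulnerability scans.
AUTHORIZED_SCANNERS = {"192.0.2.10"}
SEVERITY_ORDER = ["Informational", "Low", "Medium", "High"]


@dataclass
class Incident:
    title: str
    severity: str
    tactics: List[str]
    ips: List[str]
    tags: List[str] = field(default_factory=list)
    owner: Optional[str] = None
    status: str = "New"
    comments: List[str] = field(default_factory=list)


@dataclass
class AutomationRule:
    name: str
    order: int                               # rules run in ascending order
    severity_in: Set[str]                    # empty set = any severity
    tactic_in: Set[str]                      # empty set = any tactic
    actions: List[Callable[[Incident], None]]

    def matches(self, inc: Incident) -> bool:
        if self.severity_in and inc.severity not in self.severity_in:
            return False
        if self.tactic_in and not (self.tactic_in & set(inc.tactics)):
            return False
        return True


def enrich_with_ti(inc: Incident) -> None:
    """Playbook step: look up incident IPs against TI and escalate on a hit."""
    hits = {ip: TI_INDICATORS[ip] for ip in inc.ips if ip in TI_INDICATORS}
    if not hits:
        return
    inc.tags.append("ti-match")
    inc.comments.append("TI hits: " + "; ".join(f"{ip} ({why})" for ip, why in hits.items()))
    if SEVERITY_ORDER.index(inc.severity) < SEVERITY_ORDER.index("High"):
        inc.severity = "High"


def assign_tier1(inc: Incident) -> None:
    inc.owner = "soc-tier1@example.mil"      # constructed owner mailbox


def close_authorized_scan(inc: Incident) -> None:
    """Close only when every source IP is an authorized scanner."""
    if inc.ips and set(inc.ips) <= AUTHORIZED_SCANNERS:
        inc.status = "Closed"
        inc.comments.append("Auto-closed: authorized vulnerability scanner")


# Enrichment runs first on purpose: a TI hit raises severity to High, which makes
# the Tier-1 assignment rule match and keeps the auto-close rule from matching.
STANDARD_RULES = [
    AutomationRule("Enrich with threat intelligence", 1, set(), set(), [enrich_with_ti]),
    AutomationRule("Assign High severity to Tier 1", 2, {"High"}, set(), [assign_tier1]),
    AutomationRule("Auto-close authorized scanner", 3, {"Informational"}, {"Discovery"},
                   [close_authorized_scan]),
]


def run_rules(rules: List[AutomationRule], inc: Incident) -> List[str]:
    """Apply matching rules in order; return the names of the rules that fired."""
    fired = []
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.matches(inc):
            for action in rule.actions:
                action(inc)
            fired.append(rule.name)
    return fired


def demo() -> List[Incident]:
    incidents = [
        Incident("Sign-in from anonymous IP", "Medium", ["InitialAccess"], ["203.0.113.45"]),
        Incident("Port scan from internal host", "Informational", ["Discovery"], ["192.0.2.10"]),
    ]
    for inc in incidents:
        fired = run_rules(STANDARD_RULES, inc)
        print(f"{inc.title}: severity={inc.severity} status={inc.status} "
              f"owner={inc.owner} rules={fired}")
    return incidents


if __name__ == "__main__":
    demo()
```

The order field is the part worth copying into real automation rules: enrichment must run before any rule that assigns, escalates or closes, otherwise a scanner incident that also carries a TI-listed IP would be closed before anyone saw the hit.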

DoD Activity | Description and Outcome | Microsoft guidance and recommendations
Target 6.2.1 Task Automation Analysis
DoD Organizations identify and enumerate all task activities that can be executed both manually and in an automated fashion. Task activities are organized into automated and manual categories. Manual activities are analyzed for possible retirement.

Outcomes:
- Automatable tasks are identified
- Tasks are enumerated
- Policy Inventory and Development
Complete activity 6.1.1.

Azure Resource Manager
Use ARM templates and Azure Blueprints to automate deployments using infrastructure-as-code (IaC).
- ARM templates
- Azure Blueprints

Azure Policy
Organize Azure Policy assignments using its initiative definitions.
- Azure Policy
- Initiative definition

Microsoft Defender for Cloud
Deploy Defender for Cloud regulatory standards and benchmarks.
- Assign security standards

Microsoft Entra ID Governance
Define access-package catalogs to establish standards for access-package assignments and reviews. Develop identity lifecycle workflows using Azure Logic Apps to automate joiner, mover, leaver, and other automatable tasks.
- Entitlement management resources
- External user access
- Access review deployment
- Create lifecycle workflows

Target 6.2.2 Enterprise Integration & Workflow Provisioning Pt1
The DoD enterprise establishes baseline integrations within the Security Orchestration, Automation, and Response solution (SOAR) required to enable target level ZTA functionality. DoD organizations identify integration points and prioritize key ones per the DoD enterprise baseline. Critical integrations occur meeting key services enabling recovery and protection capabilities.

Outcomes:
- Implement full enterprise integrations
- Identify key integrations
- Identify recovery and protection requirements
Microsoft Sentinel
Connect relevant data sources to Sentinel to enable analytics rules. Include connectors for Microsoft 365, Microsoft Defender XDR, Microsoft Entra ID, Microsoft Entra ID Protection, Microsoft Defender for Cloud, Azure Firewall, Azure Resource Manager, Security events with Azure Monitor Agent (AMA), and other API, Syslog, or Common Event Format (CEF) data sources.
- Sentinel data connectors
- UEBA in Sentinel

Microsoft Defender XDR
Configure integrations of deployed Microsoft Defender XDR components and connect Microsoft Defender XDR to Sentinel.
- Connect data from Defender XDR to Sentinel

See Microsoft guidance 2.7.2 in Device.

Use Defender XDR to hunt for, investigate, alert on, and respond to threats.
- Automated investigation and response

Advanced 6.2.3 Enterprise Integration and Workflow Provisioning Pt2
DoD Organizations integrate remaining services to meet baseline requirements and advanced ZTA functionality requirements as appropriate per environment. Service provisioning is integrated and automated into workflows where required meeting ZTA target functionalities.

Outcomes:
- Services identified
- Service provisioning is implemented

Microsoft Defender XDR
Microsoft Defender XDR protects identities, devices, data, and applications. Use Defender XDR to configure component integrations.
- XDR tool setup
- Defender XDR remediations

Microsoft Sentinel
Connect new data sources to Sentinel and enable standard and custom analytics rules.
- SOAR in Sentinel

6.3 Machine learning

Microsoft Defender XDR and Microsoft Sentinel use artificial intelligence (AI), machine learning (ML), and threat intelligence to detect and respond to advanced threats. Use integrations of Microsoft Defender XDR, Microsoft Intune, Microsoft Entra ID Protection, and Conditional Access to use risk signals to enforce adaptive access policies.

To learn about the Microsoft security stack and ML, see Preparing for Security Copilot in US Government Clouds.

DoD Activity | Description and Outcome | Microsoft guidance and recommendations
Target 6.3.1 Implement Data Tagging & Classification ML Tools
DoD Organizations utilize existing Data Tagging and Classification standards and requirements to procure Machine Learning solution(s) as needed. Machine Learning solution(s) is implemented in organizations and existing tagged and classified data repositories are used to establish baselines. Machine learning solution(s) applies data tags in a supervised approach to continually improve analysis.

Outcome:
- Implemented data tagging and classification tools are integrated with ML tools

Microsoft Purview
Configure autolabeling in Microsoft Purview for service side (Microsoft 365) and client side (Microsoft Office apps), and in Microsoft Purview Data Map.
- Sensitivity data labels in Data Map

See Microsoft guidance 4.3.4 and 4.3.5 in Data.

6.4 Artificial intelligence

Microsoft Defender XDR and Microsoft Sentinel use artificial intelligence (AI), machine learning (ML), and threat intelligence to detect and respond to advanced threats. Integrations between Microsoft Defender XDR, Microsoft Intune, Microsoft Entra ID Protection, and Conditional Access help you use risk signals to enforce adaptive access policies.

To learn about the Microsoft security stack and AI, see Preparing for Security Copilot in US Government Clouds.

DoD Activity | Description and Outcome | Microsoft guidance and recommendations
Advanced 6.4.1 Implement AI automation tools
DoD Organizations identify areas of improvement based on existing machine learning techniques for Artificial Intelligence. AI solutions are identified, procured, and implemented using the identified areas as requirements.

Outcomes:
- Develop AI tool requirements
- Procure and implement AI tools
Fusion in Microsoft Sentinel
Fusion is an advanced multistage attack detection analytics rule in Sentinel. Fusion is an ML-trained correlation engine that detects multistage attacks, or advanced persistent threats (APTs). It identifies anomalous behaviors and suspicious activities otherwise difficult to catch. Incidents are low-volume, high-fidelity, and high-severity.
- Advanced multistage attack detection
- Customizable anomalies
- Anomaly detection analytics rules

Microsoft Entra ID Protection
Identity protection uses machine-learning (ML) algorithms to detect and remediate identity-based risks. Enable Microsoft Entra ID Protection to create Conditional Access policies for user and sign-in risk.
- Microsoft Entra ID Protection
- Configure and enable risk policies

Azure DDoS Protection
Azure DDoS Protection uses intelligent traffic profiling to learn about application traffic and adjust the profile as traffic changes.
- Azure DDoS Protection

Advanced 6.4.2 AI Driven by Analytics decides A&O modifications
DoD Organizations utilizing existing machine learning functions implement and use AI technology such as neural networks to drive automation and orchestration decisions. Decision making is moved to AI as much as possible freeing up human staff for other efforts. Utilizing historical patterns, AI will make anticipatory changes in the environment to better reduce risk.

Outcome:
- AI is able to make changes to automated workflow activities

Microsoft Sentinel
Enable analytic rules to detect advanced multistage attacks with Fusion and UEBA anomalies in Microsoft Sentinel. Design automation rules and playbooks for security response.

See Microsoft guidance in 6.2.3 and 6.4.1.

6.5 Security orchestration, automation, and response (SOAR)

Microsoft Defender XDR has detection and response capabilities with standard and customizable detections. Extend the capability by using Microsoft Sentinel analytics rules to trigger security orchestration, automation, and response (SOAR) actions with Azure Logic Apps.

DoD Activity | Description and Outcome | Microsoft guidance and recommendations
Target 6.5.1 Response Automation Analysis
DoD Organizations identify and enumerate all response activities that are executed both manually and in an automated fashion. Response activities are organized into automated and manual categories. Manual activities are analyzed for possible retirement.

Outcome:
- Automatable response activities are identified
- Response activities are enumerated

Microsoft Defender XDR
Microsoft Defender XDR has automatic and manual response actions for file and device incidents.
- Incidents in Defender XDR
Target 6.5.2 Implement SOAR Tools
DoD enterprise working with Organizations develops a standard set of requirements for security orchestration, automation, and response (SOAR) tooling to enable target level ZTA functions. DoD Organizations use approved requirements to procure and implement a SOAR solution. Basic infrastructure integrations for future SOAR functionality are completed.

Outcomes:
- Develop requirements for SOAR tool
- Procure SOAR tool
Microsoft Defender XDR
Use Microsoft Defender XDR standard response capabilities.

See Microsoft guidance 6.5.1.

Microsoft Sentinel
Sentinel uses Azure Logic Apps for SOAR functionality. Use Logic Apps to create and run automated workflows with little to no code. Use Logic Apps to connect to and interact with resources outside Microsoft Sentinel.
- Playbooks with automation rules
- Automate threat response with playbooks

Advanced 6.5.3 Implement Playbooks
DoD organizations review all existing playbooks to identify for future automation. Existing manual and automated processes missing playbooks have playbooks developed. Playbooks are prioritized for automation to be integrated with the Automated Workflows activities covering Critical Processes. Manual processes without playbooks are authorized using a risk based methodical approach.

Outcomes:
- When possible, automate playbooks based on automated workflows capability
- Manual playbooks are developed and implemented

Microsoft Sentinel
Review current security processes and use best practices in the Microsoft Cloud Adoption Framework (CAF). To extend SOAR capabilities, create and customize playbooks. Start with Sentinel playbook templates.
- Security operations
- SOC Process Framework
- Playbooks from templates

6.6 API standardization

Microsoft Graph API has a standard interface to interact with Microsoft cloud services. Azure API Management can protect APIs hosted by your organization.

DoD Activity | Description and Outcome | Microsoft guidance and recommendations
Target 6.6.1 Tool Compliance Analysis
Automation and Orchestration tooling and solutions are analyzed for compliance and capabilities based on the DoD Enterprise programmatic interface standard and requirements. Additional tooling or solutions are identified to support the programmatic interface standards and requirements.

Outcomes:
- API status is determined compliance or noncompliance to API standards
- Tools to be used are Identified
Microsoft Graph security API
Microsoft Defender, Microsoft Sentinel, and Microsoft Entra have documented APIs.
- Security API
- Work with Microsoft Graph
- Identity protection APIs

Follow best practices for APIs developed by your organization.
- Application Programming Interface
- RESTful web API design

Target 6.6.2 Standardized API Calls and Schemas Pt1
The DoD enterprise works with organizations to establish a programmatic interface (e.g., API) standard and requirements as needed to enable target ZTA functionalities. DoD Organizations update programmatic interfaces to the new standard and mandate newly acquired/developed tools to meet the new standard. Tools unable to meet the standard are allowed by exception using a risk-based methodical approach.

Outcomes:
- Initial calls and schemas are implemented
- Noncompliant tools are replaced
Complete activity 6.6.1.

Azure API Management
Use Azure API Management as an API gateway to communicate with APIs and create a consistent access schema for various APIs.
- Azure API Management

Azure Automation tools
Orchestrate Zero Trust actions using Azure Automation tools.
- Integration and automation in Azure

Target 6.6.3 Standardized API Calls and Schemas Pt2
DoD organizations complete the migration to the new programmatic interface standard. Tools marked for decommission in the previous activity are retired and functions are migrated to modernized tools. Approved schemas are adopted based on the DoD Enterprise standard/requirements.

Outcome:
- All calls and schemas are implemented

Microsoft Sentinel
Use Sentinel as an orchestration engine to trigger and execute actions in automation tools cited in this document.
- Automate threat response with playbooks

6.7 Security operations center (SOC) and incident response (IR)

Microsoft Sentinel is a case management solution for investigating and managing security incidents. To automate security response actions, connect threat intelligence solutions, deploy Sentinel solutions, enable user and entity behavior analytics (UEBA), and create playbooks with Azure Logic Apps.

To learn how to increase SOC maturity, see Sentinel incident investigation and case management.

DoD Activity | Description and Outcome | Microsoft guidance and recommendations
Target 6.7.1 Workflow Enrichment Pt1
DoD enterprise works with organizations to establish a cybersecurity incident response standard using industry best practices such as NIST. DoD Organizations utilize the enterprise standard to determine incident response workflows. External sources of enrichment are identified for future integration.

Outcomes:
- Threat events are identified
- Workflows for threat events are developed
Microsoft Sentinel data connectors
Enrich Sentinel workflows by connecting Microsoft Defender Threat Intelligence to Sentinel.
- Data connector for Defender Threat Intelligence

Microsoft Sentinel solutions
Use Sentinel solutions to review industry best practices.
- NIST 800-53 solution
- CMMC 2.0 solution
- DoD ZT Sentinel workbooks
- Sentinel content and solutions

Target 6.7.2 Workflow Enrichment Pt2
DoD organizations identify and establish extended workflows for additional incident response types. Initial enrichment data sources are used for existing workflows. Additional enrichment sources are identified for future integrations.

Outcomes:
- Workflows for Advanced threat events are developed
- Advanced Threat events are identified
Microsoft Sentinel
Use advanced multistage attack detection in Fusion, and UEBA anomaly detection analytics rules, in Microsoft Sentinel to trigger automated security response playbooks.

See Microsoft guidance 6.2.3 and 6.4.1 in this section.

To enrich Sentinel workflows, connect Microsoft Defender Threat Intelligence and other threat intelligence platform (TIP) solutions to Microsoft Sentinel.
- Connect threat intelligence platforms to Sentinel
- Connect Sentinel to STIX/TAXII threat intelligence feeds

See Microsoft guidance 6.7.1.
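What the STIX/TAXII connector does with a feed is easier to reason about with a worked example. The following is an added example, not code from the page or from Microsoft: it flattens a STIX 2.1 indicator bundle into one record per observable (the shape Sentinel stores as threat indicators), drops indicators whose `valid_until` has passed, and uses the remaining records to enrich incident entities. The bundle, its IDs and values, and the entity list are constructed; a real deployment receives the bundle from a TAXII collection and writes indicators through the Sentinel connector rather than parsing them by hand.

```python
"""Parse a STIX 2.1 indicator bundle into Sentinel-style threat indicators and
use them to enrich incident entities.

Added example, not Microsoft's code. The bundle, its identifiers and values,
and the entity list are constructed for the example.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# One comparison inside a STIX pattern, e.g. ipv4-addr:value = '203.0.113.45'
COMPARISON = re.compile(r"(?P<type>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'")

# Constructed STIX 2.1 bundle: one active IP, one expired domain pair, one file hash.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a1",
         "pattern": "[ipv4-addr:value = '203.0.113.45']", "pattern_type": "stix",
         "indicator_types": ["malicious-activity"], "confidence": 85,
         "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2030-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a2",
         "pattern": "[domain-name:value = 'login-portal.example' OR "
                    "domain-name:value = 'sso-check.example']",
         "pattern_type": "stix", "indicator_types": ["malicious-activity"],
         "valid_from": "2023-01-01T00:00:00Z", "valid_until": "2023-06-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a3",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']", "pattern_type": "stix",
         "indicator_types": ["malicious-activity"], "valid_from": "2024-05-01T00:00:00Z"},
        {"type": "identity", "id": "identity--00000000-0000-4000-8000-0000000000b1",
         "name": "constructed feed"},
    ],
}


def _ts(value: Optional[str]) -> Optional[datetime]:
    """STIX timestamps end in 'Z'; fromisoformat needs an explicit offset."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_stix_bundle(bundle: dict) -> List[dict]:
    """Flatten each indicator pattern into one record per observable comparison.
    Non-indicator objects and non-STIX pattern types are skipped."""
    records = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for m in COMPARISON.finditer(obj["pattern"]):
            records.append({
                "indicator_id": obj["id"],
                "observable_type": m["type"],      # ipv4-addr, domain-name, file, ...
                "property": m["prop"],             # value, hashes.'SHA-256', ...
                "value": m["value"],
                "confidence": obj.get("confidence"),   # None when the feed omits it
                "valid_until": _ts(obj.get("valid_until")),
                "indicator_types": obj.get("indicator_types", []),
            })
    return records


def active_indicators(records: List[dict], now_iso: str) -> List[dict]:
    """Drop indicators whose valid_until has passed; no valid_until means still active."""
    now = _ts(now_iso)
    return [r for r in records if r["valid_until"] is None or r["valid_until"] > now]


def enrich_entities(records: List[dict], entities: List[Tuple[str, str]]) -> Dict[str, dict]:
    """Map each (observable_type, value) incident entity that matches an indicator
    to the matching record, keyed by the entity value."""
    index = {(r["observable_type"], r["value"]): r for r in records}
    return {value: index[(etype, value)]
            for etype, value in entities if (etype, value) in index}


if __name__ == "__main__":
    live = active_indicators(parse_stix_bundle(SAMPLE_BUNDLE), "2025-01-01T00:00:00Z")
    hits = enrich_entities(live, [("ipv4-addr", "203.0.113.45"), ("ipv4-addr", "192.0.2.1")])
    for value, rec in hits.items():
        print(value, rec["indicator_id"], rec["confidence"])
```

Expiry handling is the part that matters operationally: indicators without `valid_until` never age out on their own, so a feed that omits it needs a retention policy on the Sentinel side, and an expired indicator should stop producing matches even though its record may still exist in the table.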

Advanced 6.7.3 Workflow Enrichment Pt3
DoD organizations use final enrichment data sources on basic and extended threat response workflows.

Outcomes:
- Enrichment data has been identified
- Enrichment data is integrated into workflows

Microsoft Sentinel
Enrich investigation workflows, add entities to improve threat intelligence results, and manage incidents in Sentinel.
- Tasks to manage incidents in Sentinel
- Enrich entities with geolocation data

Advanced 6.7.4 Automated Workflow
DoD organizations focus on automating Security Orchestration, Automation, and Response (SOAR) functions and playbooks. Manual processes within security operations are identified and fully automated as possible. Remaining manual processes are decommissioned when possible or marked for exception using a risk based approach.

Outcomes:
- Workflow processes are fully automated
- Manual Processes have been identified
- Remaining Processes are marked as exceptions and documented

Microsoft Sentinel playbooks
Sentinel playbooks are based on Logic Apps, a cloud service that schedules, automates, and orchestrates tasks and workflows across enterprise systems. Build response playbooks from templates, or deploy solutions from the Sentinel content hub. Build custom analytics rules and response actions with Azure Logic Apps.
- Sentinel playbooks from templates
- Automate threat response with playbooks
- Sentinel content hub catalog
- Azure Logic Apps
