Managing the unknown unknowns is a continual challenge for security operations teams. How do you know when you have a monitoring blind spot, and will the threat find it before you do? Security teams must monitor and measure log health, coverage, and maturity. Too often, security teams discover these blind spots only after an attack occurs, and investigating security incidents without logs presents significant challenges. Log sources feeding primary SecOps monitoring use cases must have equal or better Service Level Agreements (SLAs) than the use cases they feed. For example, if a SecOps monitoring use case for ransomware carries a 15-minute response SLA, the log health SLA for its sources must be equal or better, because a conflict between the two will greatly reduce response times.
Equally important is coverage across the organization's portfolio. Understanding log coverage across cloud, multi-cloud, and hybrid networks is challenging: environments change dynamically, and monitoring teams require known baselines of coverage. A SecOps team cannot monitor what it cannot see. If a Security Operations Center only has 85% coverage of endpoints, the remaining assets become the blind spot.
The third dynamic is measuring maturity of log management. Understanding maturity requires a repeatable framework for evaluation of current posture and granular steps to mature the model for greater coverage and visibility. Recently, the US Government released M-21-31, which requires federal government agencies to mature log event management capabilities to improve the ability to investigate and respond to cloud security attacks. This initiative guides federal agencies to understand log event management and is broken up into four tiers of maturity. We are announcing the Microsoft Sentinel: Maturity Model for Event Log Management (M-21-31) Solution. This solution consists of (1) Workbook, (8) Analytics Rules, (4) Hunting Queries, and (3) Playbooks.
Content Use Cases
Microsoft Sentinel: Maturity Model for Event Log Management (M-21-31) Workbook: The solution provides actionable insights into log management posture and intuitive steps for remediation to drive compliance across event logging maturity levels. The workbook serves as a starting point for designing and reporting event log management capabilities by providing visibility into current posture mapped against the four maturity tiers.
Microsoft Sentinel: Maturity Model for Event Log Management (M-21-31) Solution
(8) Analytics Rules: Analytics rules and hunting queries empower security teams with ongoing monitoring and assessment. Analytics rules track agent, asset, and data connector health, among other signals, to confirm that logs keep flowing and that compliance is maintained over time.
Recommended data table is unhealthy (last logged received drop)
Data connector added, changed, or removed
Asset stopped logging (heartbeat)
Log Analytics workspace: Active storage is less than 12 Months
(4) Hunting Queries: Hunting queries provide a proactive way to understand your logging environment, relative to the four maturity levels.
Recommended data table is not logged
Event Logging (EL0)
Basic Event Logging (EL1)
Intermediate Event Logging (EL2)
Advanced Event Logging (EL3)
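Added example, not part of the solution's own content: a single KQL query over the Log Analytics Usage table that implements both the "Recommended data table is not logged" hunt and the "Recommended data table is unhealthy (last logged received drop)" check listed above. The expected-table list, the 7-day baseline, the 1-day comparison window, and the 50% drop ratio are assumptions to adjust per workspace.

```kusto
// Added example (assumptions: expected_tables, windows and drop_ratio are illustrative).
// Usage is aggregated hourly per DataType, so LastReceived is the last hourly bucket with data.
let expected_tables = datatable(DataType:string)
    ["SecurityEvent", "Heartbeat", "SigninLogs", "AzureActivity", "CommonSecurityLog"];
let baseline_window = 7d;   // assumed baseline period
let recent_window   = 1d;   // assumed comparison period
let drop_ratio      = 0.5;  // assumed: flag when recent volume is below 50% of the daily baseline
// Daily average ingestion (MB) per table over the baseline period
let baseline = Usage
    | where TimeGenerated between (ago(baseline_window + recent_window) .. ago(recent_window))
    | summarize BaselineMBPerDay = sum(Quantity) / toreal(baseline_window / 1d) by DataType;
// Ingestion (MB) per table over the recent period, plus the last hour data was received
let recent = Usage
    | where TimeGenerated > ago(recent_window)
    | summarize RecentMB = sum(Quantity), LastReceived = max(TimeGenerated) by DataType;
expected_tables
| join kind=leftouter baseline on DataType
| join kind=leftouter recent on DataType
| extend RecentMB = coalesce(RecentMB, 0.0), BaselineMBPerDay = coalesce(BaselineMBPerDay, 0.0)
| extend Status = case(
    BaselineMBPerDay == 0 and RecentMB == 0, "NotLogged",      // hunting: table never seen
    RecentMB < BaselineMBPerDay * drop_ratio, "IngestionDrop", // analytics: volume fell off
    "Healthy")
| where Status != "Healthy"
| project DataType, Status, BaselineMBPerDay, RecentMB, LastReceived
```

Scheduling the query as an analytics rule and routing its alerts to the Notify Log Management Team playbook gives the log management team the same drop and not-logged signals the solution's rules provide.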
(3) Playbooks: Playbooks drive automated, consistent response, so security teams can focus their time on what is important: providing remediation and response based on insights collected from Microsoft Sentinel, rather than navigating across portals for relevant data.
Notify Log Management Team
Alert triggers an email and a Teams chat message to the log management team
Open DevOps Task
Alert triggers an Azure DevOps task to address the Microsoft Defender for Cloud policy recommendations
Open JIRA Ticket
Alert triggers a JIRA Ticket to address the Microsoft Defender for Cloud policy recommendations
Single pane of glass for aggregating, managing, and actioning data from 25+ Microsoft products to address M-21-31 logging requirements
Deep links for seamless pivots between products
Over-time analysis for more complete understanding of security and compliance posture
Monitor log health, coverage, and maturity with (12) analytics and hunting queries
Respond to posture deviations with (3) playbook automations
Leverage pre-written KQL queries to gain insights from log telemetry with the option to customize for further analysis
150+ visualizations, recommendations, queries across logs, Azure Resource Graph, policy, logging, metrics, and APIs
Customizable reporting via single-click exports
Integration with Microsoft Defender for Cloud: Regulatory Compliance Assessments
Implementers: Design + Build
Assessors: Audit + Assessment
Analysts: Monitor + Respond
Decision Makers: Situational Awareness
This content is designed to enable event log maturity management aligned with the M-21-31 requirements. Below are the steps to onboard required dependencies, enable connectors, review content, and provide feedback:
Review the Microsoft Sentinel: Maturity Model for Event Log Management (M-21-31) Workbook
Microsoft Sentinel > Workbooks > Search Maturity Model for Event Log Management (M-21-31)
Review/Enable Analytics Rules
Microsoft Sentinel > Analytics > Search M-21-31
Review Hunting Queries
Microsoft Sentinel > Hunting > Queries > Search M-21-31
Review Playbook Automation
Microsoft Sentinel > Automation > Active playbooks > Search Notify-LogManagementTeam > Enable
Create Automation Rule
Analytics > Search M-21-31 > Edit > Automated Response > Add new > Select Actions: Run Playbook > Select Notify-LogManagementTeam and configure automation options > Review > Save > Mirror the configuration across all M-21-31 analytics rules. Note that the Open JIRA Ticket and Create Azure DevOps Task playbooks are also available, per organizational requirements.
Review the content and provide feedback through the survey
Frequently Asked Questions
Are additional products required?
No, Microsoft Sentinel and Microsoft Defender for Cloud are baseline requirements to get started with the content package. The recommended products provide additional use case enrichments in evaluating event log maturity.
Is Multi-Subscription, Multi-Cloud and Multi-Tenant supported?