Managing the unknown unknowns is a continual challenge for security operations teams. How do you know when you have a monitoring blind spot, and will the threat find it before you do? Security teams must monitor and measure log health, coverage, and maturity. Too often, security teams discover these blind spots only after an attack occurs, and investigating security incidents without logs presents significant challenges. Log sources feeding primary SecOps monitoring use cases must have equal or better Service Level Agreements (SLAs) than the use cases they feed. For example, a SecOps monitoring use case for ransomware with a 15-minute response SLA needs log health monitoring with an equal or better SLA; if a logging outage is noticed later than the use case requires, response times suffer greatly.
Equally important is coverage across the organization’s portfolio. Understanding log coverage across cloud, multi-cloud, and hybrid networks is challenging: environments change dynamically, and monitoring teams require a known baseline of coverage. A SecOps team cannot monitor what it cannot see. If a Security Operations Center only has 85% coverage of endpoints, the remaining assets become the blind spot.
The third dynamic is measuring maturity of log management. Understanding maturity requires a repeatable framework for evaluation of current posture and granular steps to mature the model for greater coverage and visibility. Recently, the US Government released M-21-31, which requires federal government agencies to mature log event management capabilities to improve the ability to investigate and respond to cloud security attacks. This initiative guides federal agencies to understand log event management and is broken up into four tiers of maturity. We are announcing the Microsoft Sentinel: Maturity Model for Event Log Management (M-21-31) Solution. This solution consists of (1) Workbook, (8) Analytics Rules, (4) Hunting Queries, and (3) Playbooks.
Content Use Cases
- Microsoft Sentinel: Maturity Model for Event Log Management (M-21-31) Workbook: The solution provides actionable insights into log management posture and intuitive steps for remediation to drive compliance across event logging maturity levels. The workbook serves as a starting point for designing and reporting event log management capabilities by providing visibility into current posture mapped against the four maturity tiers.
- (8) Analytics Rules: Analytics rules and hunting queries give security teams ongoing monitoring and assessment. The analytics rules track agent, asset, and data connector health, among other signals, so that a loss of log flow is detected and compliance is maintained over time.
  - Recommended data table is unhealthy (last log received drop)
  - Data connector added, changed, or removed
  - Asset stopped logging (heartbeat)
  - Log Analytics workspace: Active storage is less than 12 months
  - Event Log Management Posture Changed (Event Logging EL0)
  - Event Log Management Posture Changed (Basic Event Logging EL1)
  - Event Log Management Posture Changed (Intermediate Event Logging EL2)
  - Event Log Management Posture Changed (Advanced Event Logging EL3)
- (4) Hunting Queries: Hunting queries provide a proactive way to understand your logging environment relative to the four maturity levels.
  - Recommended data table is not logged
  - Event Logging (EL0)
  - Basic Event Logging (EL1)
  - Intermediate Event Logging (EL2)
  - Advanced Event Logging (EL3)
- (3) Playbooks: Playbooks drive automated, consistent response so that security teams can focus their time on what is important: remediation and response based on the insights Microsoft Sentinel has collected, rather than navigating across portals for relevant data.
  - Notify Log Management Team
    - Alert triggers an email and a Teams chat message to the log management team
  - Open DevOps Task
    - Alert triggers an Azure DevOps task to address the Microsoft Defender for Cloud policy recommendations
  - Open JIRA Ticket
    - Alert triggers a JIRA ticket to address the Microsoft Defender for Cloud policy recommendations
- Single pane of glass for aggregating, managing, and actioning data from 25+ Microsoft products to address M-21-31 logging requirements
- Deep links for seamless pivots between products
- Over-time analysis for more complete understanding of security and compliance posture
- Monitor log health, coverage, and maturity with (12) analytics and hunting queries.
- Respond to posture deviations with (3) playbook automations
- Leverage pre-written KQL queries to gain insights from log telemetry with the option to customize for further analysis
- 150+ visualizations, recommendations, queries across logs, Azure Resource Graph, policy, logging, metrics, and APIs
- Customizable reporting via single-click exports
- Integration with Microsoft Defender for Cloud: Regulatory Compliance Assessments
- Implementers: Design + Build
- Assessors: Audit + Assessment
- Analysts: Monitor + Respond
- Decision Makers: Situational Awareness
- MSSP: Consultants
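The "Recommended data table is unhealthy" analytics rule and the "Recommended data table is not logged" hunting query listed above both come down to the same question: is each table the maturity tier depends on still receiving data at its normal rate? The KQL query below is an added illustration of that check and is not one of the solution's own queries. It reads the `Usage` table, which Log Analytics populates with per-table ingestion volume, so it is far cheaper than scanning each raw table. The table list in `RecommendedTables`, the 7-day baseline, and the 50% drop threshold are assumptions to be replaced with the tables and tolerances your own use cases require.

```kql
// Added example, not part of the M-21-31 solution content.
// Flags recommended data tables that never logged, stopped logging,
// or whose daily volume dropped sharply against a rolling baseline.
// Assumption: RecommendedTables is your own list of tables that the
// targeted maturity tier expects to see.
let RecommendedTables = dynamic(["SecurityEvent", "Syslog", "SigninLogs", "AuditLogs", "AzureActivity"]);
let BaselineWindow = 7d;   // window used to establish normal daily volume
let RecentWindow   = 1d;   // window being checked against that baseline
let DropThreshold  = 50.0; // percent drop that counts as unhealthy (assumed tolerance)
Usage
| where TimeGenerated > ago(BaselineWindow + RecentWindow)
| where DataType in (RecommendedTables)
// Usage.Quantity is reported in MB; normalise to GB per day for the baseline.
| summarize
    BaselineDailyGB = sumif(Quantity, TimeGenerated < ago(RecentWindow)) / 1024.0 / (BaselineWindow / 1d),
    RecentGB        = sumif(Quantity, TimeGenerated >= ago(RecentWindow)) / 1024.0
    by DataType
// Tables that never logged in the whole window have no Usage rows at all;
// union a zero-volume row for every recommended table so silence is reported.
| union (
    print DataType = RecommendedTables
    | mv-expand DataType to typeof(string)
    | extend BaselineDailyGB = 0.0, RecentGB = 0.0)
| summarize BaselineDailyGB = max(BaselineDailyGB), RecentGB = max(RecentGB) by DataType
| extend DropPct = iff(BaselineDailyGB > 0, round(100.0 * (1.0 - RecentGB / BaselineDailyGB), 1), 0.0)
| extend Status = case(
    BaselineDailyGB == 0 and RecentGB == 0, "NeverLogged",
    RecentGB == 0,                          "StoppedLogging",
    DropPct >= DropThreshold,               "VolumeDrop",
    "Healthy")
| where Status != "Healthy"
| project DataType, Status,
          BaselineDailyGB = round(BaselineDailyGB, 3),
          RecentGB        = round(RecentGB, 3),
          DropPct
| order by Status asc, DropPct desc
```

Run as-is from the Logs blade it behaves like a hunting query; scheduled as an analytics rule (for example hourly, with a 1-day lookback) it becomes the ongoing health check, and each returned row is a table whose silence would otherwise be discovered during an incident. Distinguishing `NeverLogged` from `StoppedLogging` matters for triage: the first is a coverage gap to onboard, the second is a connector or agent failure to repair. In a multi-workspace deployment the hard-coded list is better kept in a Sentinel watchlist and read with `_GetWatchlist()` so the same rule can be mirrored across workspaces without editing the query.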
This content is designed to enable Event Log Maturity Management and to align with the M-21-31 requirements. Below are the steps to onboard required dependencies, enable connectors, review content, and provide feedback:
- Review the Microsoft Sentinel: Maturity Model for Event Log Management (M-21-31) Workbook
  - Microsoft Sentinel > Workbooks > Search Maturity Model for Event Log Management (M-21-31)
- Review/Enable Analytics Rules
  - Microsoft Sentinel > Analytics > Search M-21-31
- Review Hunting Queries
  - Microsoft Sentinel > Hunting > Queries > Search M-21-31
- Review Playbook Automation
  - Microsoft Sentinel > Automation > Active playbooks > Search Notify-LogManagementTeam > Enable
- Create Automation Rule
  - Analytics > Search M-21-31 > Edit > Automated Response > Add new > Select Actions: Run Playbook > Select Notify-LogManagementTeam and configure automation options > Review > Save > Mirror the configuration across all M-21-31 analytics rules. Note: Open JIRA Ticket and Create Azure DevOps Task are additional playbooks available per organizational requirements.
- Review the content and provide feedback through the survey
Frequently Asked Questions
- Are additional products required?
  - No, Microsoft Sentinel and Microsoft Defender for Cloud are the baseline requirements to get started with the content package. The recommended products provide additional use case enrichments in evaluating event log maturity.
- Is Multi-Subscription, Multi-Cloud and Multi-Tenant supported?
- Is custom reporting available?
  - Yes, via guide, time, workspace, and subscription parameters.
- Is third party integration supported?
  - Yes, workbooks and analytics are customizable for integration with third party products.
- Is this available in government regions?
  - Yes, this solution is deployable to commercial environments via Content Hub (Preview) and deployable to government regions via the GitHub Deploy to Azure button in the Solution’s readme file.
- Are blank panels bad?
  - No, they’re an opportunity to explore and address the requirements.
- Can this content be exported as a report?
  - Yes, via the Print Workbooks and Download Artifacts features.
- What rights are required to use this content?
Learn More About Meeting the Cybersecurity Executive Order with Microsoft Security