M2131_RecommendedDatatableNotLogged_EL3
| Id | 8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20 |
| Rulename | M2131_RecommendedDatatableNotLogged_EL3 |
| Description | This alert audits your logging architecture for recommended data tables aligned to Advanced Event Logging (EL3) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL3 are not present. |
| Severity | Medium |
| Tactics | Discovery |
| Techniques | T1082 |
| Kind | Scheduled |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL3.yaml |
| Version | 1.0.0 |
| Arm template | 8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20.json |
let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)
[
"SigninLogs", "Event Logging (EL0)",
"AADManagedIdentitySignInLogs", "Event Logging (EL0)",
"AADServicePrincipalSignInLogs", "Event Logging (EL0)",
"StorageBlobLogs", "Event Logging (EL0)",
"StorageFileLogs", "Event Logging (EL0)",
"AzureMetrics", "Event Logging (EL0)",
"AuditLogs", "Event Logging (EL0)",
"IdentityInfo", "Event Logging (EL0)",
"CommonSecurityLog", "Event Logging (EL0)",
"ThreatIntelligenceIndicator", "Event Logging (EL0)",
"DeviceNetworkInfo", "Event Logging (EL0)",
"DnsEvents", "Event Logging (EL0)",
"DeviceNetworkEvents", "Event Logging (EL0)",
"AzureDiagnostics", "Event Logging (EL0)",
"Usage", "Event Logging (EL0)",
"SecurityIncident", "Event Logging (EL0)",
"SecurityAlert", "Event Logging (EL0)",
"AzureActivity", "Event Logging (EL0)",
"Heartbeat", "Event Logging (EL0)",
"OfficeActivity", "Event Logging (EL0)",
"SecurityEvent", "Event Logging (EL0)",
"Syslog", "Event Logging (EL0)",
"AWSCloudTrail", "Event Logging (EL0)",
"GWorkspaceActivityReports", "Event Logging (EL0)",
"AWSGuardDuty", "Event Logging (EL0)",
"AWSVPCFlow", "Event Logging (EL0)",
"Perf", "Basic Event Logging (EL1)",
"SentinelHealth", "Basic Event Logging (EL1)",
"DeviceLogonEvents", "Basic Event Logging (EL1)",
"DeviceEvents", "Basic Event Logging (EL1)",
"DeviceNetworkEvents", "Basic Event Logging (EL1)",
"DeviceFileEvents", "Basic Event Logging (EL1)",
"DeviceRegistryEvents", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"VMConnection", "Basic Event Logging (EL1)",
"EmailEvents", "Basic Event Logging (EL1)",
"ThreatIntelligenceIndicator", "Basic Event Logging (EL1)",
"SecurityRecommendation", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"ConfigurationData", "Basic Event Logging (EL1)",
"ConfigurationChange", "Basic Event Logging (EL1)",
"GatewayDiagnosticLog", "Basic Event Logging (EL1)",
"TunnelDiagnosticLog", "Basic Event Logging (EL1)",
"IKEDiagnosticLog", "Basic Event Logging (EL1)",
"RouteDiagnosticLog", "Basic Event Logging (EL1)",
"PS2DiagnosticLog", "Basic Event Logging (EL1)",
"Event", "Basic Event Logging (EL1)",
"SqlAtpStatus", "Basic Event Logging (EL1)",
"ConstainerInstanceLog_CL", "Basic Event Logging (EL1)",
"ContainerEvent_CL", "Basic Event Logging (EL1)",
"InsightsMetrics", "Intermediate Event Logging (EL2)",
"EmailUrlInfo", "Intermediate Event Logging (EL2)",
"EmailAttachmentInfo", "Intermediate Event Logging (EL2)",
"InformationProtectionLogs_CL", "Intermediate Event Logging (EL2)",
"CloudAppEvents", "Intermediate Event Logging (EL2)",
"ContainerInventory", "Intermediate Event Logging (EL2)",
"Update", "Advanced Event Logging (EL3)",
"BehaviorAnalytics", "Advanced Event Logging (EL3)",
"Anomalies", "Advanced Event Logging (EL3)",
"SecurityRegulatoryCompliance", "Advanced Event Logging (EL3)"
];
Usage
| summarize Entries = count(), Size = sum(Quantity), last_log = datetime_diff("second",now(), max(TimeGenerated)) by DataType
| join kind=fullouter(M2131Mapping) on $left.DataType == $right.DataTable
| project RecommendedDataTable=DataTable, ExistingDataTable=DataType, MaturityLevel, Size
| summarize Logged = countif(Size > 0), NotLogged = countif(isempty(Size)) by RecommendedDataTable, MaturityLevel
| where NotLogged > 0 and MaturityLevel == "Advanced Event Logging (EL3)"
//| where RecommendedDataTable <> "Data Table Name"
| project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved=now()
| extend CloudApplication = RecommendedDataTable
relevantTechniques:
- T1082
name: M2131_RecommendedDatatableNotLogged_EL3
requiredDataConnectors: []
entityMappings:
- fieldMappings:
- identifier: Name
columnName: RecommendedDataTable
entityType: CloudApplication
query: |
let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)
[
"SigninLogs", "Event Logging (EL0)",
"AADManagedIdentitySignInLogs", "Event Logging (EL0)",
"AADServicePrincipalSignInLogs", "Event Logging (EL0)",
"StorageBlobLogs", "Event Logging (EL0)",
"StorageFileLogs", "Event Logging (EL0)",
"AzureMetrics", "Event Logging (EL0)",
"AuditLogs", "Event Logging (EL0)",
"IdentityInfo", "Event Logging (EL0)",
"CommonSecurityLog", "Event Logging (EL0)",
"ThreatIntelligenceIndicator", "Event Logging (EL0)",
"DeviceNetworkInfo", "Event Logging (EL0)",
"DnsEvents", "Event Logging (EL0)",
"DeviceNetworkEvents", "Event Logging (EL0)",
"AzureDiagnostics", "Event Logging (EL0)",
"Usage", "Event Logging (EL0)",
"SecurityIncident", "Event Logging (EL0)",
"SecurityAlert", "Event Logging (EL0)",
"AzureActivity", "Event Logging (EL0)",
"Heartbeat", "Event Logging (EL0)",
"OfficeActivity", "Event Logging (EL0)",
"SecurityEvent", "Event Logging (EL0)",
"Syslog", "Event Logging (EL0)",
"AWSCloudTrail", "Event Logging (EL0)",
"GWorkspaceActivityReports", "Event Logging (EL0)",
"AWSGuardDuty", "Event Logging (EL0)",
"AWSVPCFlow", "Event Logging (EL0)",
"Perf", "Basic Event Logging (EL1)",
"SentinelHealth", "Basic Event Logging (EL1)",
"DeviceLogonEvents", "Basic Event Logging (EL1)",
"DeviceEvents", "Basic Event Logging (EL1)",
"DeviceNetworkEvents", "Basic Event Logging (EL1)",
"DeviceFileEvents", "Basic Event Logging (EL1)",
"DeviceRegistryEvents", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"VMConnection", "Basic Event Logging (EL1)",
"EmailEvents", "Basic Event Logging (EL1)",
"ThreatIntelligenceIndicator", "Basic Event Logging (EL1)",
"SecurityRecommendation", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"ConfigurationData", "Basic Event Logging (EL1)",
"ConfigurationChange", "Basic Event Logging (EL1)",
"GatewayDiagnosticLog", "Basic Event Logging (EL1)",
"TunnelDiagnosticLog", "Basic Event Logging (EL1)",
"IKEDiagnosticLog", "Basic Event Logging (EL1)",
"RouteDiagnosticLog", "Basic Event Logging (EL1)",
"PS2DiagnosticLog", "Basic Event Logging (EL1)",
"Event", "Basic Event Logging (EL1)",
"SqlAtpStatus", "Basic Event Logging (EL1)",
"ConstainerInstanceLog_CL", "Basic Event Logging (EL1)",
"ContainerEvent_CL", "Basic Event Logging (EL1)",
"InsightsMetrics", "Intermediate Event Logging (EL2)",
"EmailUrlInfo", "Intermediate Event Logging (EL2)",
"EmailAttachmentInfo", "Intermediate Event Logging (EL2)",
"InformationProtectionLogs_CL", "Intermediate Event Logging (EL2)",
"CloudAppEvents", "Intermediate Event Logging (EL2)",
"ContainerInventory", "Intermediate Event Logging (EL2)",
"Update", "Advanced Event Logging (EL3)",
"BehaviorAnalytics", "Advanced Event Logging (EL3)",
"Anomalies", "Advanced Event Logging (EL3)",
"SecurityRegulatoryCompliance", "Advanced Event Logging (EL3)"
];
Usage
| summarize Entries = count(), Size = sum(Quantity), last_log = datetime_diff("second",now(), max(TimeGenerated)) by DataType
| join kind=fullouter(M2131Mapping) on $left.DataType == $right.DataTable
| project RecommendedDataTable=DataTable, ExistingDataTable=DataType, MaturityLevel, Size
| summarize Logged = countif(Size > 0), NotLogged = countif(isempty(Size)) by RecommendedDataTable, MaturityLevel
| where NotLogged > 0 and MaturityLevel == "Advanced Event Logging (EL3)"
//| where RecommendedDataTable <> "Data Table Name"
| project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved=now()
| extend CloudApplication = RecommendedDataTable
id: 8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20
tactics:
- Discovery
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL3.yaml
kind: Scheduled
severity: Medium
description: |
'This alert audits your logging architecture for recommended data tables aligned to Advanced Event Logging (EL3) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL3 are not present.'
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20')]",
"properties": {
"alertRuleTemplateName": "8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20",
"customDetails": null,
"description": "'This alert audits your logging architecture for recommended data tables aligned to Advanced Event Logging (EL3) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL3 are not present.'\n",
"displayName": "M2131_RecommendedDatatableNotLogged_EL3",
"enabled": true,
"entityMappings": [
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "RecommendedDataTable",
"identifier": "Name"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL3.yaml",
"query": "let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)\n[\n\"SigninLogs\",\t\"Event Logging (EL0)\",\n\"AADManagedIdentitySignInLogs\", \"Event Logging (EL0)\",\n\"AADServicePrincipalSignInLogs\",\t\"Event Logging (EL0)\",\n\"StorageBlobLogs\",\t\"Event Logging (EL0)\",\n\"StorageFileLogs\",\t\"Event Logging (EL0)\",\n\"AzureMetrics\",\t\"Event Logging (EL0)\",\n\"AuditLogs\",\t\"Event Logging (EL0)\",\n\"IdentityInfo\",\t\"Event Logging (EL0)\",\n\"CommonSecurityLog\",\t\"Event Logging (EL0)\",\n\"ThreatIntelligenceIndicator\",\t\"Event Logging (EL0)\",\n\"DeviceNetworkInfo\",\t\"Event Logging (EL0)\",\n\"DnsEvents\",\t\"Event Logging (EL0)\",\n\"DeviceNetworkEvents\",\t\"Event Logging (EL0)\",\n\"AzureDiagnostics\",\t\"Event Logging (EL0)\",\n\"Usage\",\t\"Event Logging (EL0)\",\n\"SecurityIncident\",\t\"Event Logging (EL0)\",\n\"SecurityAlert\",\t\"Event Logging (EL0)\",\n\"AzureActivity\",\t\"Event Logging (EL0)\",\n\"Heartbeat\",\t\"Event Logging (EL0)\",\n\"OfficeActivity\",\t\"Event Logging (EL0)\",\n\"SecurityEvent\",\t\"Event Logging (EL0)\",\n\"Syslog\",\t\"Event Logging (EL0)\",\n\"AWSCloudTrail\",\t\"Event Logging (EL0)\",\n\"GWorkspaceActivityReports\",\t\"Event Logging (EL0)\",\n\"AWSGuardDuty\",\t\"Event Logging (EL0)\",\n\"AWSVPCFlow\",\t\"Event Logging (EL0)\",\n\"Perf\",\t\"Basic Event Logging (EL1)\",\n\"SentinelHealth\",\t\"Basic Event Logging (EL1)\",\n\"DeviceLogonEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceNetworkEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceFileEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceRegistryEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceProcessEvents\",\t\"Basic Event Logging (EL1)\",\n\"VMConnection\",\t\"Basic Event Logging (EL1)\",\n\"EmailEvents\",\t\"Basic Event Logging (EL1)\",\n\"ThreatIntelligenceIndicator\",\t\"Basic Event Logging (EL1)\",\n\"SecurityRecommendation\",\t\"Basic Event Logging (EL1)\",\n\"DeviceProcessEvents\",\t\"Basic Event Logging (EL1)\",\n\"ConfigurationData\",\t\"Basic Event Logging (EL1)\",\n\"ConfigurationChange\",\t\"Basic Event Logging (EL1)\",\n\"GatewayDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"TunnelDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"IKEDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"RouteDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"PS2DiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"Event\",\t\"Basic Event Logging (EL1)\",\n\"SqlAtpStatus\",\t\"Basic Event Logging (EL1)\",\n\"ConstainerInstanceLog_CL\",\t\"Basic Event Logging (EL1)\",\n\"ContainerEvent_CL\",\t\"Basic Event Logging (EL1)\",\n\"InsightsMetrics\",\t\"Intermediate Event Logging (EL2)\",\n\"EmailUrlInfo\",\t\"Intermediate Event Logging (EL2)\",\n\"EmailAttachmentInfo\",\t\"Intermediate Event Logging (EL2)\",\n\"InformationProtectionLogs_CL\",\t\"Intermediate Event Logging (EL2)\",\n\"CloudAppEvents\",\t\"Intermediate Event Logging (EL2)\",\n\"ContainerInventory\",\t\"Intermediate Event Logging (EL2)\",\n\"Update\",\t\"Advanced Event Logging (EL3)\",\n\"BehaviorAnalytics\",\t\"Advanced Event Logging (EL3)\",\n\"Anomalies\",\t\"Advanced Event Logging (EL3)\",\n\"SecurityRegulatoryCompliance\",\t\"Advanced Event Logging (EL3)\"\n];\nUsage\n | summarize Entries = count(), Size = sum(Quantity), last_log = datetime_diff(\"second\",now(), max(TimeGenerated)) by DataType\n | join kind=fullouter(M2131Mapping) on $left.DataType == $right.DataTable\n | project RecommendedDataTable=DataTable, ExistingDataTable=DataType, MaturityLevel, Size\n | summarize Logged = countif(Size > 0), NotLogged = countif(isempty(Size)) by RecommendedDataTable, MaturityLevel\n | where NotLogged > 0 and MaturityLevel == \"Advanced Event Logging (EL3)\"\n //| where RecommendedDataTable <> \"Data Table Name\" \n | project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved=now()\n | extend CloudApplication = RecommendedDataTable\n",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1082"
],
"templateVersion": "1.0.0"
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}