M2131_RecommendedDatatableNotLogged_EL3
| Id | 8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20 |
| Rulename | M2131_RecommendedDatatableNotLogged_EL3 |
| Description | This alert audits your logging architecture for recommended data tables aligned to Advanced Event Logging (EL3) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL3 are not present. |
| Severity | Medium |
| Tactics | Discovery |
| Techniques | T1082 |
| Kind | Scheduled |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL3.yaml |
| Version | 1.0.0 |
| Arm template | 8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20.json |
let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)
[
"SigninLogs", "Event Logging (EL0)",
"AADManagedIdentitySignInLogs", "Event Logging (EL0)",
"AADServicePrincipalSignInLogs", "Event Logging (EL0)",
"StorageBlobLogs", "Event Logging (EL0)",
"StorageFileLogs", "Event Logging (EL0)",
"AzureMetrics", "Event Logging (EL0)",
"AuditLogs", "Event Logging (EL0)",
"IdentityInfo", "Event Logging (EL0)",
"CommonSecurityLog", "Event Logging (EL0)",
"ThreatIntelligenceIndicator", "Event Logging (EL0)",
"DeviceNetworkInfo", "Event Logging (EL0)",
"DnsEvents", "Event Logging (EL0)",
"DeviceNetworkEvents", "Event Logging (EL0)",
"AzureDiagnostics", "Event Logging (EL0)",
"Usage", "Event Logging (EL0)",
"SecurityIncident", "Event Logging (EL0)",
"SecurityAlert", "Event Logging (EL0)",
"AzureActivity", "Event Logging (EL0)",
"Heartbeat", "Event Logging (EL0)",
"OfficeActivity", "Event Logging (EL0)",
"SecurityEvent", "Event Logging (EL0)",
"Syslog", "Event Logging (EL0)",
"AWSCloudTrail", "Event Logging (EL0)",
"GWorkspaceActivityReports", "Event Logging (EL0)",
"AWSGuardDuty", "Event Logging (EL0)",
"AWSVPCFlow", "Event Logging (EL0)",
"Perf", "Basic Event Logging (EL1)",
"SentinelHealth", "Basic Event Logging (EL1)",
"DeviceLogonEvents", "Basic Event Logging (EL1)",
"DeviceEvents", "Basic Event Logging (EL1)",
"DeviceNetworkEvents", "Basic Event Logging (EL1)",
"DeviceFileEvents", "Basic Event Logging (EL1)",
"DeviceRegistryEvents", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"VMConnection", "Basic Event Logging (EL1)",
"EmailEvents", "Basic Event Logging (EL1)",
"ThreatIntelligenceIndicator", "Basic Event Logging (EL1)",
"SecurityRecommendation", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"ConfigurationData", "Basic Event Logging (EL1)",
"ConfigurationChange", "Basic Event Logging (EL1)",
"GatewayDiagnosticLog", "Basic Event Logging (EL1)",
"TunnelDiagnosticLog", "Basic Event Logging (EL1)",
"IKEDiagnosticLog", "Basic Event Logging (EL1)",
"RouteDiagnosticLog", "Basic Event Logging (EL1)",
"PS2DiagnosticLog", "Basic Event Logging (EL1)",
"Event", "Basic Event Logging (EL1)",
"SqlAtpStatus", "Basic Event Logging (EL1)",
"ConstainerInstanceLog_CL", "Basic Event Logging (EL1)",
"ContainerEvent_CL", "Basic Event Logging (EL1)",
"InsightsMetrics", "Intermediate Event Logging (EL2)",
"EmailUrlInfo", "Intermediate Event Logging (EL2)",
"EmailAttachmentInfo", "Intermediate Event Logging (EL2)",
"InformationProtectionLogs_CL", "Intermediate Event Logging (EL2)",
"CloudAppEvents", "Intermediate Event Logging (EL2)",
"ContainerInventory", "Intermediate Event Logging (EL2)",
"Update", "Advanced Event Logging (EL3)",
"BehaviorAnalytics", "Advanced Event Logging (EL3)",
"Anomalies", "Advanced Event Logging (EL3)",
"SecurityRegulatoryCompliance", "Advanced Event Logging (EL3)"
];
Usage
| summarize Entries = count(), Size = sum(Quantity), last_log = datetime_diff("second",now(), max(TimeGenerated)) by DataType
| join kind=fullouter(M2131Mapping) on $left.DataType == $right.DataTable
| project RecommendedDataTable=DataTable, ExistingDataTable=DataType, MaturityLevel, Size
| summarize Logged = countif(Size > 0), NotLogged = countif(isempty(Size)) by RecommendedDataTable, MaturityLevel
| where NotLogged > 0 and MaturityLevel == "Advanced Event Logging (EL3)"
//| where RecommendedDataTable <> "Data Table Name"
| project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved=now()
| extend CloudApplication = RecommendedDataTable
entityMappings:
- fieldMappings:
- columnName: RecommendedDataTable
identifier: Name
entityType: CloudApplication
tactics:
- Discovery
name: M2131_RecommendedDatatableNotLogged_EL3
query: |
let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)
[
"SigninLogs", "Event Logging (EL0)",
"AADManagedIdentitySignInLogs", "Event Logging (EL0)",
"AADServicePrincipalSignInLogs", "Event Logging (EL0)",
"StorageBlobLogs", "Event Logging (EL0)",
"StorageFileLogs", "Event Logging (EL0)",
"AzureMetrics", "Event Logging (EL0)",
"AuditLogs", "Event Logging (EL0)",
"IdentityInfo", "Event Logging (EL0)",
"CommonSecurityLog", "Event Logging (EL0)",
"ThreatIntelligenceIndicator", "Event Logging (EL0)",
"DeviceNetworkInfo", "Event Logging (EL0)",
"DnsEvents", "Event Logging (EL0)",
"DeviceNetworkEvents", "Event Logging (EL0)",
"AzureDiagnostics", "Event Logging (EL0)",
"Usage", "Event Logging (EL0)",
"SecurityIncident", "Event Logging (EL0)",
"SecurityAlert", "Event Logging (EL0)",
"AzureActivity", "Event Logging (EL0)",
"Heartbeat", "Event Logging (EL0)",
"OfficeActivity", "Event Logging (EL0)",
"SecurityEvent", "Event Logging (EL0)",
"Syslog", "Event Logging (EL0)",
"AWSCloudTrail", "Event Logging (EL0)",
"GWorkspaceActivityReports", "Event Logging (EL0)",
"AWSGuardDuty", "Event Logging (EL0)",
"AWSVPCFlow", "Event Logging (EL0)",
"Perf", "Basic Event Logging (EL1)",
"SentinelHealth", "Basic Event Logging (EL1)",
"DeviceLogonEvents", "Basic Event Logging (EL1)",
"DeviceEvents", "Basic Event Logging (EL1)",
"DeviceNetworkEvents", "Basic Event Logging (EL1)",
"DeviceFileEvents", "Basic Event Logging (EL1)",
"DeviceRegistryEvents", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"VMConnection", "Basic Event Logging (EL1)",
"EmailEvents", "Basic Event Logging (EL1)",
"ThreatIntelligenceIndicator", "Basic Event Logging (EL1)",
"SecurityRecommendation", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"ConfigurationData", "Basic Event Logging (EL1)",
"ConfigurationChange", "Basic Event Logging (EL1)",
"GatewayDiagnosticLog", "Basic Event Logging (EL1)",
"TunnelDiagnosticLog", "Basic Event Logging (EL1)",
"IKEDiagnosticLog", "Basic Event Logging (EL1)",
"RouteDiagnosticLog", "Basic Event Logging (EL1)",
"PS2DiagnosticLog", "Basic Event Logging (EL1)",
"Event", "Basic Event Logging (EL1)",
"SqlAtpStatus", "Basic Event Logging (EL1)",
"ConstainerInstanceLog_CL", "Basic Event Logging (EL1)",
"ContainerEvent_CL", "Basic Event Logging (EL1)",
"InsightsMetrics", "Intermediate Event Logging (EL2)",
"EmailUrlInfo", "Intermediate Event Logging (EL2)",
"EmailAttachmentInfo", "Intermediate Event Logging (EL2)",
"InformationProtectionLogs_CL", "Intermediate Event Logging (EL2)",
"CloudAppEvents", "Intermediate Event Logging (EL2)",
"ContainerInventory", "Intermediate Event Logging (EL2)",
"Update", "Advanced Event Logging (EL3)",
"BehaviorAnalytics", "Advanced Event Logging (EL3)",
"Anomalies", "Advanced Event Logging (EL3)",
"SecurityRegulatoryCompliance", "Advanced Event Logging (EL3)"
];
Usage
| summarize Entries = count(), Size = sum(Quantity), last_log = datetime_diff("second",now(), max(TimeGenerated)) by DataType
| join kind=fullouter(M2131Mapping) on $left.DataType == $right.DataTable
| project RecommendedDataTable=DataTable, ExistingDataTable=DataType, MaturityLevel, Size
| summarize Logged = countif(Size > 0), NotLogged = countif(isempty(Size)) by RecommendedDataTable, MaturityLevel
| where NotLogged > 0 and MaturityLevel == "Advanced Event Logging (EL3)"
//| where RecommendedDataTable <> "Data Table Name"
| project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved=now()
| extend CloudApplication = RecommendedDataTable
severity: Medium
kind: Scheduled
relevantTechniques:
- T1082
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL3.yaml
id: 8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20
requiredDataConnectors: []
description: |
'This alert audits your logging architecture for recommended data tables aligned to Advanced Event Logging (EL3) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL3 are not present.'
version: 1.0.0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20')]",
"properties": {
"alertRuleTemplateName": "8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20",
"customDetails": null,
"description": "'This alert audits your logging architecture for recommended data tables aligned to Advanced Event Logging (EL3) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL3 are not present.'\n",
"displayName": "M2131_RecommendedDatatableNotLogged_EL3",
"enabled": true,
"entityMappings": [
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "RecommendedDataTable",
"identifier": "Name"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL3.yaml",
"query": "let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)\n[\n\"SigninLogs\",\t\"Event Logging (EL0)\",\n\"AADManagedIdentitySignInLogs\", \"Event Logging (EL0)\",\n\"AADServicePrincipalSignInLogs\",\t\"Event Logging (EL0)\",\n\"StorageBlobLogs\",\t\"Event Logging (EL0)\",\n\"StorageFileLogs\",\t\"Event Logging (EL0)\",\n\"AzureMetrics\",\t\"Event Logging (EL0)\",\n\"AuditLogs\",\t\"Event Logging (EL0)\",\n\"IdentityInfo\",\t\"Event Logging (EL0)\",\n\"CommonSecurityLog\",\t\"Event Logging (EL0)\",\n\"ThreatIntelligenceIndicator\",\t\"Event Logging (EL0)\",\n\"DeviceNetworkInfo\",\t\"Event Logging (EL0)\",\n\"DnsEvents\",\t\"Event Logging (EL0)\",\n\"DeviceNetworkEvents\",\t\"Event Logging (EL0)\",\n\"AzureDiagnostics\",\t\"Event Logging (EL0)\",\n\"Usage\",\t\"Event Logging (EL0)\",\n\"SecurityIncident\",\t\"Event Logging (EL0)\",\n\"SecurityAlert\",\t\"Event Logging (EL0)\",\n\"AzureActivity\",\t\"Event Logging (EL0)\",\n\"Heartbeat\",\t\"Event Logging (EL0)\",\n\"OfficeActivity\",\t\"Event Logging (EL0)\",\n\"SecurityEvent\",\t\"Event Logging (EL0)\",\n\"Syslog\",\t\"Event Logging (EL0)\",\n\"AWSCloudTrail\",\t\"Event Logging (EL0)\",\n\"GWorkspaceActivityReports\",\t\"Event Logging (EL0)\",\n\"AWSGuardDuty\",\t\"Event Logging (EL0)\",\n\"AWSVPCFlow\",\t\"Event Logging (EL0)\",\n\"Perf\",\t\"Basic Event Logging (EL1)\",\n\"SentinelHealth\",\t\"Basic Event Logging (EL1)\",\n\"DeviceLogonEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceNetworkEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceFileEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceRegistryEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceProcessEvents\",\t\"Basic Event Logging (EL1)\",\n\"VMConnection\",\t\"Basic Event Logging (EL1)\",\n\"EmailEvents\",\t\"Basic Event Logging (EL1)\",\n\"ThreatIntelligenceIndicator\",\t\"Basic Event Logging (EL1)\",\n\"SecurityRecommendation\",\t\"Basic Event Logging (EL1)\",\n\"DeviceProcessEvents\",\t\"Basic Event Logging (EL1)\",\n\"ConfigurationData\",\t\"Basic Event Logging (EL1)\",\n\"ConfigurationChange\",\t\"Basic Event Logging (EL1)\",\n\"GatewayDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"TunnelDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"IKEDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"RouteDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"PS2DiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"Event\",\t\"Basic Event Logging (EL1)\",\n\"SqlAtpStatus\",\t\"Basic Event Logging (EL1)\",\n\"ConstainerInstanceLog_CL\",\t\"Basic Event Logging (EL1)\",\n\"ContainerEvent_CL\",\t\"Basic Event Logging (EL1)\",\n\"InsightsMetrics\",\t\"Intermediate Event Logging (EL2)\",\n\"EmailUrlInfo\",\t\"Intermediate Event Logging (EL2)\",\n\"EmailAttachmentInfo\",\t\"Intermediate Event Logging (EL2)\",\n\"InformationProtectionLogs_CL\",\t\"Intermediate Event Logging (EL2)\",\n\"CloudAppEvents\",\t\"Intermediate Event Logging (EL2)\",\n\"ContainerInventory\",\t\"Intermediate Event Logging (EL2)\",\n\"Update\",\t\"Advanced Event Logging (EL3)\",\n\"BehaviorAnalytics\",\t\"Advanced Event Logging (EL3)\",\n\"Anomalies\",\t\"Advanced Event Logging (EL3)\",\n\"SecurityRegulatoryCompliance\",\t\"Advanced Event Logging (EL3)\"\n];\nUsage\n | summarize Entries = count(), Size = sum(Quantity), last_log = datetime_diff(\"second\",now(), max(TimeGenerated)) by DataType\n | join kind=fullouter(M2131Mapping) on $left.DataType == $right.DataTable\n | project RecommendedDataTable=DataTable, ExistingDataTable=DataType, MaturityLevel, Size\n | summarize Logged = countif(Size > 0), NotLogged = countif(isempty(Size)) by RecommendedDataTable, MaturityLevel\n | where NotLogged > 0 and MaturityLevel == \"Advanced Event Logging (EL3)\"\n //| where RecommendedDataTable <> \"Data Table Name\" \n | project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved=now()\n | extend CloudApplication = RecommendedDataTable\n",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1082"
],
"templateVersion": "1.0.0"
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}