M2131_RecommendedDatatableNotLogged_EL0
| Id | b3e0bfd4-52d2-4684-9514-716035cdbff2 |
| Rulename | M2131_RecommendedDatatableNotLogged_EL0 |
| Description | This alert audits your logging architecture for recommended data tables aligned to Event Logging (EL0) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL0 are not present. |
| Severity | Medium |
| Tactics | Discovery |
| Techniques | T1082 |
| Kind | Scheduled |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL0.yaml |
| Version | 1.0.0 |
| Arm template | b3e0bfd4-52d2-4684-9514-716035cdbff2.json |
let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)
[
"SigninLogs", "Event Logging (EL0)",
"AADManagedIdentitySignInLogs", "Event Logging (EL0)",
"AADServicePrincipalSignInLogs", "Event Logging (EL0)",
"StorageBlobLogs", "Event Logging (EL0)",
"StorageFileLogs", "Event Logging (EL0)",
"AzureMetrics", "Event Logging (EL0)",
"AuditLogs", "Event Logging (EL0)",
"IdentityInfo", "Event Logging (EL0)",
"CommonSecurityLog", "Event Logging (EL0)",
"ThreatIntelligenceIndicator", "Event Logging (EL0)",
"DeviceNetworkInfo", "Event Logging (EL0)",
"DnsEvents", "Event Logging (EL0)",
"DeviceNetworkEvents", "Event Logging (EL0)",
"AzureDiagnostics", "Event Logging (EL0)",
"Usage", "Event Logging (EL0)",
"SecurityIncident", "Event Logging (EL0)",
"SecurityAlert", "Event Logging (EL0)",
"AzureActivity", "Event Logging (EL0)",
"Heartbeat", "Event Logging (EL0)",
"OfficeActivity", "Event Logging (EL0)",
"SecurityEvent", "Event Logging (EL0)",
"Syslog", "Event Logging (EL0)",
"AWSCloudTrail", "Event Logging (EL0)",
"GWorkspaceActivityReports", "Event Logging (EL0)",
"AWSGuardDuty", "Event Logging (EL0)",
"AWSVPCFlow", "Event Logging (EL0)",
"Perf", "Basic Event Logging (EL1)",
"SentinelHealth", "Basic Event Logging (EL1)",
"DeviceLogonEvents", "Basic Event Logging (EL1)",
"DeviceEvents", "Basic Event Logging (EL1)",
"DeviceNetworkEvents", "Basic Event Logging (EL1)",
"DeviceFileEvents", "Basic Event Logging (EL1)",
"DeviceRegistryEvents", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"VMConnection", "Basic Event Logging (EL1)",
"EmailEvents", "Basic Event Logging (EL1)",
"ThreatIntelligenceIndicator", "Basic Event Logging (EL1)",
"SecurityRecommendation", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"ConfigurationData", "Basic Event Logging (EL1)",
"ConfigurationChange", "Basic Event Logging (EL1)",
"GatewayDiagnosticLog", "Basic Event Logging (EL1)",
"TunnelDiagnosticLog", "Basic Event Logging (EL1)",
"IKEDiagnosticLog", "Basic Event Logging (EL1)",
"RouteDiagnosticLog", "Basic Event Logging (EL1)",
"PS2DiagnosticLog", "Basic Event Logging (EL1)",
"Event", "Basic Event Logging (EL1)",
"SqlAtpStatus", "Basic Event Logging (EL1)",
"ConstainerInstanceLog_CL", "Basic Event Logging (EL1)",
"ContainerEvent_CL", "Basic Event Logging (EL1)",
"InsightsMetrics", "Intermediate Event Logging (EL2)",
"EmailUrlInfo", "Intermediate Event Logging (EL2)",
"EmailAttachmentInfo", "Intermediate Event Logging (EL2)",
"InformationProtectionLogs_CL", "Intermediate Event Logging (EL2)",
"CloudAppEvents", "Intermediate Event Logging (EL2)",
"ContainerInventory", "Intermediate Event Logging (EL2)",
"Update", "Advanced Event Logging (EL3)",
"BehaviorAnalytics", "Advanced Event Logging (EL3)",
"Anomalies", "Advanced Event Logging (EL3)",
"SecurityRegulatoryCompliance", "Advanced Event Logging (EL3)"
];
Usage
| summarize Entries = count(), Size = sum(Quantity), last_log = datetime_diff("second",now(), max(TimeGenerated)) by DataType
| join kind=fullouter(M2131Mapping) on $left.DataType == $right.DataTable
| project RecommendedDataTable=DataTable, ExistingDataTable=DataType, MaturityLevel, Size
| summarize Logged = countif(Size > 0), NotLogged = countif(isempty(Size)) by RecommendedDataTable, MaturityLevel
| where NotLogged > 0 and MaturityLevel == "Event Logging (EL0)" and RecommendedDataTable <> "Usage"
//| where RecommendedDataTable <> "Data Table Name"
| project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved=now()
| extend CloudApplication = RecommendedDataTable
name: M2131_RecommendedDatatableNotLogged_EL0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL0.yaml
severity: Medium
kind: Scheduled
entityMappings:
- entityType: CloudApplication
fieldMappings:
- columnName: RecommendedDataTable
identifier: Name
tactics:
- Discovery
relevantTechniques:
- T1082
requiredDataConnectors: []
description: |
'This alert audits your logging architecture for recommended data tables aligned to Event Logging (EL0) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL0 are not present.'
query: |
let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)
[
"SigninLogs", "Event Logging (EL0)",
"AADManagedIdentitySignInLogs", "Event Logging (EL0)",
"AADServicePrincipalSignInLogs", "Event Logging (EL0)",
"StorageBlobLogs", "Event Logging (EL0)",
"StorageFileLogs", "Event Logging (EL0)",
"AzureMetrics", "Event Logging (EL0)",
"AuditLogs", "Event Logging (EL0)",
"IdentityInfo", "Event Logging (EL0)",
"CommonSecurityLog", "Event Logging (EL0)",
"ThreatIntelligenceIndicator", "Event Logging (EL0)",
"DeviceNetworkInfo", "Event Logging (EL0)",
"DnsEvents", "Event Logging (EL0)",
"DeviceNetworkEvents", "Event Logging (EL0)",
"AzureDiagnostics", "Event Logging (EL0)",
"Usage", "Event Logging (EL0)",
"SecurityIncident", "Event Logging (EL0)",
"SecurityAlert", "Event Logging (EL0)",
"AzureActivity", "Event Logging (EL0)",
"Heartbeat", "Event Logging (EL0)",
"OfficeActivity", "Event Logging (EL0)",
"SecurityEvent", "Event Logging (EL0)",
"Syslog", "Event Logging (EL0)",
"AWSCloudTrail", "Event Logging (EL0)",
"GWorkspaceActivityReports", "Event Logging (EL0)",
"AWSGuardDuty", "Event Logging (EL0)",
"AWSVPCFlow", "Event Logging (EL0)",
"Perf", "Basic Event Logging (EL1)",
"SentinelHealth", "Basic Event Logging (EL1)",
"DeviceLogonEvents", "Basic Event Logging (EL1)",
"DeviceEvents", "Basic Event Logging (EL1)",
"DeviceNetworkEvents", "Basic Event Logging (EL1)",
"DeviceFileEvents", "Basic Event Logging (EL1)",
"DeviceRegistryEvents", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"VMConnection", "Basic Event Logging (EL1)",
"EmailEvents", "Basic Event Logging (EL1)",
"ThreatIntelligenceIndicator", "Basic Event Logging (EL1)",
"SecurityRecommendation", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"ConfigurationData", "Basic Event Logging (EL1)",
"ConfigurationChange", "Basic Event Logging (EL1)",
"GatewayDiagnosticLog", "Basic Event Logging (EL1)",
"TunnelDiagnosticLog", "Basic Event Logging (EL1)",
"IKEDiagnosticLog", "Basic Event Logging (EL1)",
"RouteDiagnosticLog", "Basic Event Logging (EL1)",
"PS2DiagnosticLog", "Basic Event Logging (EL1)",
"Event", "Basic Event Logging (EL1)",
"SqlAtpStatus", "Basic Event Logging (EL1)",
"ConstainerInstanceLog_CL", "Basic Event Logging (EL1)",
"ContainerEvent_CL", "Basic Event Logging (EL1)",
"InsightsMetrics", "Intermediate Event Logging (EL2)",
"EmailUrlInfo", "Intermediate Event Logging (EL2)",
"EmailAttachmentInfo", "Intermediate Event Logging (EL2)",
"InformationProtectionLogs_CL", "Intermediate Event Logging (EL2)",
"CloudAppEvents", "Intermediate Event Logging (EL2)",
"ContainerInventory", "Intermediate Event Logging (EL2)",
"Update", "Advanced Event Logging (EL3)",
"BehaviorAnalytics", "Advanced Event Logging (EL3)",
"Anomalies", "Advanced Event Logging (EL3)",
"SecurityRegulatoryCompliance", "Advanced Event Logging (EL3)"
];
Usage
| summarize Entries = count(), Size = sum(Quantity), last_log = datetime_diff("second",now(), max(TimeGenerated)) by DataType
| join kind=fullouter(M2131Mapping) on $left.DataType == $right.DataTable
| project RecommendedDataTable=DataTable, ExistingDataTable=DataType, MaturityLevel, Size
| summarize Logged = countif(Size > 0), NotLogged = countif(isempty(Size)) by RecommendedDataTable, MaturityLevel
| where NotLogged > 0 and MaturityLevel == "Event Logging (EL0)" and RecommendedDataTable <> "Usage"
//| where RecommendedDataTable <> "Data Table Name"
| project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved=now()
| extend CloudApplication = RecommendedDataTable
id: b3e0bfd4-52d2-4684-9514-716035cdbff2
version: 1.0.0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b3e0bfd4-52d2-4684-9514-716035cdbff2')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b3e0bfd4-52d2-4684-9514-716035cdbff2')]",
"properties": {
"alertRuleTemplateName": "b3e0bfd4-52d2-4684-9514-716035cdbff2",
"customDetails": null,
"description": "'This alert audits your logging architecture for recommended data tables aligned to Event Logging (EL0) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL0 are not present.'\n",
"displayName": "M2131_RecommendedDatatableNotLogged_EL0",
"enabled": true,
"entityMappings": [
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "RecommendedDataTable",
"identifier": "Name"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL0.yaml",
"query": "let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)\n[\n\"SigninLogs\",\t\"Event Logging (EL0)\",\n\"AADManagedIdentitySignInLogs\", \"Event Logging (EL0)\",\n\"AADServicePrincipalSignInLogs\",\t\"Event Logging (EL0)\",\n\"StorageBlobLogs\",\t\"Event Logging (EL0)\",\n\"StorageFileLogs\",\t\"Event Logging (EL0)\",\n\"AzureMetrics\",\t\"Event Logging (EL0)\",\n\"AuditLogs\",\t\"Event Logging (EL0)\",\n\"IdentityInfo\",\t\"Event Logging (EL0)\",\n\"CommonSecurityLog\",\t\"Event Logging (EL0)\",\n\"ThreatIntelligenceIndicator\",\t\"Event Logging (EL0)\",\n\"DeviceNetworkInfo\",\t\"Event Logging (EL0)\",\n\"DnsEvents\",\t\"Event Logging (EL0)\",\n\"DeviceNetworkEvents\",\t\"Event Logging (EL0)\",\n\"AzureDiagnostics\",\t\"Event Logging (EL0)\",\n\"Usage\",\t\"Event Logging (EL0)\",\n\"SecurityIncident\",\t\"Event Logging (EL0)\",\n\"SecurityAlert\",\t\"Event Logging (EL0)\",\n\"AzureActivity\",\t\"Event Logging (EL0)\",\n\"Heartbeat\",\t\"Event Logging (EL0)\",\n\"OfficeActivity\",\t\"Event Logging (EL0)\",\n\"SecurityEvent\",\t\"Event Logging (EL0)\",\n\"Syslog\",\t\"Event Logging (EL0)\",\n\"AWSCloudTrail\",\t\"Event Logging (EL0)\",\n\"GWorkspaceActivityReports\",\t\"Event Logging (EL0)\",\n\"AWSGuardDuty\",\t\"Event Logging (EL0)\",\n\"AWSVPCFlow\",\t\"Event Logging (EL0)\",\n\"Perf\",\t\"Basic Event Logging (EL1)\",\n\"SentinelHealth\",\t\"Basic Event Logging (EL1)\",\n\"DeviceLogonEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceNetworkEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceFileEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceRegistryEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceProcessEvents\",\t\"Basic Event Logging (EL1)\",\n\"VMConnection\",\t\"Basic Event Logging (EL1)\",\n\"EmailEvents\",\t\"Basic Event Logging (EL1)\",\n\"ThreatIntelligenceIndicator\",\t\"Basic Event Logging (EL1)\",\n\"SecurityRecommendation\",\t\"Basic Event Logging (EL1)\",\n\"DeviceProcessEvents\",\t\"Basic Event Logging (EL1)\",\n\"ConfigurationData\",\t\"Basic Event Logging (EL1)\",\n\"ConfigurationChange\",\t\"Basic Event Logging (EL1)\",\n\"GatewayDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"TunnelDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"IKEDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"RouteDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"PS2DiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"Event\",\t\"Basic Event Logging (EL1)\",\n\"SqlAtpStatus\",\t\"Basic Event Logging (EL1)\",\n\"ConstainerInstanceLog_CL\",\t\"Basic Event Logging (EL1)\",\n\"ContainerEvent_CL\",\t\"Basic Event Logging (EL1)\",\n\"InsightsMetrics\",\t\"Intermediate Event Logging (EL2)\",\n\"EmailUrlInfo\",\t\"Intermediate Event Logging (EL2)\",\n\"EmailAttachmentInfo\",\t\"Intermediate Event Logging (EL2)\",\n\"InformationProtectionLogs_CL\",\t\"Intermediate Event Logging (EL2)\",\n\"CloudAppEvents\",\t\"Intermediate Event Logging (EL2)\",\n\"ContainerInventory\",\t\"Intermediate Event Logging (EL2)\",\n\"Update\",\t\"Advanced Event Logging (EL3)\",\n\"BehaviorAnalytics\",\t\"Advanced Event Logging (EL3)\",\n\"Anomalies\",\t\"Advanced Event Logging (EL3)\",\n\"SecurityRegulatoryCompliance\",\t\"Advanced Event Logging (EL3)\"\n];\nUsage\n | summarize Entries = count(), Size = sum(Quantity), last_log = datetime_diff(\"second\",now(), max(TimeGenerated)) by DataType\n | join kind=fullouter(M2131Mapping) on $left.DataType == $right.DataTable\n | project RecommendedDataTable=DataTable, ExistingDataTable=DataType, MaturityLevel, Size\n | summarize Logged = countif(Size > 0), NotLogged = countif(isempty(Size)) by RecommendedDataTable, MaturityLevel\n | where NotLogged > 0 and MaturityLevel == \"Event Logging (EL0)\" and RecommendedDataTable <> \"Usage\"\n //| where RecommendedDataTable <> \"Data Table Name\" \n | project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved=now()\n | extend CloudApplication = RecommendedDataTable\n",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1082"
],
"templateVersion": "1.0.0"
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}