M2131_RecommendedDatatableUnhealthy
| Id | c61b167a-59ae-42af-bc98-36c78c5acb5c |
| Rulename | M2131_RecommendedDatatableUnhealthy |
| Description | This alert is designed to monitor recommended data tables aligned to the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when a recommended data table hasn’t been observed in over 48 hours. |
| Severity | Medium |
| Tactics | Discovery |
| Techniques | T1082 |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Analytic Rules/M2131RecommendedDatatableUnhealthy.yaml |
| Version | 1.0.0 |
| Arm template | c61b167a-59ae-42af-bc98-36c78c5acb5c.json |
let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)
[
"SigninLogs", "Event Logging (EL0)",
"AADManagedIdentitySignInLogs", "Event Logging (EL0)",
"AADServicePrincipalSignInLogs", "Event Logging (EL0)",
"StorageBlobLogs", "Event Logging (EL0)",
"StorageFileLogs", "Event Logging (EL0)",
"AzureMetrics", "Event Logging (EL0)",
"AuditLogs", "Event Logging (EL0)",
"IdentityInfo", "Event Logging (EL0)",
"CommonSecurityLog", "Event Logging (EL0)",
"ThreatIntelligenceIndicator", "Event Logging (EL0)",
"DeviceNetworkInfo", "Event Logging (EL0)",
"DnsEvents", "Event Logging (EL0)",
"DeviceNetworkEvents", "Event Logging (EL0)",
"AzureDiagnostics", "Event Logging (EL0)",
"Usage", "Event Logging (EL0)",
"SecurityIncident", "Event Logging (EL0)",
"SecurityAlert", "Event Logging (EL0)",
"AzureActivity", "Event Logging (EL0)",
"Heartbeat", "Event Logging (EL0)",
"OfficeActivity", "Event Logging (EL0)",
"SecurityEvent", "Event Logging (EL0)",
"Syslog", "Event Logging (EL0)",
"AWSCloudTrail", "Event Logging (EL0)",
"GWorkspaceActivityReports", "Event Logging (EL0)",
"AWSGuardDuty", "Event Logging (EL0)",
"AWSVPCFlow", "Event Logging (EL0)",
"Perf", "Basic Event Logging (EL1)",
"SentinelHealth", "Basic Event Logging (EL1)",
"DeviceLogonEvents", "Basic Event Logging (EL1)",
"DeviceEvents", "Basic Event Logging (EL1)",
"DeviceNetworkEvents", "Basic Event Logging (EL1)",
"DeviceFileEvents", "Basic Event Logging (EL1)",
"DeviceRegistryEvents", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"VMConnection", "Basic Event Logging (EL1)",
"EmailEvents", "Basic Event Logging (EL1)",
"ThreatIntelligenceIndicator", "Basic Event Logging (EL1)",
"SecurityRecommendation", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"ConfigurationData", "Basic Event Logging (EL1)",
"ConfigurationChange", "Basic Event Logging (EL1)",
"GatewayDiagnosticLog", "Basic Event Logging (EL1)",
"TunnelDiagnosticLog", "Basic Event Logging (EL1)",
"IKEDiagnosticLog", "Basic Event Logging (EL1)",
"RouteDiagnosticLog", "Basic Event Logging (EL1)",
"PS2DiagnosticLog", "Basic Event Logging (EL1)",
"Event", "Basic Event Logging (EL1)",
"SqlAtpStatus", "Basic Event Logging (EL1)",
"ConstainerInstanceLog_CL", "Basic Event Logging (EL1)",
"ContainerEvent_CL", "Basic Event Logging (EL1)",
"InsightsMetrics", "Intermediate Event Logging (EL2)",
"EmailUrlInfo", "Intermediate Event Logging (EL2)",
"EmailAttachmentInfo", "Intermediate Event Logging (EL2)",
"InformationProtectionLogs_CL", "Intermediate Event Logging (EL2)",
"CloudAppEvents", "Intermediate Event Logging (EL2)",
"ContainerInventory", "Intermediate Event Logging (EL2)",
"Update", "Advanced Event Logging (EL3)",
"BehaviorAnalytics", "Advanced Event Logging (EL3)",
"Anomalies", "Advanced Event Logging (EL3)",
"SecurityRegulatoryCompliance", "Advanced Event Logging (EL3)"
];
let LastLogTime = Usage
| summarize LastLog_Time = arg_max(TimeGenerated, *) by DataType;
Usage
| summarize last_log = datetime_diff("day",now(), max(TimeGenerated)) by DataType
| where last_log > 0
| join kind=inner (LastLogTime) on DataType
| project DataTable = DataType, ['Last Log Received'] = last_log, LastLog_Time
| where ['Last Log Received'] > 2
| join kind=inner (M2131Mapping) on DataTable
| project-away DataTable1
| order by ['Last Log Received'] desc
| extend CloudApplication = DataTable
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Analytic Rules/M2131RecommendedDatatableUnhealthy.yaml
query: |
let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)
[
"SigninLogs", "Event Logging (EL0)",
"AADManagedIdentitySignInLogs", "Event Logging (EL0)",
"AADServicePrincipalSignInLogs", "Event Logging (EL0)",
"StorageBlobLogs", "Event Logging (EL0)",
"StorageFileLogs", "Event Logging (EL0)",
"AzureMetrics", "Event Logging (EL0)",
"AuditLogs", "Event Logging (EL0)",
"IdentityInfo", "Event Logging (EL0)",
"CommonSecurityLog", "Event Logging (EL0)",
"ThreatIntelligenceIndicator", "Event Logging (EL0)",
"DeviceNetworkInfo", "Event Logging (EL0)",
"DnsEvents", "Event Logging (EL0)",
"DeviceNetworkEvents", "Event Logging (EL0)",
"AzureDiagnostics", "Event Logging (EL0)",
"Usage", "Event Logging (EL0)",
"SecurityIncident", "Event Logging (EL0)",
"SecurityAlert", "Event Logging (EL0)",
"AzureActivity", "Event Logging (EL0)",
"Heartbeat", "Event Logging (EL0)",
"OfficeActivity", "Event Logging (EL0)",
"SecurityEvent", "Event Logging (EL0)",
"Syslog", "Event Logging (EL0)",
"AWSCloudTrail", "Event Logging (EL0)",
"GWorkspaceActivityReports", "Event Logging (EL0)",
"AWSGuardDuty", "Event Logging (EL0)",
"AWSVPCFlow", "Event Logging (EL0)",
"Perf", "Basic Event Logging (EL1)",
"SentinelHealth", "Basic Event Logging (EL1)",
"DeviceLogonEvents", "Basic Event Logging (EL1)",
"DeviceEvents", "Basic Event Logging (EL1)",
"DeviceNetworkEvents", "Basic Event Logging (EL1)",
"DeviceFileEvents", "Basic Event Logging (EL1)",
"DeviceRegistryEvents", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"VMConnection", "Basic Event Logging (EL1)",
"EmailEvents", "Basic Event Logging (EL1)",
"ThreatIntelligenceIndicator", "Basic Event Logging (EL1)",
"SecurityRecommendation", "Basic Event Logging (EL1)",
"DeviceProcessEvents", "Basic Event Logging (EL1)",
"ConfigurationData", "Basic Event Logging (EL1)",
"ConfigurationChange", "Basic Event Logging (EL1)",
"GatewayDiagnosticLog", "Basic Event Logging (EL1)",
"TunnelDiagnosticLog", "Basic Event Logging (EL1)",
"IKEDiagnosticLog", "Basic Event Logging (EL1)",
"RouteDiagnosticLog", "Basic Event Logging (EL1)",
"PS2DiagnosticLog", "Basic Event Logging (EL1)",
"Event", "Basic Event Logging (EL1)",
"SqlAtpStatus", "Basic Event Logging (EL1)",
"ConstainerInstanceLog_CL", "Basic Event Logging (EL1)",
"ContainerEvent_CL", "Basic Event Logging (EL1)",
"InsightsMetrics", "Intermediate Event Logging (EL2)",
"EmailUrlInfo", "Intermediate Event Logging (EL2)",
"EmailAttachmentInfo", "Intermediate Event Logging (EL2)",
"InformationProtectionLogs_CL", "Intermediate Event Logging (EL2)",
"CloudAppEvents", "Intermediate Event Logging (EL2)",
"ContainerInventory", "Intermediate Event Logging (EL2)",
"Update", "Advanced Event Logging (EL3)",
"BehaviorAnalytics", "Advanced Event Logging (EL3)",
"Anomalies", "Advanced Event Logging (EL3)",
"SecurityRegulatoryCompliance", "Advanced Event Logging (EL3)"
];
let LastLogTime = Usage
| summarize LastLog_Time = arg_max(TimeGenerated, *) by DataType;
Usage
| summarize last_log = datetime_diff("day",now(), max(TimeGenerated)) by DataType
| where last_log > 0
| join kind=inner (LastLogTime) on DataType
| project DataTable = DataType, ['Last Log Received'] = last_log, LastLog_Time
| where ['Last Log Received'] > 2
| join kind=inner (M2131Mapping) on DataTable
| project-away DataTable1
| order by ['Last Log Received'] desc
| extend CloudApplication = DataTable
description: |
'This alert is designed to monitor recommended data tables aligned to the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when a recommended data table hasn't been observed in over 48 hours.'
severity: Medium
requiredDataConnectors: []
name: M2131_RecommendedDatatableUnhealthy
triggerThreshold: 0
tactics:
- Discovery
version: 1.0.0
relevantTechniques:
- T1082
triggerOperator: gt
entityMappings:
- entityType: CloudApplication
fieldMappings:
- columnName: DataTable
identifier: Name
id: c61b167a-59ae-42af-bc98-36c78c5acb5c
status: Available
kind: Scheduled
queryFrequency: 1d
queryPeriod: 14d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c61b167a-59ae-42af-bc98-36c78c5acb5c')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c61b167a-59ae-42af-bc98-36c78c5acb5c')]",
"properties": {
"alertRuleTemplateName": "c61b167a-59ae-42af-bc98-36c78c5acb5c",
"customDetails": null,
"description": "'This alert is designed to monitor recommended data tables aligned to the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when a recommended data table hasn't been observed in over 48 hours.'\n",
"displayName": "M2131_RecommendedDatatableUnhealthy",
"enabled": true,
"entityMappings": [
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "DataTable",
"identifier": "Name"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Analytic Rules/M2131RecommendedDatatableUnhealthy.yaml",
"query": "let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)\n[\n\"SigninLogs\",\t\"Event Logging (EL0)\",\n\"AADManagedIdentitySignInLogs\", \"Event Logging (EL0)\",\n\"AADServicePrincipalSignInLogs\",\t\"Event Logging (EL0)\",\n\"StorageBlobLogs\",\t\"Event Logging (EL0)\",\n\"StorageFileLogs\",\t\"Event Logging (EL0)\",\n\"AzureMetrics\",\t\"Event Logging (EL0)\",\n\"AuditLogs\",\t\"Event Logging (EL0)\",\n\"IdentityInfo\",\t\"Event Logging (EL0)\",\n\"CommonSecurityLog\",\t\"Event Logging (EL0)\",\n\"ThreatIntelligenceIndicator\",\t\"Event Logging (EL0)\",\n\"DeviceNetworkInfo\",\t\"Event Logging (EL0)\",\n\"DnsEvents\",\t\"Event Logging (EL0)\",\n\"DeviceNetworkEvents\",\t\"Event Logging (EL0)\",\n\"AzureDiagnostics\",\t\"Event Logging (EL0)\",\n\"Usage\",\t\"Event Logging (EL0)\",\n\"SecurityIncident\",\t\"Event Logging (EL0)\",\n\"SecurityAlert\",\t\"Event Logging (EL0)\",\n\"AzureActivity\",\t\"Event Logging (EL0)\",\n\"Heartbeat\",\t\"Event Logging (EL0)\",\n\"OfficeActivity\",\t\"Event Logging (EL0)\",\n\"SecurityEvent\",\t\"Event Logging (EL0)\",\n\"Syslog\",\t\"Event Logging (EL0)\",\n\"AWSCloudTrail\",\t\"Event Logging (EL0)\",\n\"GWorkspaceActivityReports\",\t\"Event Logging (EL0)\",\n\"AWSGuardDuty\",\t\"Event Logging (EL0)\",\n\"AWSVPCFlow\",\t\"Event Logging (EL0)\",\n\"Perf\",\t\"Basic Event Logging (EL1)\",\n\"SentinelHealth\",\t\"Basic Event Logging (EL1)\",\n\"DeviceLogonEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceNetworkEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceFileEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceRegistryEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceProcessEvents\",\t\"Basic Event Logging (EL1)\",\n\"VMConnection\",\t\"Basic Event Logging (EL1)\",\n\"EmailEvents\",\t\"Basic Event Logging (EL1)\",\n\"ThreatIntelligenceIndicator\",\t\"Basic Event Logging (EL1)\",\n\"SecurityRecommendation\",\t\"Basic Event Logging (EL1)\",\n\"DeviceProcessEvents\",\t\"Basic Event Logging (EL1)\",\n\"ConfigurationData\",\t\"Basic Event Logging (EL1)\",\n\"ConfigurationChange\",\t\"Basic Event Logging (EL1)\",\n\"GatewayDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"TunnelDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"IKEDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"RouteDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"PS2DiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"Event\",\t\"Basic Event Logging (EL1)\",\n\"SqlAtpStatus\",\t\"Basic Event Logging (EL1)\",\n\"ConstainerInstanceLog_CL\",\t\"Basic Event Logging (EL1)\",\n\"ContainerEvent_CL\",\t\"Basic Event Logging (EL1)\",\n\"InsightsMetrics\",\t\"Intermediate Event Logging (EL2)\",\n\"EmailUrlInfo\",\t\"Intermediate Event Logging (EL2)\",\n\"EmailAttachmentInfo\",\t\"Intermediate Event Logging (EL2)\",\n\"InformationProtectionLogs_CL\",\t\"Intermediate Event Logging (EL2)\",\n\"CloudAppEvents\",\t\"Intermediate Event Logging (EL2)\",\n\"ContainerInventory\",\t\"Intermediate Event Logging (EL2)\",\n\"Update\",\t\"Advanced Event Logging (EL3)\",\n\"BehaviorAnalytics\",\t\"Advanced Event Logging (EL3)\",\n\"Anomalies\",\t\"Advanced Event Logging (EL3)\",\n\"SecurityRegulatoryCompliance\",\t\"Advanced Event Logging (EL3)\"\n];\nlet LastLogTime = Usage\n| summarize LastLog_Time = arg_max(TimeGenerated, *) by DataType;\nUsage\n| summarize last_log = datetime_diff(\"day\",now(), max(TimeGenerated)) by DataType\n| where last_log > 0\n| join kind=inner (LastLogTime) on DataType\n| project DataTable = DataType, ['Last Log Received'] = last_log, LastLog_Time\n| where ['Last Log Received'] > 2\n| join kind=inner (M2131Mapping) on DataTable\n| project-away DataTable1\n| order by ['Last Log Received'] desc\n| extend CloudApplication = DataTable\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1082"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}