Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

M2131_RecommendedDatatableNotLogged_EL1

Back
Idf9e0ae98-6828-4d5a-b596-7c4586bb14f6
RulenameM2131_RecommendedDatatableNotLogged_EL1
DescriptionThis alert audits your logging architecture for recommended data tables aligned to Basic Event Logging (EL1) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL1 are not present.
SeverityMedium
TacticsDiscovery
TechniquesT1082
KindScheduled
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL1.yaml
Version1.0.0
Arm templatef9e0ae98-6828-4d5a-b596-7c4586bb14f6.json
Deploy To Azure
let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)
[
"SigninLogs",	"Event Logging (EL0)",
"AADManagedIdentitySignInLogs", "Event Logging (EL0)",
"AADServicePrincipalSignInLogs",	"Event Logging (EL0)",
"StorageBlobLogs",	"Event Logging (EL0)",
"StorageFileLogs",	"Event Logging (EL0)",
"AzureMetrics",	"Event Logging (EL0)",
"AuditLogs",	"Event Logging (EL0)",
"IdentityInfo",	"Event Logging (EL0)",
"CommonSecurityLog",	"Event Logging (EL0)",
"ThreatIntelligenceIndicator",	"Event Logging (EL0)",
"DeviceNetworkInfo",	"Event Logging (EL0)",
"DnsEvents",	"Event Logging (EL0)",
"DeviceNetworkEvents",	"Event Logging (EL0)",
"AzureDiagnostics",	"Event Logging (EL0)",
"Usage",	"Event Logging (EL0)",
"SecurityIncident",	"Event Logging (EL0)",
"SecurityAlert",	"Event Logging (EL0)",
"AzureActivity",	"Event Logging (EL0)",
"Heartbeat",	"Event Logging (EL0)",
"OfficeActivity",	"Event Logging (EL0)",
"SecurityEvent",	"Event Logging (EL0)",
"Syslog",	"Event Logging (EL0)",
"AWSCloudTrail",	"Event Logging (EL0)",
"GWorkspaceActivityReports",	"Event Logging (EL0)",
"AWSGuardDuty",	"Event Logging (EL0)",
"AWSVPCFlow",	"Event Logging (EL0)",
"Perf",	"Basic Event Logging (EL1)",
"SentinelHealth",	"Basic Event Logging (EL1)",
"DeviceLogonEvents",	"Basic Event Logging (EL1)",
"DeviceEvents",	"Basic Event Logging (EL1)",
"DeviceNetworkEvents",	"Basic Event Logging (EL1)",
"DeviceFileEvents",	"Basic Event Logging (EL1)",
"DeviceRegistryEvents",	"Basic Event Logging (EL1)",
"DeviceProcessEvents",	"Basic Event Logging (EL1)",
"VMConnection",	"Basic Event Logging (EL1)",
"EmailEvents",	"Basic Event Logging (EL1)",
"ThreatIntelligenceIndicator",	"Basic Event Logging (EL1)",
"SecurityRecommendation",	"Basic Event Logging (EL1)",
"DeviceProcessEvents",	"Basic Event Logging (EL1)",
"ConfigurationData",	"Basic Event Logging (EL1)",
"ConfigurationChange",	"Basic Event Logging (EL1)",
"GatewayDiagnosticLog",	"Basic Event Logging (EL1)",
"TunnelDiagnosticLog",	"Basic Event Logging (EL1)",
"IKEDiagnosticLog",	"Basic Event Logging (EL1)",
"RouteDiagnosticLog",	"Basic Event Logging (EL1)",
"PS2DiagnosticLog",	"Basic Event Logging (EL1)",
"Event",	"Basic Event Logging (EL1)",
"SqlAtpStatus",	"Basic Event Logging (EL1)",
"ConstainerInstanceLog_CL",	"Basic Event Logging (EL1)",
"ContainerEvent_CL",	"Basic Event Logging (EL1)",
"InsightsMetrics",	"Intermediate Event Logging (EL2)",
"EmailUrlInfo",	"Intermediate Event Logging (EL2)",
"EmailAttachmentInfo",	"Intermediate Event Logging (EL2)",
"InformationProtectionLogs_CL",	"Intermediate Event Logging (EL2)",
"CloudAppEvents",	"Intermediate Event Logging (EL2)",
"ContainerInventory",	"Intermediate Event Logging (EL2)",
"Update",	"Advanced Event Logging (EL3)",
"BehaviorAnalytics",	"Advanced Event Logging (EL3)",
"Anomalies",	"Advanced Event Logging (EL3)",
"SecurityRegulatoryCompliance",	"Advanced Event Logging (EL3)"
];
Usage
  | summarize Entries = count(), Size = sum(Quantity), last_log = datetime_diff("second",now(), max(TimeGenerated)) by DataType
  | join kind=fullouter(M2131Mapping) on $left.DataType == $right.DataTable
  | project RecommendedDataTable=DataTable, ExistingDataTable=DataType, MaturityLevel, Size
  | summarize Logged = countif(Size > 0), NotLogged = countif(isempty(Size)) by RecommendedDataTable, MaturityLevel
  | where NotLogged > 0 and MaturityLevel == "Basic Event Logging (EL1)" and RecommendedDataTable <> "Usage"
  //| where RecommendedDataTable <> "Data Table Name"
  | project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved=now()
  | extend CloudApplication = RecommendedDataTable
kind: Scheduled
relevantTechniques:
- T1082
description: |
    'This alert audits your logging architecture for recommended data tables aligned to Basic Event Logging (EL1) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL1 are not present.'
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: RecommendedDataTable
name: M2131_RecommendedDatatableNotLogged_EL1
tactics:
- Discovery
requiredDataConnectors: []
version: 1.0.0
id: f9e0ae98-6828-4d5a-b596-7c4586bb14f6
query: |
  let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)
  [
  "SigninLogs",	"Event Logging (EL0)",
  "AADManagedIdentitySignInLogs", "Event Logging (EL0)",
  "AADServicePrincipalSignInLogs",	"Event Logging (EL0)",
  "StorageBlobLogs",	"Event Logging (EL0)",
  "StorageFileLogs",	"Event Logging (EL0)",
  "AzureMetrics",	"Event Logging (EL0)",
  "AuditLogs",	"Event Logging (EL0)",
  "IdentityInfo",	"Event Logging (EL0)",
  "CommonSecurityLog",	"Event Logging (EL0)",
  "ThreatIntelligenceIndicator",	"Event Logging (EL0)",
  "DeviceNetworkInfo",	"Event Logging (EL0)",
  "DnsEvents",	"Event Logging (EL0)",
  "DeviceNetworkEvents",	"Event Logging (EL0)",
  "AzureDiagnostics",	"Event Logging (EL0)",
  "Usage",	"Event Logging (EL0)",
  "SecurityIncident",	"Event Logging (EL0)",
  "SecurityAlert",	"Event Logging (EL0)",
  "AzureActivity",	"Event Logging (EL0)",
  "Heartbeat",	"Event Logging (EL0)",
  "OfficeActivity",	"Event Logging (EL0)",
  "SecurityEvent",	"Event Logging (EL0)",
  "Syslog",	"Event Logging (EL0)",
  "AWSCloudTrail",	"Event Logging (EL0)",
  "GWorkspaceActivityReports",	"Event Logging (EL0)",
  "AWSGuardDuty",	"Event Logging (EL0)",
  "AWSVPCFlow",	"Event Logging (EL0)",
  "Perf",	"Basic Event Logging (EL1)",
  "SentinelHealth",	"Basic Event Logging (EL1)",
  "DeviceLogonEvents",	"Basic Event Logging (EL1)",
  "DeviceEvents",	"Basic Event Logging (EL1)",
  "DeviceNetworkEvents",	"Basic Event Logging (EL1)",
  "DeviceFileEvents",	"Basic Event Logging (EL1)",
  "DeviceRegistryEvents",	"Basic Event Logging (EL1)",
  "DeviceProcessEvents",	"Basic Event Logging (EL1)",
  "VMConnection",	"Basic Event Logging (EL1)",
  "EmailEvents",	"Basic Event Logging (EL1)",
  "ThreatIntelligenceIndicator",	"Basic Event Logging (EL1)",
  "SecurityRecommendation",	"Basic Event Logging (EL1)",
  "DeviceProcessEvents",	"Basic Event Logging (EL1)",
  "ConfigurationData",	"Basic Event Logging (EL1)",
  "ConfigurationChange",	"Basic Event Logging (EL1)",
  "GatewayDiagnosticLog",	"Basic Event Logging (EL1)",
  "TunnelDiagnosticLog",	"Basic Event Logging (EL1)",
  "IKEDiagnosticLog",	"Basic Event Logging (EL1)",
  "RouteDiagnosticLog",	"Basic Event Logging (EL1)",
  "PS2DiagnosticLog",	"Basic Event Logging (EL1)",
  "Event",	"Basic Event Logging (EL1)",
  "SqlAtpStatus",	"Basic Event Logging (EL1)",
  "ConstainerInstanceLog_CL",	"Basic Event Logging (EL1)",
  "ContainerEvent_CL",	"Basic Event Logging (EL1)",
  "InsightsMetrics",	"Intermediate Event Logging (EL2)",
  "EmailUrlInfo",	"Intermediate Event Logging (EL2)",
  "EmailAttachmentInfo",	"Intermediate Event Logging (EL2)",
  "InformationProtectionLogs_CL",	"Intermediate Event Logging (EL2)",
  "CloudAppEvents",	"Intermediate Event Logging (EL2)",
  "ContainerInventory",	"Intermediate Event Logging (EL2)",
  "Update",	"Advanced Event Logging (EL3)",
  "BehaviorAnalytics",	"Advanced Event Logging (EL3)",
  "Anomalies",	"Advanced Event Logging (EL3)",
  "SecurityRegulatoryCompliance",	"Advanced Event Logging (EL3)"
  ];
  Usage
    | summarize Entries = count(), Size = sum(Quantity), last_log = datetime_diff("second",now(), max(TimeGenerated)) by DataType
    | join kind=fullouter(M2131Mapping) on $left.DataType == $right.DataTable
    | project RecommendedDataTable=DataTable, ExistingDataTable=DataType, MaturityLevel, Size
    | summarize Logged = countif(Size > 0), NotLogged = countif(isempty(Size)) by RecommendedDataTable, MaturityLevel
    | where NotLogged > 0 and MaturityLevel == "Basic Event Logging (EL1)" and RecommendedDataTable <> "Usage"
    //| where RecommendedDataTable <> "Data Table Name"
    | project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved=now()
    | extend CloudApplication = RecommendedDataTable  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL1.yaml
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f9e0ae98-6828-4d5a-b596-7c4586bb14f6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f9e0ae98-6828-4d5a-b596-7c4586bb14f6')]",
      "properties": {
        "alertRuleTemplateName": "f9e0ae98-6828-4d5a-b596-7c4586bb14f6",
        "customDetails": null,
        "description": "'This alert audits your logging architecture for recommended data tables aligned to Basic Event Logging (EL1) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL1 are not present.'\n",
        "displayName": "M2131_RecommendedDatatableNotLogged_EL1",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "RecommendedDataTable",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL1.yaml",
        "query": "let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)\n[\n\"SigninLogs\",\t\"Event Logging (EL0)\",\n\"AADManagedIdentitySignInLogs\", \"Event Logging (EL0)\",\n\"AADServicePrincipalSignInLogs\",\t\"Event Logging (EL0)\",\n\"StorageBlobLogs\",\t\"Event Logging (EL0)\",\n\"StorageFileLogs\",\t\"Event Logging (EL0)\",\n\"AzureMetrics\",\t\"Event Logging (EL0)\",\n\"AuditLogs\",\t\"Event Logging (EL0)\",\n\"IdentityInfo\",\t\"Event Logging (EL0)\",\n\"CommonSecurityLog\",\t\"Event Logging (EL0)\",\n\"ThreatIntelligenceIndicator\",\t\"Event Logging (EL0)\",\n\"DeviceNetworkInfo\",\t\"Event Logging (EL0)\",\n\"DnsEvents\",\t\"Event Logging (EL0)\",\n\"DeviceNetworkEvents\",\t\"Event Logging (EL0)\",\n\"AzureDiagnostics\",\t\"Event Logging (EL0)\",\n\"Usage\",\t\"Event Logging (EL0)\",\n\"SecurityIncident\",\t\"Event Logging (EL0)\",\n\"SecurityAlert\",\t\"Event Logging (EL0)\",\n\"AzureActivity\",\t\"Event Logging (EL0)\",\n\"Heartbeat\",\t\"Event Logging (EL0)\",\n\"OfficeActivity\",\t\"Event Logging (EL0)\",\n\"SecurityEvent\",\t\"Event Logging (EL0)\",\n\"Syslog\",\t\"Event Logging (EL0)\",\n\"AWSCloudTrail\",\t\"Event Logging (EL0)\",\n\"GWorkspaceActivityReports\",\t\"Event Logging (EL0)\",\n\"AWSGuardDuty\",\t\"Event Logging (EL0)\",\n\"AWSVPCFlow\",\t\"Event Logging (EL0)\",\n\"Perf\",\t\"Basic Event Logging (EL1)\",\n\"SentinelHealth\",\t\"Basic Event Logging (EL1)\",\n\"DeviceLogonEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceNetworkEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceFileEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceRegistryEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceProcessEvents\",\t\"Basic Event Logging (EL1)\",\n\"VMConnection\",\t\"Basic Event Logging (EL1)\",\n\"EmailEvents\",\t\"Basic Event Logging (EL1)\",\n\"ThreatIntelligenceIndicator\",\t\"Basic Event Logging (EL1)\",\n\"SecurityRecommendation\",\t\"Basic Event Logging (EL1)\",\n\"DeviceProcessEvents\",\t\"Basic Event Logging (EL1)\",\n\"ConfigurationData\",\t\"Basic Event Logging (EL1)\",\n\"ConfigurationChange\",\t\"Basic Event Logging (EL1)\",\n\"GatewayDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"TunnelDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"IKEDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"RouteDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"PS2DiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"Event\",\t\"Basic Event Logging (EL1)\",\n\"SqlAtpStatus\",\t\"Basic Event Logging (EL1)\",\n\"ConstainerInstanceLog_CL\",\t\"Basic Event Logging (EL1)\",\n\"ContainerEvent_CL\",\t\"Basic Event Logging (EL1)\",\n\"InsightsMetrics\",\t\"Intermediate Event Logging (EL2)\",\n\"EmailUrlInfo\",\t\"Intermediate Event Logging (EL2)\",\n\"EmailAttachmentInfo\",\t\"Intermediate Event Logging (EL2)\",\n\"InformationProtectionLogs_CL\",\t\"Intermediate Event Logging (EL2)\",\n\"CloudAppEvents\",\t\"Intermediate Event Logging (EL2)\",\n\"ContainerInventory\",\t\"Intermediate Event Logging (EL2)\",\n\"Update\",\t\"Advanced Event Logging (EL3)\",\n\"BehaviorAnalytics\",\t\"Advanced Event Logging (EL3)\",\n\"Anomalies\",\t\"Advanced Event Logging (EL3)\",\n\"SecurityRegulatoryCompliance\",\t\"Advanced Event Logging (EL3)\"\n];\nUsage\n  | summarize Entries = count(), Size = sum(Quantity), last_log = datetime_diff(\"second\",now(), max(TimeGenerated)) by DataType\n  | join kind=fullouter(M2131Mapping) on $left.DataType == $right.DataTable\n  | project RecommendedDataTable=DataTable, ExistingDataTable=DataType, MaturityLevel, Size\n  | summarize Logged = countif(Size > 0), NotLogged = countif(isempty(Size)) by RecommendedDataTable, MaturityLevel\n  | where NotLogged > 0 and MaturityLevel == \"Basic Event Logging (EL1)\" and RecommendedDataTable <> \"Usage\"\n  //| where RecommendedDataTable <> \"Data Table Name\"\n  | project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved=now()\n  | extend CloudApplication = RecommendedDataTable\n",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1082"
        ],
        "templateVersion": "1.0.0"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}