Microsoft Sentinel Analytic Rules

M2131_RecommendedDatatableNotLogged_EL1

Idf9e0ae98-6828-4d5a-b596-7c4586bb14f6
RulenameM2131_RecommendedDatatableNotLogged_EL1
DescriptionThis rule audits your logging architecture against the data tables that this solution maps to Basic Event Logging (EL1) of the Maturity Model for Event Log Management (M-21-31). It reads the Usage table and raises an alert for every mapped EL1 table that has no ingestion recorded within the rule's query period. Note that this is a logging-coverage audit rather than a detection of adversary behaviour, and that the upstream source is a hunting query: the ARM template below carries no queryFrequency, queryPeriod, triggerOperator or triggerThreshold (all of which a Scheduled rule requires) and has suppression disabled, so supply those values when deploying and expect an alert on each run for as long as any EL1 table remains missing.
SeverityMedium
TacticsDiscovery
TechniquesT1082
KindScheduled
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL1.yaml
Version1.0.0
Arm templatef9e0ae98-6828-4d5a-b596-7c4586bb14f6.json
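// Logging-coverage audit: report every Sentinel table that this solution maps to
// M-21-31 "Basic Event Logging (EL1)" and that has no ingestion recorded in the
// Usage table for the rule's query period.
//
// How it works: Usage holds one row per (hour, DataType) with the ingested volume
// in Quantity. A full-outer join of the per-table totals against the mapping below
// leaves Size null for every mapped table that never appeared; those rows are the
// output, one per missing table.
//
// NOTE(review): the table-to-tier mapping is this solution's reading of M-21-31,
// which names event categories rather than Sentinel tables - confirm the list against
// your own architecture before treating a hit as a compliance gap. Several tables
// (e.g. ThreatIntelligenceIndicator, DeviceNetworkEvents) are deliberately listed at
// more than one tier; only their EL1 row is evaluated here.
// NOTE(review): the lookback is whatever query period the scheduled rule is given;
// a table that stopped ingesting inside that window still counts as logged.
let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)
[
    "SigninLogs",                     "Event Logging (EL0)",
    "AADManagedIdentitySignInLogs",   "Event Logging (EL0)",
    "AADServicePrincipalSignInLogs",  "Event Logging (EL0)",
    "StorageBlobLogs",                "Event Logging (EL0)",
    "StorageFileLogs",                "Event Logging (EL0)",
    "AzureMetrics",                   "Event Logging (EL0)",
    "AuditLogs",                      "Event Logging (EL0)",
    "IdentityInfo",                   "Event Logging (EL0)",
    "CommonSecurityLog",              "Event Logging (EL0)",
    "ThreatIntelligenceIndicator",    "Event Logging (EL0)",
    "DeviceNetworkInfo",              "Event Logging (EL0)",
    "DnsEvents",                      "Event Logging (EL0)",
    "DeviceNetworkEvents",            "Event Logging (EL0)",
    "AzureDiagnostics",               "Event Logging (EL0)",
    "Usage",                          "Event Logging (EL0)",
    "SecurityIncident",               "Event Logging (EL0)",
    "SecurityAlert",                  "Event Logging (EL0)",
    "AzureActivity",                  "Event Logging (EL0)",
    "Heartbeat",                      "Event Logging (EL0)",
    "OfficeActivity",                 "Event Logging (EL0)",
    "SecurityEvent",                  "Event Logging (EL0)",
    "Syslog",                         "Event Logging (EL0)",
    "AWSCloudTrail",                  "Event Logging (EL0)",
    "GWorkspaceActivityReports",      "Event Logging (EL0)",
    "AWSGuardDuty",                   "Event Logging (EL0)",
    "AWSVPCFlow",                     "Event Logging (EL0)",
    "Perf",                           "Basic Event Logging (EL1)",
    "SentinelHealth",                 "Basic Event Logging (EL1)",
    "DeviceLogonEvents",              "Basic Event Logging (EL1)",
    "DeviceEvents",                   "Basic Event Logging (EL1)",
    "DeviceNetworkEvents",            "Basic Event Logging (EL1)",
    "DeviceFileEvents",               "Basic Event Logging (EL1)",
    "DeviceRegistryEvents",           "Basic Event Logging (EL1)",
    // Listed exactly once: a duplicate EL1 row made NotLogged report 2 for this table.
    "DeviceProcessEvents",            "Basic Event Logging (EL1)",
    "VMConnection",                   "Basic Event Logging (EL1)",
    "EmailEvents",                    "Basic Event Logging (EL1)",
    "ThreatIntelligenceIndicator",    "Basic Event Logging (EL1)",
    "SecurityRecommendation",         "Basic Event Logging (EL1)",
    "ConfigurationData",              "Basic Event Logging (EL1)",
    "ConfigurationChange",            "Basic Event Logging (EL1)",
    "GatewayDiagnosticLog",           "Basic Event Logging (EL1)",
    "TunnelDiagnosticLog",            "Basic Event Logging (EL1)",
    "IKEDiagnosticLog",               "Basic Event Logging (EL1)",
    "RouteDiagnosticLog",             "Basic Event Logging (EL1)",
    "PS2DiagnosticLog",               "Basic Event Logging (EL1)",
    "Event",                          "Basic Event Logging (EL1)",
    "SqlAtpStatus",                   "Basic Event Logging (EL1)",
    // Azure Container Instances log table; the earlier "ConstainerInstanceLog_CL"
    // spelling could never match a real table and so was flagged on every run.
    "ContainerInstanceLog_CL",        "Basic Event Logging (EL1)",
    "ContainerEvent_CL",              "Basic Event Logging (EL1)",
    "InsightsMetrics",                "Intermediate Event Logging (EL2)",
    "EmailUrlInfo",                   "Intermediate Event Logging (EL2)",
    "EmailAttachmentInfo",            "Intermediate Event Logging (EL2)",
    "InformationProtectionLogs_CL",   "Intermediate Event Logging (EL2)",
    "CloudAppEvents",                 "Intermediate Event Logging (EL2)",
    "ContainerInventory",             "Intermediate Event Logging (EL2)",
    "Update",                         "Advanced Event Logging (EL3)",
    "BehaviorAnalytics",              "Advanced Event Logging (EL3)",
    "Anomalies",                      "Advanced Event Logging (EL3)",
    "SecurityRegulatoryCompliance",   "Advanced Event Logging (EL3)"
];
Usage
  // Total ingested volume per table over the query period; nothing else from Usage
  // is needed downstream, so no other aggregates are computed.
  | summarize Size = sum(Quantity) by DataType
  // Full outer so that mapped tables with no Usage row survive with Size == null.
  | join kind=fullouter (M2131Mapping) on $left.DataType == $right.DataTable
  | project RecommendedDataTable = DataTable, MaturityLevel, Size
  // Size is numeric: isnull() is the precise test for "no Usage row at all"
  // (the join leaves it null only for unmatched mapping rows).
  | summarize Logged = countif(Size > 0), NotLogged = countif(isnull(Size))
      by RecommendedDataTable, MaturityLevel
  // Only the EL1 tier is in scope for this rule. Usage is mapped to EL0 and is the
  // table being queried, so it is excluded defensively rather than because it can hit.
  | where NotLogged > 0
      and MaturityLevel == "Basic Event Logging (EL1)"
      and RecommendedDataTable <> "Usage"
  | project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved = now()
  // The rule's CloudApplication entity (identifier Name) is fed from this column.
  | extend CloudApplication = RecommendedDataTable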
entityMappings:
- fieldMappings:
  - columnName: RecommendedDataTable
    identifier: Name
  entityType: CloudApplication
tactics:
- Discovery
name: M2131_RecommendedDatatableNotLogged_EL1
query: |
  let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)
  [
  "SigninLogs",	"Event Logging (EL0)",
  "AADManagedIdentitySignInLogs", "Event Logging (EL0)",
  "AADServicePrincipalSignInLogs",	"Event Logging (EL0)",
  "StorageBlobLogs",	"Event Logging (EL0)",
  "StorageFileLogs",	"Event Logging (EL0)",
  "AzureMetrics",	"Event Logging (EL0)",
  "AuditLogs",	"Event Logging (EL0)",
  "IdentityInfo",	"Event Logging (EL0)",
  "CommonSecurityLog",	"Event Logging (EL0)",
  "ThreatIntelligenceIndicator",	"Event Logging (EL0)",
  "DeviceNetworkInfo",	"Event Logging (EL0)",
  "DnsEvents",	"Event Logging (EL0)",
  "DeviceNetworkEvents",	"Event Logging (EL0)",
  "AzureDiagnostics",	"Event Logging (EL0)",
  "Usage",	"Event Logging (EL0)",
  "SecurityIncident",	"Event Logging (EL0)",
  "SecurityAlert",	"Event Logging (EL0)",
  "AzureActivity",	"Event Logging (EL0)",
  "Heartbeat",	"Event Logging (EL0)",
  "OfficeActivity",	"Event Logging (EL0)",
  "SecurityEvent",	"Event Logging (EL0)",
  "Syslog",	"Event Logging (EL0)",
  "AWSCloudTrail",	"Event Logging (EL0)",
  "GWorkspaceActivityReports",	"Event Logging (EL0)",
  "AWSGuardDuty",	"Event Logging (EL0)",
  "AWSVPCFlow",	"Event Logging (EL0)",
  "Perf",	"Basic Event Logging (EL1)",
  "SentinelHealth",	"Basic Event Logging (EL1)",
  "DeviceLogonEvents",	"Basic Event Logging (EL1)",
  "DeviceEvents",	"Basic Event Logging (EL1)",
  "DeviceNetworkEvents",	"Basic Event Logging (EL1)",
  "DeviceFileEvents",	"Basic Event Logging (EL1)",
  "DeviceRegistryEvents",	"Basic Event Logging (EL1)",
  "DeviceProcessEvents",	"Basic Event Logging (EL1)",
  "VMConnection",	"Basic Event Logging (EL1)",
  "EmailEvents",	"Basic Event Logging (EL1)",
  "ThreatIntelligenceIndicator",	"Basic Event Logging (EL1)",
  "SecurityRecommendation",	"Basic Event Logging (EL1)",
  "DeviceProcessEvents",	"Basic Event Logging (EL1)",
  "ConfigurationData",	"Basic Event Logging (EL1)",
  "ConfigurationChange",	"Basic Event Logging (EL1)",
  "GatewayDiagnosticLog",	"Basic Event Logging (EL1)",
  "TunnelDiagnosticLog",	"Basic Event Logging (EL1)",
  "IKEDiagnosticLog",	"Basic Event Logging (EL1)",
  "RouteDiagnosticLog",	"Basic Event Logging (EL1)",
  "PS2DiagnosticLog",	"Basic Event Logging (EL1)",
  "Event",	"Basic Event Logging (EL1)",
  "SqlAtpStatus",	"Basic Event Logging (EL1)",
  "ConstainerInstanceLog_CL",	"Basic Event Logging (EL1)",
  "ContainerEvent_CL",	"Basic Event Logging (EL1)",
  "InsightsMetrics",	"Intermediate Event Logging (EL2)",
  "EmailUrlInfo",	"Intermediate Event Logging (EL2)",
  "EmailAttachmentInfo",	"Intermediate Event Logging (EL2)",
  "InformationProtectionLogs_CL",	"Intermediate Event Logging (EL2)",
  "CloudAppEvents",	"Intermediate Event Logging (EL2)",
  "ContainerInventory",	"Intermediate Event Logging (EL2)",
  "Update",	"Advanced Event Logging (EL3)",
  "BehaviorAnalytics",	"Advanced Event Logging (EL3)",
  "Anomalies",	"Advanced Event Logging (EL3)",
  "SecurityRegulatoryCompliance",	"Advanced Event Logging (EL3)"
  ];
  Usage
    | summarize Entries = count(), Size = sum(Quantity), last_log = datetime_diff("second",now(), max(TimeGenerated)) by DataType
    | join kind=fullouter(M2131Mapping) on $left.DataType == $right.DataTable
    | project RecommendedDataTable=DataTable, ExistingDataTable=DataType, MaturityLevel, Size
    | summarize Logged = countif(Size > 0), NotLogged = countif(isempty(Size)) by RecommendedDataTable, MaturityLevel
    | where NotLogged > 0 and MaturityLevel == "Basic Event Logging (EL1)" and RecommendedDataTable <> "Usage"
    //| where RecommendedDataTable <> "Data Table Name"
    | project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved=now()
    | extend CloudApplication = RecommendedDataTable  
severity: Medium
kind: Scheduled
relevantTechniques:
- T1082
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL1.yaml
id: f9e0ae98-6828-4d5a-b596-7c4586bb14f6
requiredDataConnectors: []
description: |
    This rule audits your logging architecture against the data tables that this solution maps to Basic Event Logging (EL1) of the Maturity Model for Event Log Management (M-21-31). It reads the Usage table and raises an alert for every mapped EL1 table with no ingestion recorded within the rule's query period; it is a logging-coverage audit, not a detection of adversary behaviour.
version: 1.0.0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f9e0ae98-6828-4d5a-b596-7c4586bb14f6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f9e0ae98-6828-4d5a-b596-7c4586bb14f6')]",
      "properties": {
        "alertRuleTemplateName": "f9e0ae98-6828-4d5a-b596-7c4586bb14f6",
        "customDetails": null,
        "description": "'This alert audits your logging architecture for recommended data tables aligned to Basic Event Logging (EL1) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL1 are not present.'\n",
        "displayName": "M2131_RecommendedDatatableNotLogged_EL1",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "RecommendedDataTable",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131/Hunting Queries/M2131RecommendedDatatableNotLoggedEL1.yaml",
        "query": "let M2131Mapping = datatable(DataTable:string, MaturityLevel:string)\n[\n\"SigninLogs\",\t\"Event Logging (EL0)\",\n\"AADManagedIdentitySignInLogs\", \"Event Logging (EL0)\",\n\"AADServicePrincipalSignInLogs\",\t\"Event Logging (EL0)\",\n\"StorageBlobLogs\",\t\"Event Logging (EL0)\",\n\"StorageFileLogs\",\t\"Event Logging (EL0)\",\n\"AzureMetrics\",\t\"Event Logging (EL0)\",\n\"AuditLogs\",\t\"Event Logging (EL0)\",\n\"IdentityInfo\",\t\"Event Logging (EL0)\",\n\"CommonSecurityLog\",\t\"Event Logging (EL0)\",\n\"ThreatIntelligenceIndicator\",\t\"Event Logging (EL0)\",\n\"DeviceNetworkInfo\",\t\"Event Logging (EL0)\",\n\"DnsEvents\",\t\"Event Logging (EL0)\",\n\"DeviceNetworkEvents\",\t\"Event Logging (EL0)\",\n\"AzureDiagnostics\",\t\"Event Logging (EL0)\",\n\"Usage\",\t\"Event Logging (EL0)\",\n\"SecurityIncident\",\t\"Event Logging (EL0)\",\n\"SecurityAlert\",\t\"Event Logging (EL0)\",\n\"AzureActivity\",\t\"Event Logging (EL0)\",\n\"Heartbeat\",\t\"Event Logging (EL0)\",\n\"OfficeActivity\",\t\"Event Logging (EL0)\",\n\"SecurityEvent\",\t\"Event Logging (EL0)\",\n\"Syslog\",\t\"Event Logging (EL0)\",\n\"AWSCloudTrail\",\t\"Event Logging (EL0)\",\n\"GWorkspaceActivityReports\",\t\"Event Logging (EL0)\",\n\"AWSGuardDuty\",\t\"Event Logging (EL0)\",\n\"AWSVPCFlow\",\t\"Event Logging (EL0)\",\n\"Perf\",\t\"Basic Event Logging (EL1)\",\n\"SentinelHealth\",\t\"Basic Event Logging (EL1)\",\n\"DeviceLogonEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceNetworkEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceFileEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceRegistryEvents\",\t\"Basic Event Logging (EL1)\",\n\"DeviceProcessEvents\",\t\"Basic Event Logging (EL1)\",\n\"VMConnection\",\t\"Basic Event Logging (EL1)\",\n\"EmailEvents\",\t\"Basic Event Logging (EL1)\",\n\"ThreatIntelligenceIndicator\",\t\"Basic Event Logging (EL1)\",\n\"SecurityRecommendation\",\t\"Basic Event Logging 
(EL1)\",\n\"DeviceProcessEvents\",\t\"Basic Event Logging (EL1)\",\n\"ConfigurationData\",\t\"Basic Event Logging (EL1)\",\n\"ConfigurationChange\",\t\"Basic Event Logging (EL1)\",\n\"GatewayDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"TunnelDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"IKEDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"RouteDiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"PS2DiagnosticLog\",\t\"Basic Event Logging (EL1)\",\n\"Event\",\t\"Basic Event Logging (EL1)\",\n\"SqlAtpStatus\",\t\"Basic Event Logging (EL1)\",\n\"ConstainerInstanceLog_CL\",\t\"Basic Event Logging (EL1)\",\n\"ContainerEvent_CL\",\t\"Basic Event Logging (EL1)\",\n\"InsightsMetrics\",\t\"Intermediate Event Logging (EL2)\",\n\"EmailUrlInfo\",\t\"Intermediate Event Logging (EL2)\",\n\"EmailAttachmentInfo\",\t\"Intermediate Event Logging (EL2)\",\n\"InformationProtectionLogs_CL\",\t\"Intermediate Event Logging (EL2)\",\n\"CloudAppEvents\",\t\"Intermediate Event Logging (EL2)\",\n\"ContainerInventory\",\t\"Intermediate Event Logging (EL2)\",\n\"Update\",\t\"Advanced Event Logging (EL3)\",\n\"BehaviorAnalytics\",\t\"Advanced Event Logging (EL3)\",\n\"Anomalies\",\t\"Advanced Event Logging (EL3)\",\n\"SecurityRegulatoryCompliance\",\t\"Advanced Event Logging (EL3)\"\n];\nUsage\n  | summarize Entries = count(), Size = sum(Quantity), last_log = datetime_diff(\"second\",now(), max(TimeGenerated)) by DataType\n  | join kind=fullouter(M2131Mapping) on $left.DataType == $right.DataTable\n  | project RecommendedDataTable=DataTable, ExistingDataTable=DataType, MaturityLevel, Size\n  | summarize Logged = countif(Size > 0), NotLogged = countif(isempty(Size)) by RecommendedDataTable, MaturityLevel\n  | where NotLogged > 0 and MaturityLevel == \"Basic Event Logging (EL1)\" and RecommendedDataTable <> \"Usage\"\n  //| where RecommendedDataTable <> \"Data Table Name\"\n  | project RecommendedDataTable, MaturityLevel, NotLogged, TimeObserved=now()\n  | extend CloudApplication = 
RecommendedDataTable\n",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1082"
        ],
        "templateVersion": "1.0.0"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}