cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Sentinel: Maturity Model for Event Log Management (M-21-31) Solution
By
lili
Published Jan 27 2022 12:30 PM 11.9K Views
lili
Microsoft
‎Jan 27 2022 12:30 PM

Microsoft Sentinel: Maturity Model for Event Log Management (M-21-31) Solution

‎Jan 27 2022 12:30 PM

As cyber-attacks grow in number and severity against federal government systems, comprehensive cloud security mechanisms are more important than ever. Recent attacks, including SolarWinds, highlight the necessity of having sufficient logs for investigation and response when attacks occur.

 

Recently, the Biden Administration has introduced OMB M-21-31 which requires federal government customers to rapidly move towards log event management capabilities to improve the ability to investigate and respond to cloud security attacks.

 

This initiative guides federal agencies to understand log event management and is broken up into four tiers of maturity. For customers ingesting data from multiple sources, cloud providers, and on-premises environments, it is a daunting task to consider begin to address the complex requirements of M-21-31.

 

We are excited to announce the Microsoft Sentinel: Maturity Model for Event Log Management (M-21-31) Solution. This solution consists of (1) Workbook, (8) Analytics Rules, (4) Hunting Queries, and (3) Playbooks.

 

lili_11-1643309329550.gif

 

 

Watch the demo to learn more! Microsoft Sentinel: Maturity Model for Event Log Management Solution - YouTube

 

 

 

Content Use Cases

 

  • Microsoft Sentinel: Maturity Model for Event Log Management (M-21-31) Workbook: The solution provides actionable insights into log management posture and intuitive steps for remediation to driving compliance across event logging maturity levels. The workbook serves as a starting point for designing and reporting event log management capabilities by providing visibility into current posture mapped against the four maturity tiers.

lili_12-1643309364670.png

 

 

  • (8) Analytics Rules: Analytics rules and hunting queries empower security teams with ongoing monitoring and assessment. Analytics rules ensure compliance over time by tracking the agent, asset, data connector health and more to ensure log flow over time. 
    • Recommended Data table is unhealthy (last logged received drop)
    • Data Connector added, changed, or removed
    • Asset stopped logging (heartbeat)
    • Log Analytics Workspace: Active Storage is less than 12 Months
    • Event Log Management Posture Changed (Event Logging EL0)
    • Event Log Management Posture Changed (Basic Event Logging EL1)
    • Event Log Management Posture Changed (Intermediate Event Logging EL2)
    • Event Log Management Posture Changed (Advanced Event Logging EL3)

                    lili_13-1643309396662.png

 

 

  • (4) Hunting Queries: Hunting queries provide a proactive way to understand your logging environment, relative to the four maturity levels.
    • Recommended Datatable is not logged
      • Event Logging (EL0)
      • Basic Event Logging (EL1)
      • Intermediate Event Logging (EL2)
      • Advanced Event Logging (EL3)

                              lili_14-1643309421088.png

 

 

  • (3) Playbooks: Playbooks drive automated, consistent response, ensuring security teams can focus their time on what’s important: providing remediation and response based on collected insights from Microsoft Sentinel, rather than navigating across portals for relevant data.
    • Notify Log Management Team
      • Alert triggers email and teams chat to log management team
    • Open DevOps Task
      • Alert Triggers an Azure DevOps task to address the Microsoft Defender for Cloud policy recommendations.
    • Open JIRA Ticket
      • Alert Triggers a JIRA Ticket to address the Microsoft Defender for Cloud policy recommendations.
        lili_15-1643309453713.png

         

 

Solution Benefits

 

  • Single pane of glass for aggregating, managing, and actioning data from 25+ Microsoft products to address M-21-31 Logging requirements
  • Deep links for seamless pivots between products
  • Over-time analysis for more complete understanding of security and compliance posture
  • One-click, customizable reporting
  • Leverage pre-written KQL queries to gain insights from log telemetry with the option to customize for further analysis

 

lili_0-1643305915129.png

 

Reporting

 

  • 150+ visualizations, recommendations, queries across logs, azure resource graph, policy, metrics, and APIs
  • Single-click report exports via Print Workbooks feature
  • Integration with Microsoft Defender for Cloud: Regulatory Compliance Assessments
    MicrosoftTeams-image (30).png

     

 

Audience

 

  • Implementers: Design + Build
  • Assessors: Audit + Assessment
  • Analysts: Monitor + Respond
  • Decision Makers: Situational Awareness
  • MSSP: Consultants

 

Getting Started

 

This content is designed to enable a Maturity Model for Event Log Management and aligning with the M-21-31 requirements. Below are the steps to onboard required dependencies, enable connectors, review content, and provide feedback.

 

  1. Onboard Microsoft Sentinel and Microsoft Defender for Cloud
  2. Add the Azure Security Benchmark and NIST SP 800-53 Assessments to your dashboard
    1. Microsoft Defender for Cloud > Regulatory Compliance > Manage Compliance Policies > Select Subscription > Expand Industry & Regulatory Standards > Add More Standards > Add ASB and NIST SP 800-53 Assessments.
  3. Continuously Export Microsoft Defender for Cloud Data
    1. Microsoft Defender for Cloud > Enviornment Settings > Select Subscription > Continuous Export > Log Analytics Workspace > Ensure Security Recommendations (All Selected: Low/Medium/High) and Regulatory Compliance (All Standards Selected) is checked > Select Sentinel Workspace as Target > Save
  4. Deploy Solution
    1. Commercial: Azure Marketplace > Search Maturity Model for Event Log Management > Configure Options > Create
    2. Government: Access Solution on Microsoft Sentinel’s GitHub Repo. Select Deploy to Azure Government Button > Configure Options > Create 
    3. lili_1-1643305915133.png
  5. Review the Microsoft Sentinel: Maturity Model for Event Log Management (M-21-31) Workbook
    1. Microsoft Sentinel > Workbooks > Search Maturity Model for Event Log Management (M-21-31)
  6. Review/Enable Analytics Rules
    1. Microsoft Sentinel > Analytics > Search M-21-31
  7.  Review Hunting Queries
    1. Microsoft Sentinel > Hunting > Queries >Search M-21-31
  8.  Review Playbook Automation
    1. Microsoft Sentinel > Automation > Active playbooks > Search Notify-LogManagementTeam > Enable
    2. Create Automation Rule
      1.     Analytics > Search M-21-31> Edit > Automated Response > Add new > Select Actions: Run Playbook > Select Notify-LogManagementTeam and configure automation options > Review > Save > Mirror configuration across all M-21-31 analytics rules. Note, Open JIRA Ticket and Create Azure DevOps Task are additional Playbooks available per organizational requirements.

 

lili_2-1643305915140.png

 

    9. Review the content and provide feedback through the survey

 

Learn More About Meeting the Cybersecurity Executive Order with Microsoft Security

·         Executive Order on Improving the Nation’s Cybersecurity

 

 

 

 

 

 

1 Comment
Matt_Wotring
Copper Contributor
‎Dec 26 2023 05:43 PM
‎Dec 26 2023 05:43 PM

There are hundreds of recommendations seem to cover a much larger scope of cybersecurity compliance and not simply M-21-31.  Why is that?  Sure, having things like "Attestation that you are using FIPS 201 compliant PIV" is important, but how does that map back to requirements in the M-21-31 document?

Co-Authors
Version history
Last update:
‎Jan 27 2022 01:21 PM
Updated by: