| Attribute | Value |
|---|---|
| Type | Workbook |
| Solution | MaturityModelForEventLogManagementM2131 |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| AADManagedIdentitySignInLogs | | ✓ | ✗ | ✓ |
| AADServicePrincipalSignInLogs | | ✓ | ✗ | ✓ |
| AWSCloudTrail | | ✓ | ✓ | ✓ |
| AWSGuardDuty | | ✓ | ✓ | ✓ |
| AWSVPCFlow | | ✓ | ✓ | ✓ |
| AlertEvidence | | ✓ | ✗ | ✓ |
| AuditLogs | OperationName in "Add member to role,Add user,ApplicationGatewayFirewall,AzureFirewallIDSLog,Reset user password,Update user"; OperationName !contains "external"; OperationName !contains "invite"; OperationName !contains "licnense"; OperationName contains "group"; OperationName contains "member"; OperationName contains "principal"; OperationName contains "role"; OperationName contains "user" | ✓ | ✗ | ✓ |
| AzureActivity | ActivityStatusValue == "Success"; ActivitySubstatusValue in "Created,OK"; OperationNameValue contains "Microsoft.Network/loadBalancers/"; OperationNameValue contains "Network"; ResourceProviderValue in "MICROSOFT.CONTAINERSERVICE,MICROSOFT.LOGIC" | ✗ | ✗ | ✗ |
| AzureDiagnostics 🔶 | Category in "AzureFirewallApplicationRule,AzureFirewallNetworkRule,EntitlementManagement,FrontdoorWebApplicationFirewallLog,GatewayDiagnosticLog,GroupManagement,IKEDiagnosticLog,NetworkSecurityGroupEvent,RouteDiagnosticLog,TunnelDiagnosticLog,UserManagement,WebApplicationFirewallLogs,kube-audit"; Category contains "SQL"; Resource == "SOC-NS-AG-WAFV2"; ResourceProvider in "MICROSOFT.CONTAINERSERVICE,MICROSOFT.KEYVAULT"; ResourceType in "APPLICATIONGATEWAYS,AZUREFIREWALLS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS,PROFILES,PUBLICIPADDRESSES,SERVERS/DATABASES"; msg_s !has ". Url"; msg_s !has "No rule matched"; msg_s !has "Reason:"; msg_s !has "Rule Collection"; msg_s !has "TLS extension was missing"; msg_s !has "Web Category:"; msg_s has ". No rule matched"; msg_s has ". Url"; msg_s has "Reason:"; msg_s has "Rule Collection Group"; msg_s has "Web Category:" | ✗ | ✗ | ✗ |
| BehaviorAnalytics | | ✓ | ✗ | ? |
| CarbonBlack_Alerts_CL | | ✗ | ✓ | ✗ |
| CloudAppEvents | | ✓ | ✗ | ✓ |
| CommonSecurityLog | | ✓ | ✓ | ✓ |
| ConfigurationChange | ConfigChangeType == "Registry" | ✓ | ✗ | ? |
| ConfigurationData | ConfigDataType == "Registry" | ✓ | ✗ | ? |
| DeviceNetworkEvents | | ✓ | ✗ | ? |
| DeviceNetworkInfo | | ✓ | ✗ | ? |
| DeviceProcessEvents | ActionType in "Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user" | ✓ | ✗ | ? |
| DnsEvents | | ✓ | ✗ | ✓ |
| Dynamics365Activity | | ✓ | ✗ | ✗ |
| EmailAttachmentInfo | | ✓ | ✗ | ? |
| EmailEvents | DeliveryAction == "Junked"; DetectionMethods contains "spam" | ✓ | ✗ | ✓ |
| EmailUrlInfo | | ✓ | ✗ | ? |
| GCP_IAM_CL 🔶 | | ? | ✓ | ? |
| Heartbeat | | ? | ✗ | ? |
| IdentityInfo | | ✓ | ✗ | ? |
| InformationProtectionLogs_CL 🔶 | | ? | ✓ | ? |
| InsightsMetrics | Namespace in "Memory,Network,Processor" | ✓ | ✗ | ? |
| IntuneAuditLogs | | ✓ | ✗ | ? |
| IntuneDevices | | ✓ | ✗ | ? |
| IntuneOperationalLogs | | ✓ | ✗ | ? |
| KubeEvents_CL | | ? | ✓ | ? |
| OfficeActivity | OfficeWorkload == "Exchange"; Operation !contains "access"; Operation contains "policy"; RecordType == "ExchangeAdmin" | ✓ | ✗ | ✓ |
| Operation | | ? | ✗ | ? |
| QualysHostDetectionV3_CL | | ✓ | ✓ | ✓ |
| SecurityAlert | | ✓ | ✗ | ✓ |
| SecurityEvent | GroupMembership contains "admin"; GroupMembership contains "contributor" | ✓ | ✓ | ✓ |
| SecurityIncident | | ✓ | ✗ | ✓ |
| SecurityRecommendation | RecommendationDisplayName contains "AWS"; RecommendationDisplayName contains "Amazon"; RecommendationDisplayName contains "certificate"; RecommendationDisplayName contains "container"; RecommendationDisplayName contains "database"; RecommendationDisplayName contains "encrypt"; RecommendationDisplayName contains "endpoint protection"; RecommendationDisplayName contains "exploit"; RecommendationDisplayName contains "key"; RecommendationDisplayName contains "kube"; RecommendationDisplayName contains "pod"; RecommendationDisplayName contains "sql"; RecommendationDisplayName contains "vault"; RecommendationDisplayName contains "virus"; RecommendationDisplayName contains "vuln"; RecommendationDisplayName has "GCP"; RecommendationDisplayName has "Google"; RecommendationName contains "container"; RecommendationName contains "kube"; RecommendationName contains "kubernetes"; RecommendationName contains "pod"; RecommendationName contains "update"; RecommendationState in "Healthy,NotApplicable,Removed,Unhealthy" | ✓ | ✗ | ? |
| SecurityRegulatoryCompliance | | ✓ | ✗ | ? |
| SigninLogs | AppDisplayName in "Azure Active Directory PowerShell,Microsoft Azure CLI"; AppDisplayName contains "ACOM"; AppDisplayName contains "CLI"; AppDisplayName contains "PowerShell"; AppDisplayName contains "command"; AppDisplayName contains "graph" | ✓ | ✗ | ✓ |
| StorageBlobLogs | | ✓ | ✗ | ✓ |
| StorageFileLogs | | ✓ | ✗ | ✓ |
| Syslog | SyslogMessage contains "runas"; SyslogMessage contains "sudo"; ProcessName has_any "hostd-probe,vmkwarning,vpxd-main" | ✓ | ✓ | ✓ |
| ThreatIntelligenceIndicator | | ✓ | ✓ | ✗ |
| Update | | ✓ | ✗ | ? |
| Usage | | ? | ✗ | ? |
| VMComputer | | ? | ✗ | ? |
| VMProcess | | ? | ✗ | ? |
| WindowsFirewall | | ✓ | ✗ | ? |