Maturity Model For Event Log Management M2131

Solution: MaturityModelForEventLogManagementM2131


Attribute Value
Publisher Microsoft Corporation
Support Tier Microsoft
Support Link https://support.microsoft.com
Categories domains
Version 3.0.3
Author Microsoft - support@microsoft.com
First Published 2021-12-05
Solution Folder MaturityModelForEventLogManagementM2131
Marketplace Azure Marketplace · Popularity: 🟡 Low (28%)

This solution is designed to enable Cloud Architects, Security Engineers, and Governance, Risk and Compliance professionals to increase visibility before, during, and after a cybersecurity incident. The solution includes (1) workbook, (4) hunting queries, (8) analytics rules, and (3) playbooks, providing a comprehensive approach to the design, build, monitoring, and response phases of a logging architecture. Information from logs on information systems (for both on-premises systems and connections hosted by third parties, such as cloud service providers (CSPs)) is invaluable in the detection, investigation, and remediation of cyber threats. "Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. In addition, this memorandum establishes requirements for agencies to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies." For more information, see Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31).

Contents

Data Connectors

This solution does not include data connectors.

This solution may contain other components such as analytics rules, workbooks, hunting queries, or playbooks.

Tables Used

This solution queries 45 table(s) from its content items:

Table Used By Content
AADManagedIdentitySignInLogs Workbooks
AADServicePrincipalSignInLogs Workbooks
AWSCloudTrail Workbooks
AWSGuardDuty Workbooks
AWSVPCFlow Workbooks
AuditLogs Workbooks
AzureActivity Analytics, Workbooks
AzureDiagnostics Workbooks
CarbonBlack_Alerts_CL Workbooks
CloudAppEvents Workbooks
CommonSecurityLog Workbooks
ConfigurationChange Workbooks
ConfigurationData Workbooks
DeviceNetworkEvents Workbooks
DeviceNetworkInfo Workbooks
DeviceProcessEvents Workbooks
DnsEvents Workbooks
Dynamics365Activity Workbooks
EmailAttachmentInfo Workbooks
EmailEvents Workbooks
EmailUrlInfo Workbooks
GCP_IAM_CL Workbooks
Heartbeat Analytics, Workbooks
InformationProtectionLogs_CL Workbooks
InsightsMetrics Workbooks
IntuneAuditLogs Workbooks
IntuneDevices Workbooks
IntuneOperationalLogs Workbooks
KubeEvents_CL Workbooks
OfficeActivity Workbooks
Operation Workbooks
QualysHostDetectionV3_CL Workbooks
SecurityEvent Workbooks
SecurityRecommendation Analytics, Workbooks
SecurityRegulatoryCompliance Workbooks
SigninLogs Workbooks
StorageBlobLogs Workbooks
StorageFileLogs Workbooks
Syslog Workbooks
ThreatIntelligenceIndicator Workbooks
Update Workbooks
Usage Analytics, Hunting, Workbooks
VMComputer Workbooks
VMProcess Workbooks
WindowsFirewall Workbooks

Internal Tables

The following 5 table(s) are used internally by this solution's content items:

Table Used By Content
AlertEvidence Workbooks
BehaviorAnalytics Workbooks
IdentityInfo Workbooks
SecurityAlert Workbooks
SecurityIncident Workbooks

Content Items

This solution includes 16 content item(s):

Content Type Count
Analytic Rules 8
Hunting Queries 4
Playbooks 3
Workbooks 1

Analytic Rules

Name Severity Tactics Tables Used
M2131_AssetStoppedLogging Medium Discovery Heartbeat
M2131_DataConnectorAddedChangedRemoved Medium Discovery AzureActivity
M2131_EventLogManagementPostureChanged_EL0 Medium Discovery SecurityRecommendation
M2131_EventLogManagementPostureChanged_EL1 Medium Discovery SecurityRecommendation
M2131_EventLogManagementPostureChanged_EL2 Medium Discovery SecurityRecommendation
M2131_EventLogManagementPostureChanged_EL3 Medium Discovery SecurityRecommendation
M2131_LogRetentionLessThan1Year Medium Discovery SecurityRecommendation
M2131_RecommendedDatatableUnhealthy Medium Discovery Usage

Hunting Queries

Name Tactics Tables Used
M2131_RecommendedDatatableNotLogged_EL0 Discovery Usage
M2131_RecommendedDatatableNotLogged_EL1 Discovery Usage
M2131_RecommendedDatatableNotLogged_EL2 Discovery Usage
M2131_RecommendedDatatableNotLogged_EL3 Discovery Usage

Workbooks

Name Tables Used
MaturityModelForEventLogManagement_M2131 AADManagedIdentitySignInLogs, AADServicePrincipalSignInLogs, AWSCloudTrail, AWSGuardDuty, AWSVPCFlow, AuditLogs, AzureActivity, AzureDiagnostics, CarbonBlack_Alerts_CL, CloudAppEvents, CommonSecurityLog, ConfigurationChange, ConfigurationData, DeviceNetworkEvents, DeviceNetworkInfo, DeviceProcessEvents, DnsEvents, Dynamics365Activity, EmailAttachmentInfo, EmailEvents, EmailUrlInfo, GCP_IAM_CL, Heartbeat, InformationProtectionLogs_CL, InsightsMetrics, IntuneAuditLogs, IntuneDevices, IntuneOperationalLogs, KubeEvents_CL, OfficeActivity, Operation, QualysHostDetectionV3_CL, SecurityEvent, SecurityRecommendation, SecurityRegulatoryCompliance, SigninLogs, StorageBlobLogs, StorageFileLogs, Syslog, ThreatIntelligenceIndicator, Update, Usage, VMComputer, VMProcess, WindowsFirewall. Internal use: AlertEvidence, BehaviorAnalytics, IdentityInfo, SecurityAlert, SecurityIncident

Playbooks

Name Description Tables Used
Create Jira Issue This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel. -
Create-AzureDevOpsTask This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. -
Notify-LogManagementTeam This Security Orchestration, Automation, & Response (SOAR) capability is designed for configuration ... -

Additional Documentation

📄 Source: MaturityModelForEventLogManagementM2131/README.md

Overview


Microsoft Sentinel: Maturity Model for Event Log Management (M-21-31) Solution

This solution is designed to enable Cloud Architects, Security Engineers, and Governance, Risk and Compliance professionals to increase visibility before, during, and after a cybersecurity incident. The solution includes (1) workbook, (4) hunting queries, (8) analytics rules, and (3) playbooks, providing a comprehensive approach to the design, build, monitoring, and response phases of a logging architecture. Information from logs on information systems (for both on-premises systems and connections hosted by third parties, such as cloud service providers (CSPs)) is invaluable in the detection, investigation, and remediation of cyber threats. "Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. In addition, this memorandum establishes requirements for agencies to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies." For more information, see Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31).

Workbook Overview

Getting Started

[Content truncated...]

Release Notes

Version Date Modified (DD-MM-YYYY) Change History
3.0.3 26-09-2025 Updated the broken metrics in the workbook
3.0.2 31-01-2024 Updated the solution to fix Analytic Rules deployment issue
3.0.1 09-11-2023 Changes for rebranding from Azure Active Directory Identity Protection to Microsoft Entra ID Protection
3.0.0 20-07-2023 Updated Workbook template to remove unused variables.