Microsoft Sentinel: Maturity Model for Event Log Management Solution now in public preview

Lili Davoudian

This blog is co-authored by TJ Banasik, CISSP-ISSEP, ISSAP, ISSMP, Senior Program Manager, Microsoft Cloud & AI Security.

To help agencies align with federal cybersecurity directives, we’ve developed the Microsoft Sentinel: Maturity Model for Event Log Management Solution now available in public preview in Azure and Azure Government.

As cyber-attacks grow in number and severity against federal government systems, comprehensive cloud security mechanisms are more important than ever. Recent attacks, including SolarWinds, highlight the necessity of having sufficient logs for investigation and response when attacks occur.

The Biden Administration has introduced additional directives to prepare US government networks for cloud security threats, including Office of Management and Budget (OMB) Memorandum M-21-31, which requires federal agencies to rapidly move toward log event management capabilities to improve the ability to investigate and response to cloud security attacks.

This initiative guides federal agencies to understand log event management and is broken up into four tiers of maturity. For customers ingesting data from multiple sources, cloud provides, and on-premises environments, it’s a daunting task to consider and begin to address the complex requirements of M-21-31.

The Microsoft Sentinel: Maturity Model for Event Log Management Solution aims to ease this task and consists of (1) Workbook, (8) Analytics Rules, (4) Hunting Queries, and (3) Playbooks. Watch the demo to learn more and check out the steps below on getting started.

Getting started

This content is designed to enable a Maturity Model for Event Log Management and aligning with the M-21-31 requirements. Below are the steps to onboard required dependencies, enable connectors, review content, and provide feedback.

  1. Onboard Microsoft Sentinel and Microsoft Defender for Cloud
  2. Add the Azure Security Benchmark and NIST SP 800-53 Assessments to your dashboard
    1. Microsoft Defender for Cloud > Regulatory Compliance > Manage Compliance Policies > Select Subscription > Expand Industry & Regulatory Standards > Add More Standards > Add ASB and NIST SP 800-53 Assessments.
  3. Continuously Export Microsoft Defender for Cloud Data
    1. Microsoft Defender for Cloud > Settings > Select Subscription > Continuous Export > Log Analytics Workspace > Ensure Security Recommendations (All Selected: Low/Medium/High) and Regulatory Compliance (All Standards Selected) is checked > Select Sentinel Workspace as Target > Save
  4. Deploy Solution
    1. Commercial: Microsoft Sentinel > Content Hub > Search Maturity Model for Event Log Management > Configure Options > Create
    2. Government: Access Solution on Microsoft Sentinel’s GitHub Repo. Select Deploy to Azure Government Button > Configure Options > Create

Image M 21 31 IMAGE 1

  1. Review the Microsoft Sentinel: Maturity Model for Event Log Management (M2131) Workbook
    1. Microsoft Sentinel > Workbooks > Search Maturity Model for Event Log Management (M2131)
  2. Review/Enable Analytics Rules
    1. Microsoft Sentinel > Analytics > Search M2131
  3. Review Hunting Queries
    1. Microsoft Sentinel > Hunting > Queries >Search M2131
  4. Review Playbook Automation
    1. Microsoft Sentinel > Automation > Active playbooks > Search Notify-LogManagementTeam > Enable
    2. Create Automation Rule
      1. Analytics > Search M2131> Edit > Automated Response > Add new > Select Actions: Run Playbook > Select Notify-LogManagementTeam and configure automation options > Review > Save > Mirror configuration across all M2131 analytics rules. Note, Open JIRA Ticket and Create Azure DevOps Task are additional Playbooks available per organizational requirements.

Image M 21 31 IMAGE 2

  1. Review the content and provide feedback through our survey

Learn more

To learn more about meeting the Cybersecurity Executive Order with Microsoft Security, visit Microsoft Federal’s Executive Order on Improving the Nation’s Cybersecurity site.


Discussion is closed.

Feedback usabilla icon