{"id":20932,"date":"2022-01-26T07:43:30","date_gmt":"2022-01-26T15:43:30","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/azuregov\/?p=20932"},"modified":"2022-01-26T09:18:50","modified_gmt":"2022-01-26T17:18:50","slug":"microsoft-sentinel-maturity-model-for-event-log-management-solution-now-in-public-preview","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/azuregov\/microsoft-sentinel-maturity-model-for-event-log-management-solution-now-in-public-preview\/","title":{"rendered":"Microsoft Sentinel: Maturity Model for Event Log Management Solution now in public preview"},"content":{"rendered":"<p><em>This blog is co-authored by <\/em><a href=\"https:\/\/www.linkedin.com\/in\/tjbanasik\/\">TJ Banasik<\/a><em>, CISSP-ISSEP, ISSAP, ISSMP, Senior Program Manager, Microsoft Cloud &amp; AI Security.<\/em><\/p>\n<p>To help agencies align with federal cybersecurity directives, we\u2019ve developed the Microsoft Sentinel: Maturity Model for Event Log Management Solution now available in public preview in Azure and Azure Government.<\/p>\n<p>As cyber-attacks grow in number and severity against federal government systems, comprehensive cloud security mechanisms are more important than ever. 
Recent attacks, including SolarWinds, highlight the necessity of having sufficient logs for investigation and response when attacks occur.<\/p>\n<p>The Biden Administration has introduced additional directives to prepare US government networks for cloud security threats, including Office of Management and Budget (OMB) <a href=\"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2021\/08\/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf\">Memorandum M-21-31<\/a>, which requires federal agencies to rapidly move toward log event management capabilities to improve the ability to investigate and respond to cloud security attacks.<\/p>\n<p>This initiative guides federal agencies to understand log event management and is broken up into four tiers of maturity. For customers ingesting data from multiple sources, cloud providers, and on-premises environments, it\u2019s a daunting task to consider and begin to address the complex requirements of M-21-31.<\/p>\n<p>The Microsoft Sentinel: Maturity Model for Event Log Management Solution aims to ease this task and consists of (1) Workbook, (8) Analytics Rules, (4) Hunting Queries, and (3) Playbooks. <a href=\"https:\/\/youtu.be\/quV_80ts__k\">Watch the demo<\/a> to learn more and check out the steps below on getting started.<\/p>\n<p style=\"text-align: center;\"><iframe title=\"YouTube video player\" src=\"\/\/www.youtube.com\/embed\/quV_80ts__k\" width=\"560\" height=\"315\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" data-mce-fragment=\"1\"><\/iframe><\/p>\n<p><strong>Getting started<\/strong><\/p>\n<p>This content is designed to enable a Maturity Model for Event Log Management and align with the M-21-31 requirements.
Below are the steps to onboard required dependencies, enable connectors, review content, and provide feedback.<\/p>\n<ol>\n<li>Onboard <a href=\"https:\/\/docs.microsoft.com\/azure\/sentinel\/quickstart-onboard\">Microsoft Sentinel<\/a> and <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/defender-for-cloud\/get-started\">Microsoft Defender for Cloud<\/a><\/li>\n<li>Add the <a style=\"background-color: #f7f7f9; font-size: 1rem;\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/defender-for-cloud\/update-regulatory-compliance-packages\">Azure Security Benchmark and NIST SP 800-53 Assessments to your dashboard<\/a>\n<ol style=\"list-style-type: lower-alpha;\">\n<li>Microsoft Defender for Cloud &gt; Regulatory Compliance &gt; Manage Compliance Policies &gt; Select Subscription &gt; Expand Industry &amp; Regulatory Standards &gt; Add More Standards &gt; Add ASB and NIST SP 800-53 Assessments.<\/li>\n<\/ol>\n<\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/defender-for-cloud\/continuous-export\">Continuously Export Microsoft Defender for Cloud Data<\/a>\n<ol style=\"list-style-type: lower-alpha;\">\n<li>Microsoft Defender for Cloud &gt; Settings &gt; Select Subscription &gt; Continuous Export &gt; Log Analytics Workspace &gt; Ensure Security Recommendations (All Selected: Low\/Medium\/High) and Regulatory Compliance (All Standards Selected) is checked &gt; Select Sentinel Workspace as Target &gt; Save<\/li>\n<\/ol>\n<\/li>\n<li>Deploy Solution\n<ol style=\"list-style-type: lower-alpha;\">\n<li><span style=\"font-size: 12pt;\">Commercial: Microsoft Sentinel &gt; Content Hub &gt; Search Maturity Model for Event Log Management &gt; Configure Options &gt; Create<\/span><\/li>\n<li><span style=\"font-size: 12pt;\">Government: Access Solution on <a style=\"background-color: #f7f7f9;\" href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/tree\/master\/Solutions\/MaturityModelForEventLogManagementM2131\">Microsoft Sentinel\u2019s GitHub Repo<\/a>. 
Select Deploy to Azure Government Button &gt; Configure Options &gt; Create<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p style=\"padding-left: 80px;\"><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/01\/M-21-31-IMAGE-1.png\"><img decoding=\"async\" class=\"alignnone wp-image-20915\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/01\/M-21-31-IMAGE-1-300x95.png\" alt=\"Image M 21 31 IMAGE 1\" width=\"407\" height=\"129\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/01\/M-21-31-IMAGE-1-300x95.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/01\/M-21-31-IMAGE-1.png 379w\" sizes=\"(max-width: 407px) 100vw, 407px\" \/><\/a><\/p>\n<ol>\n<li value=\"5\">Review the Microsoft Sentinel: Maturity Model for Event Log Management (M2131) Workbook\n<ol style=\"list-style-type: lower-alpha;\">\n<li>Microsoft Sentinel &gt; Workbooks &gt; Search Maturity Model for Event Log Management (M2131)<\/li>\n<\/ol>\n<\/li>\n<li>Review\/Enable Analytics Rules\n<ol style=\"list-style-type: lower-alpha;\">\n<li>Microsoft Sentinel &gt; Analytics &gt; Search <em>M2131<\/em><\/li>\n<\/ol>\n<\/li>\n<li>Review Hunting Queries\n<ol style=\"list-style-type: lower-alpha;\">\n<li>Microsoft Sentinel &gt; Hunting &gt; Queries &gt; Search <em style=\"font-size: 1rem;\">M2131<\/em><\/li>\n<\/ol>\n<\/li>\n<li>Review Playbook Automation\n<ol style=\"list-style-type: lower-alpha;\">\n<li>Microsoft Sentinel &gt; Automation &gt; Active playbooks &gt; Search <em style=\"font-size: 1rem;\">Notify-LogManagementTeam<\/em><span style=\"font-size: 1rem;\"> &gt; Enable<\/span><\/li>\n<li>Create Automation Rule\n<ol style=\"list-style-type: lower-roman;\">\n<li>Analytics &gt; Search <em style=\"font-size: 1rem;\">M2131<\/em><span style=\"font-size: 1rem;\"> &gt; Edit &gt; Automated Response &gt; Add new &gt; Select Actions: Run Playbook &gt; Select
<\/span><em style=\"font-size: 1rem;\">Notify-LogManagementTeam<\/em><span style=\"font-size: 1rem;\"> and configure automation options &gt; Review &gt; Save &gt; Mirror configuration across all M2131 analytics rules. Note, Open JIRA Ticket and Create Azure DevOps Task are additional Playbooks available per organizational requirements.<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p style=\"padding-left: 80px;\"><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/01\/M-21-31-IMAGE-2.png\"><img decoding=\"async\" class=\"alignnone wp-image-20916\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/01\/M-21-31-IMAGE-2-300x127.png\" alt=\"Image M 21 31 IMAGE 2\" width=\"721\" height=\"305\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/01\/M-21-31-IMAGE-2-300x127.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/01\/M-21-31-IMAGE-2.png 726w\" sizes=\"(max-width: 721px) 100vw, 721px\" \/><\/a><\/p>\n<ol>\n<li value=\"9\">Review the content and provide feedback through our <a style=\"background-color: #f7f7f9; font-size: 1rem;\" href=\"https:\/\/forms.office.com\/r\/0diZsXih6e\">survey<\/a><\/li>\n<\/ol>\n<p><strong>Learn more<\/strong><\/p>\n<p>To learn more about meeting the Cybersecurity Executive Order with Microsoft Security, visit Microsoft Federal\u2019s <a style=\"background-color: #f7f7f9; font-size: 1rem;\" href=\"https:\/\/www.microsoft.com\/en-us\/federal\/CyberEO.aspx\">Executive Order on Improving the Nation\u2019s Cybersecurity<\/a><span style=\"font-size: 1rem;\"> site.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>See how agencies ease the task of aligning with federal cybersecurity directives with the Microsoft Sentinel: Maturity Model for Event Log Management Solution now available in public preview in Azure and Azure 
Government.<\/p>\n","protected":false},"author":62910,"featured_media":20941,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1,14],"tags":[75,95,216,287,315,3460],"class_list":["post-20932","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azuregov","category-learning","tag-azure","tag-azure-government","tag-cybersecurity","tag-federal","tag-government","tag-microsoft-sentinel"],"acf":[],"blog_post_summary":"<p>See how agencies ease the task of aligning with federal cybersecurity directives with the Microsoft Sentinel: Maturity Model for Event Log Management Solution now available in public preview in Azure and Azure Government.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/20932","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/users\/62910"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/comments?post=20932"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/20932\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media\/20941"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media?parent=20932"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/categories?post=20932"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/tags?post=20932"}],"curies":[{"
name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}