Logging can be the most useful tool in your security arsenal, but it’s something we all tend to overlook and not assign appropriate resources to, as it can use up hard drive storage. Proper logs can provide evidence as to how an incident occurred and what the attacker did.

Too often we don’t keep logs long enough. FireEye indicated that the median dwell time for attackers who use ransomware as their attack tool of choice is 72.75 days. A report on a ransomware attack from last year showed that the attacker lurked in the network for eight weeks before detonating the malware.

Would you have stored log files for eight weeks or more to investigate a lurking attacker? Would we have been able to sift through the log files to quickly identify an attack sequence?

The report recommended a “managed defense service or an equivalent is maintained to detect and respond to incidents on endpoints (i.e., laptops, desktops, servers) to provide protection.” I’d also argue that as part of that process, the service needs to log so that you can have evidence for analysis.

Microsoft Sentinel cloud SIEM

You shouldn’t just log for logging’s sake. Too often an intrusion occurs but no one saw the evidence in the logging tool. Analysis of logging should be part of your solution. A good security information and event management (SIEM) tool can help you manage and review logs. You have many options, including whether the repository will be on a local disk or in cloud storage.

Microsoft’s cloud SIEM is called Sentinel. As a cloud service, Sentinel’s services are constantly updated.
You can track changes in Sentinel by following this site that recaps new releases. For example, several public previews in January look to bring interesting new features to the platform:

- Support for MITRE ATT&CK techniques
- Codeless data connectors
- Maturity Model for Event Log Management (M-21-31) Solution
- SentinelHealth data table

Also rolled out were:

- More workspaces supported for Multiple Workspace View
- Kusto Query Language (KQL) workbook and tutorial

Mapping MITRE ATT&CK techniques

The support for MITRE ATT&CK techniques maps the information from your logs to attack sequences that have been identified. For example, you can search through the evidence you have stored using Technique 1595, also known as active scanning, where the attacker “may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.”

Codeless connectors

Because logging is needed for anything that we do these days, Sentinel is previewing the use of codeless connectors that allow logs from software-as-a-service (SaaS) platforms to be pulled into Sentinel. Especially as we move more to cloud and Azure applications that communicate with on-premises assets, having tools to pull that information into logging is key to getting a better view into all the assets that you want to manage and protect.

Meeting OMB event log mandates

The Office of Management and Budget’s (OMB’s) M-21-31 mandates a maturity model for event log management. Four logging levels are set for all government agencies to aim for. The government agencies will receive a ranking ranging from EL0 to EL3. If logging requirements are only partially met by the agency, they will receive a ranking of EL0 or “not effective”.
The goal is to reach EL3, where the logging requirements at all criticality levels are met.

Sentinel will support collecting these government-mandated event logs:

- Properly formatted and accurate timestamp
- Status code for the event type
- Device identifier (MAC address or other unique identifier)
- Session/Transaction ID
- Autonomous system number
- Source IP (IPv4)
- Source IP (IPv6)
- Destination IP (IPv4)
- Destination IP (IPv6)
- Status Code
- Response Time
- Additional headers (i.e., HTTP headers)
- Where appropriate, the username or userID shall be included
- Where appropriate, the command executed shall be included
- Where possible, all data shall be formatted as key-value-pairs allowing for easy extraction
- Where possible, a unique event identifier shall be included for event correlation; a unique event identifier shall be defined per event

SentinelHealth monitors connector health

The SentinelHealth data table helps monitor connector health, providing insights on health drifts such as the latest failure events per connector, or connectors with changes from success to failure states.

Support for MSSPs

Managed Security Service Providers (MSSPs) need to monitor more than one activity. Sentinel allows multiple workspace views, which lets an MSSP review multiple workspaces at the same time, even across tenants.

KQL support

The January release includes the Advanced KQL for Microsoft Sentinel interactive workbook, which is designed to help you improve your Kusto Query Language proficiency by taking a use-case-driven approach.
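As an added example (not code from the article or from Microsoft Sentinel), the snippet below checks key-value-pair log events against the M-21-31 data points listed above before they are shipped to a SIEM: it parses the line, flags missing or malformed mandatory fields, and assigns a unique event identifier for correlation. The key names (timestamp, device_id, asn, src_ip, ...) and the two sample log lines are constructed assumptions; the mandate names the data points, not the exact keys.

```python
import ipaddress
import shlex
import uuid
from datetime import datetime

# Data points M-21-31 requires on every event (key names are assumptions).
# src_ip/dst_ip accept either an IPv4 or an IPv6 address.
REQUIRED = ("timestamp", "event_type", "device_id", "session_id", "asn",
            "src_ip", "dst_ip", "status", "response_ms")
# Data points the mandate wants "where appropriate".
OPTIONAL = ("user", "command", "headers")

# Constructed sample events: one complete, one with several defects.
SAMPLE = [
    'timestamp=2023-01-15T10:22:01Z event_type=http_request '
    'device_id=aa:bb:cc:dd:ee:ff session_id=s1 asn=64512 '
    'src_ip=203.0.113.7 dst_ip=2001:db8::10 status=200 response_ms=12 '
    'user=alice headers="Host: app.example"',
    'timestamp=15/01/2023 event_type=login device_id=host-2 '
    'src_ip=999.1.1.1 status=401',
]


def parse_kv_line(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    record = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def validate(record):
    """Return a list of problems, empty when the event meets the mandatory fields."""
    problems = [f"missing {k}" for k in REQUIRED if not record.get(k)]
    ts = record.get("timestamp")
    if ts:
        try:  # accept ISO 8601, treating a trailing Z as UTC
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            problems.append("timestamp not ISO 8601")
    for k in ("src_ip", "dst_ip"):
        if record.get(k):
            try:
                ipaddress.ip_address(record[k])
            except ValueError:
                problems.append(f"{k} not a valid IPv4/IPv6 address")
    return problems


def normalize(record):
    """Copy the event and add a per-event unique identifier if one is absent."""
    rec = dict(record)
    rec.setdefault("event_id", str(uuid.uuid4()))
    return rec
```

Events that fail `validate` should be quarantined and counted per source, since a connector that silently drops fields is exactly the kind of health drift the SentinelHealth table is meant to surface.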