Microsoft is previewing new Sentinel features that will make it easier for security admins to manage and analyze event logs.

Logging can be the most useful tool in your security arsenal, but it is something we all tend to overlook and under-resource because it consumes storage. Proper logs provide evidence of how an incident occurred and what the attacker did.

Too often we don't keep logs long enough. FireEye reported that the median dwell time for attackers who use ransomware as their tool of choice is 72.75 days. A report on a ransomware attack from last year showed that the attacker lurked in the network for eight weeks before detonating the malware. Would you have retained log files for eight weeks or more to investigate a lurking attacker? Would you have been able to sift through those logs quickly enough to identify the attack sequence? The report recommended that a "managed defense service or an equivalent is maintained to detect and respond to incidents on endpoints (i.e., laptops, desktops, servers) to provide protection." I'd also argue that, as part of that process, the service needs to log so that you have evidence for analysis.

Microsoft Sentinel cloud SIEM

You shouldn't just log for logging's sake. Too often an intrusion occurs but no one saw the evidence sitting in the logging tool. Analysis of the logs should be part of your solution. A good security information and event management (SIEM) tool can help you manage and review logs. You have many options, including whether the repository lives on local disk or in cloud storage. Microsoft's cloud SIEM is called Sentinel. As a cloud service, Sentinel is updated constantly; you can track changes by following Microsoft's site that recaps new releases.
For example, several public previews in January bring interesting new features to the platform:

Support for MITRE ATT&CK techniques
Codeless data connectors
Maturity Model for Event Log Management (M-21-31) solution
SentinelHealth data table

Also rolled out were:

More workspaces supported for Multiple Workspace View
Kusto Query Language (KQL) workbook and tutorial

Mapping MITRE ATT&CK techniques

The support for MITRE ATT&CK techniques maps the information in your logs to attack sequences that have already been catalogued. For example, you can search the evidence you have stored for technique T1595, Active Scanning, in which the attacker "may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction."

Codeless connectors

Because logging is needed for nearly everything we do these days, Sentinel is previewing codeless connectors that let you pull logs from software-as-a-service (SaaS) platforms into Sentinel without writing connector code. As more of our applications move to the cloud and to Azure services that communicate with on-premises assets, tools that pull that information into central logging are key to getting a fuller view of the assets you want to manage and protect.

Meeting OMB event log mandates

The Office of Management and Budget's (OMB's) memorandum M-21-31 mandates a maturity model for event log management. It defines four logging tiers for federal agencies to aim for, ranked from EL0 to EL3. An agency whose highest-criticality logging requirements are not met, or are only partially met, is ranked EL0, "not effective".
The goal is to reach EL3, where the logging requirements at all criticality levels are met.

Sentinel will support collecting the fields these government-mandated event logs require:

Properly formatted and accurate timestamp
Status code for the event type
Device identifier (MAC address or other unique identifier)
Session/transaction ID
Autonomous system number
Source IP (IPv4)
Source IP (IPv6)
Destination IP (IPv4)
Destination IP (IPv6)
Status code
Response time
Additional headers (i.e., HTTP headers)
Where appropriate, the username or user ID shall be included
Where appropriate, the command executed shall be included
Where possible, all data shall be formatted as key-value pairs allowing for easy extraction
Where possible, a unique event identifier shall be included for event correlation; a unique event identifier shall be defined per event

SentinelHealth monitors connector health

The SentinelHealth data table helps you monitor data connector health, providing insight into health drift such as the latest failure event per connector, or connectors whose state has changed from success to failure.

Support for MSSPs

Managed security service providers (MSSPs) need to monitor more than one customer environment. Sentinel's Multiple Workspace View lets an MSSP review multiple workspaces at the same time, even across tenants.

KQL support

The January release includes the Advanced KQL for Microsoft Sentinel interactive workbook, designed to help you improve your Kusto Query Language proficiency through a use-case-driven approach.
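To make the ATT&CK mapping discussed above concrete, here is an added example (not Sentinel's or Microsoft's code) that runs detection logic over constructed firewall/flow records and tags each finding with technique T1595, Active Scanning. The key=value log format, the field names (ts, src, dst, dport, action), the five-minute correlation window and the thresholds of ten distinct ports or hosts are all assumptions chosen for the illustration; a real deployment would tune them to its own traffic. The sample includes a port scan, an SSH host sweep, benign repeat traffic, and a slow scan that deliberately stays under the per-window threshold to show the blind spot of a fixed window.

```python
"""Tag flow/firewall events with MITRE ATT&CK T1595 (Active Scanning).

Added example, not Sentinel's own code. The key=value log format, the
field names (ts, src, dst, dport, action), the 5-minute window and the
thresholds are assumptions; the sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TECHNIQUE_ID = "T1595"          # MITRE ATT&CK: Active Scanning
WINDOW = timedelta(minutes=5)   # assumed correlation window
PORT_THRESHOLD = 10             # distinct ports on one host -> port scan
HOST_THRESHOLD = 10             # distinct hosts on one port -> host sweep

_T0 = datetime(2023, 1, 15, 9, 0, 0)


def _record(offset, src, dst, dport):
    """Build one constructed key=value flow record."""
    ts = (_T0 + offset).isoformat()
    return f"ts={ts} src={src} dst={dst} dport={dport} action=deny"


# Constructed sample: a port scan, a host sweep on SSH, benign repeat
# traffic, and a slow scan (one probe every 2 minutes) that never puts
# more than three ports inside a single 5-minute window.
SAMPLE_LOGS = (
    [_record(timedelta(seconds=i), "203.0.113.7", "10.1.1.20", 1000 + i)
     for i in range(12)]
    + [_record(timedelta(seconds=i), "198.51.100.9", f"10.1.1.{i + 1}", 22)
       for i in range(12)]
    + [_record(timedelta(seconds=30 * i), "10.1.1.50", "10.1.1.20", 443)
       for i in range(5)]
    + [_record(timedelta(minutes=1), "10.1.1.50", "10.1.1.21", 80)]
    + [_record(timedelta(minutes=2 * i), "192.0.2.3", "10.1.1.30", 2000 + i)
       for i in range(12)]
)


def parse_event(line):
    """key=value record -> dict with a datetime timestamp and int port."""
    event = dict(kv.split("=", 1) for kv in line.split())
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["dport"] = int(event["dport"])
    return event


def detect_active_scanning(lines, window=WINDOW,
                           port_threshold=PORT_THRESHOLD,
                           host_threshold=HOST_THRESHOLD):
    """Return one finding per (src, kind, target), tagged with T1595.

    For each source, slide a time window over its events (oldest first)
    and count distinct destination ports per host (port scan) and
    distinct hosts per destination port (host sweep).
    """
    by_src = defaultdict(list)
    for event in sorted((parse_event(line) for line in lines),
                        key=lambda e: e["ts"]):
        by_src[event["src"]].append(event)

    findings = {}
    for src, events in by_src.items():
        end = 0  # index of the first event outside the current window
        for start, first in enumerate(events):
            while end < len(events) and events[end]["ts"] - first["ts"] <= window:
                end += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for event in events[start:end]:
                ports_per_host[event["dst"]].add(event["dport"])
                hosts_per_port[event["dport"]].add(event["dst"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    findings.setdefault((src, "port_scan", dst), {
                        "technique": TECHNIQUE_ID, "kind": "port_scan",
                        "src": src, "target": dst, "count": len(ports),
                        "first_seen": first["ts"].isoformat()})
            for dport, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    findings.setdefault((src, "host_sweep", dport), {
                        "technique": TECHNIQUE_ID, "kind": "host_sweep",
                        "src": src, "target": dport, "count": len(hosts),
                        "first_seen": first["ts"].isoformat()})
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_active_scanning(SAMPLE_LOGS):
        print(finding)
```

Running it yields exactly two findings, both tagged T1595: a port scan from 203.0.113.7 against 10.1.1.20 and an SSH host sweep from 198.51.100.9. The slow scanner at 192.0.2.3 is missed by design, which is the practical point: a technique tag is only as good as the retention and window you search over, so longer windows (and the long retention argued for above) are what let you catch low-and-slow reconnaissance.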
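The two health-drift checks the SentinelHealth section describes, the latest failure per connector and connectors that have flipped from success to failure, are shown below as an added example rather than Sentinel's own code. The rows are constructed, and the column names (TimeGenerated, SentinelResourceName, Status, Description) are assumed to follow the SentinelHealth table; inside Sentinel you would express the same logic as a KQL query over that table. One caveat the code handles: a connector whose first record is already a Failure has no success-to-failure transition to report, so it shows up only in the latest-failure and currently-failing views.

```python
"""Health-drift checks over data connector health records.

Added example, not Sentinel's or Microsoft's code. The rows are
constructed and the column names (TimeGenerated, SentinelResourceName,
Status, Description) are assumed to follow the SentinelHealth table.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_HEALTH = [  # constructed rows, deliberately out of time order
    {"TimeGenerated": "2023-01-16T09:00:00", "SentinelResourceName": "Office365",
     "Status": "Success", "Description": "Data fetched"},
    {"TimeGenerated": "2023-01-16T08:00:00", "SentinelResourceName": "Office365",
     "Status": "Success", "Description": "Data fetched"},
    {"TimeGenerated": "2023-01-16T10:00:00", "SentinelResourceName": "Office365",
     "Status": "Failure", "Description": "Authentication failed (401)"},
    {"TimeGenerated": "2023-01-16T11:00:00", "SentinelResourceName": "Office365",
     "Status": "Failure", "Description": "Authentication failed (401)"},
    {"TimeGenerated": "2023-01-16T08:00:00", "SentinelResourceName": "AzureActiveDirectory",
     "Status": "Success", "Description": "Data fetched"},
    {"TimeGenerated": "2023-01-16T12:00:00", "SentinelResourceName": "AzureActiveDirectory",
     "Status": "Success", "Description": "Data fetched"},
    {"TimeGenerated": "2023-01-16T07:00:00", "SentinelResourceName": "ThreatIntelligence",
     "Status": "Failure", "Description": "Upstream timeout"},
    {"TimeGenerated": "2023-01-16T08:00:00", "SentinelResourceName": "ThreatIntelligence",
     "Status": "Success", "Description": "Data fetched"},
    {"TimeGenerated": "2023-01-16T09:30:00", "SentinelResourceName": "ThreatIntelligence",
     "Status": "Failure", "Description": "Upstream timeout"},
]


def by_connector(rows):
    """Group rows by connector name, each group sorted oldest to newest."""
    groups = defaultdict(list)
    for row in rows:
        parsed = dict(row, TimeGenerated=datetime.fromisoformat(row["TimeGenerated"]))
        groups[parsed["SentinelResourceName"]].append(parsed)
    for recs in groups.values():
        recs.sort(key=lambda r: r["TimeGenerated"])
    return groups


def latest_failure_per_connector(rows):
    """Connector -> its most recent Failure row; connectors with none are omitted."""
    latest = {}
    for name, recs in by_connector(rows).items():
        failures = [r for r in recs if r["Status"] == "Failure"]
        if failures:
            latest[name] = failures[-1]
    return latest


def success_to_failure_transitions(rows):
    """Every point where a connector went from Success directly to Failure.

    A connector whose first record is already a Failure produces no
    transition here; it is visible through latest_failure_per_connector
    and currently_failing instead.
    """
    transitions = []
    for name, recs in by_connector(rows).items():
        for prev, cur in zip(recs, recs[1:]):
            if prev["Status"] == "Success" and cur["Status"] == "Failure":
                transitions.append({
                    "connector": name,
                    "last_success": prev["TimeGenerated"].isoformat(),
                    "first_failure": cur["TimeGenerated"].isoformat(),
                    "reason": cur["Description"],
                })
    return transitions


def currently_failing(rows):
    """Connectors whose newest record is a Failure, sorted by name."""
    return sorted(name for name, recs in by_connector(rows).items()
                  if recs[-1]["Status"] == "Failure")


if __name__ == "__main__":
    for name, row in latest_failure_per_connector(SAMPLE_HEALTH).items():
        print(f"{name}: last failure {row['TimeGenerated'].isoformat()} ({row['Description']})")
    for t in success_to_failure_transitions(SAMPLE_HEALTH):
        print(f"{t['connector']} went Success -> Failure at {t['first_failure']}: {t['reason']}")
    print("currently failing:", currently_failing(SAMPLE_HEALTH))
```

The reason to alert on the transition rather than on every Failure row is noise: a connector that has been broken for a week emits a Failure record on every poll, whereas the Success-to-Failure edge fires once and tells you exactly when ingestion stopped, which is the moment your log coverage (and therefore your evidence) developed a gap.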