From a4da6d1cc821e660aae209c4c62b4264b182e855 Mon Sep 17 00:00:00 2001
From: jmorascalyr <42879226+jmorascalyr@users.noreply.github.com>
Date: Mon, 10 Mar 2025 19:42:55 -0600
Subject: [PATCH 1/3] Create README.md

---
 dashboards/m-21-31/README.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 dashboards/m-21-31/README.md

diff --git a/dashboards/m-21-31/README.md b/dashboards/m-21-31/README.md
new file mode 100644
index 0000000..1333ed7
--- /dev/null
+++ b/dashboards/m-21-31/README.md
@@ -0,0 +1 @@
+TODO

From f4d17cc1fc7ace5b2d0dc47017857b9bc5d1c056 Mon Sep 17 00:00:00 2001
From: jmorascalyr <42879226+jmorascalyr@users.noreply.github.com>
Date: Mon, 10 Mar 2025 19:46:39 -0600
Subject: [PATCH 2/3] Create m-21-31.conf

---
 dashboards/m-21-31/m-21-31.conf | 69 +++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 dashboards/m-21-31/m-21-31.conf

diff --git a/dashboards/m-21-31/m-21-31.conf b/dashboards/m-21-31/m-21-31.conf
new file mode 100644
index 0000000..8b7b387
--- /dev/null
+++ b/dashboards/m-21-31/m-21-31.conf
@@ -0,0 +1,69 @@
+{
+ parameters: [
+
+
+ { "name": "Category", values: ["Identity & Credential Management", "Privileged Identity & Credential Management", "Email Filtering, Spam, and Phishing ", "Operating Systems - Windows", "Operating Systems- Windows", "Operating Systems - macOS", "Operating Systems - BSD (Linux) ", "Operating Systems - BSD (Linux)", "Network Device Infrastructure (for Devices with Multiple Interfaces)", "Network Device Infratructure ", "Network Device Infrastructure", "Network Device Infrastructure (General Logging)", "Network Device Infrastructure (Multiple Device Interfaces)", "Network Device Infrastructure ", "Network Device Infrastructure (Access, Authorization, and Accounting)", "Cloud Environments (General Logging)", "Amazon Web Services (AWS)", "Cloud Azure", "Microsoft 365", "Google Cloud Platform (GCP)", "System Configuration and Performance", "Authentication and Authorization - Administrative", "Authentication and Authorization - Authorization", "Anti-Virus/Behavioral-Based Malware Protection", "Network Device Infrastructure - Firwewalls", "Network Device Infrastructure - All Devices", "PKI Infrastructure", "Vulnerability Assessments", "Database Level", "Application Level", "Application Level - Web Application & Middleware", "Virtualization on System", "Mobile (Smartphones/Tablets)/MTD Server Logs", "Mobile (Smartphones/Tablets)/MTD Agent Logs", "Container - Supply Chain", "DLP", "Application Level - Commercial Off the Shelf (COTS)", "Application Level - Non-COTS", "Container - Image", "Contaimer - image", "Container - Management/Orchestration", "Container - OS", "Mainframes", "Container - Cluster/Pod Events"], defaultValue: "Network"}
+ { "name": "Criticality", defaultValue: "('0', '1', '2', '3')"}
+
+ ],
+ graphs: [
+ {
+ title: "Summary",
+ query: "| left join \nreq = (timestamp = *\n| limit 1000\n| group c = running_count() by timestamp\n| let id = format(\"%d\", c)\n| lookup Log, Category, Criticality from m2131.csv by id=id \n| filter Category contains (\"#Category#\") Criticality contains #Criticality#\n),\n\nall = (\ntag='alertState' param_requirement = * \n| group triggered = count(status='TRIGGERED'), count = count() by param_description, id = param_requirement, status = 1, param_query-m21\t\n\n)\n\non id\n\n| columns Log, param_query-m21, log_status = abs(status) > 0 ? 10 : 0, Category, id, triggered, count\n| let status = param_query-m21 = null ? \"Needs Configuration\" : triggered > 0 ? \"Compliant\" : triggered = 0 AND count > 0 ? \"Non Compliant\" : \"Non Compliant\"\n| columns Log, status, id\n",
+ layout: {
+ h: 14,
+ w: 60,
+ x: 0,
+ y: 29
+},
+ graphStyle: "",
+ showBarsColumn: "false"
+ },
+ {
+ graphStyle: "",
+ title: "CISA Requirements (Criticality 0)",
+ query: "timestamp = *\n| limit 1000\n| group c = running_count() by timestamp\n| let id = format(\"%d\", c)\n| lookup Log, Category, Criticality from m2131.csv by id=id\n| columns Criticality, Category, Log, id\n| filter Category contains \"#Category#\"\n| columns Criticality, Category, Log\n",
+ showBarsColumn: "false",
+ layout: {
+ h: 14,
+ w: 30,
+ x: 30,
+ y: 15
+}
+ ,
+ },
+ {
+ graphStyle: "honeycomb",
+ honeyCombColor: {
+ hover: "#B9E885",
+ label: "Green",
+ value: "#6DB222"
+ },
+ honeyCombGroupBy: "",
+ honeyCombLinkTo: "/events?startTime=1+hour&view=standard&filter=[query]",
+ honeyCombThresholds: ["0", "1", "9", "10"],
+ layout: {
+ h: 14,
+ w: 30,
+ x: 0,
+ y: 15
+},
+ query: "| left join \nreq = (timestamp = *\n| limit 1000\n| group c = running_count() by timestamp\n| let id = format(\"%d\", c)\n| lookup Log, Category, Criticality from m2131.csv by id=id \n| filter Category contains (\"#Category#\") and Criticality contains #Criticality#\n),\n\nall = (\n tag='alertState' param_requirement = * \n| group count = count(), triggered = count(status='TRIGGERED') by param_description, id = param_requirement, status = 1, param_query-m21\t\n\n)\n\non id\n\n| columns Log, param_query-m21 , log_status = abs(status) > 0 ? 10 : 1, triggered, count\n| let status = param_query-m21 = null ? 1 : triggered > 0 ? 10 : triggered = 0 AND count > 0 ? 2: 2\n| let query = param_query-m21 = null ? \"needs config\" : triggered > 0 ? param_query-m21 : triggered = 0 AND count > 0 ? param_query-m21: param_query-m21\n| columns Log, query,status",
+ title: "At a Glance (Watchlist)"
+ },
+ {
+ graphStyle: "markdown",
+ markdown: "# M-21-31 Compliance Detections Dashboards\n\nSentinelOne Engineering and Government teams have reviewed each of the requirements of M-21-31 and compiled a list of those requirements. Where possible, we've mapped these requirements to a search to aid in compliance verification.\n\n## How to Use\n\nThe dashboard includes three statuses to indicate compliance levels:\n\n1. **Status 1**: \n Requires configuration of the bureau. \n - This status is for items that are bureau-specific and need additional setup. \n\n2. **Status 2**: \n Non-compliant. \n - This status means the search has returned no results within the configured time frame. \n\n3. **Status 10**: \n Compliant. \n - This status means the search has successfully found the logs in question.",
+ title: "ReadMe",
+ layout: {
+ h: 15,
+ w: 60,
+ x: 0,
+ y: 0
+}
+ }
+ ],
+ filters: [
+ ],
+ description: ""
+}

From 7839aa24ec58fee9b7687e095d3d8a571aa7d1dd Mon Sep 17 00:00:00 2001
From: jmorascalyr <42879226+jmorascalyr@users.noreply.github.com>
Date: Mon, 10 Mar 2025 20:02:44 -0600
Subject: [PATCH 3/3] Update README.md

---
 dashboards/m-21-31/README.md | 78 +++++++++++++++++++++++++++++++++++-
 1 file changed, 77 insertions(+), 1 deletion(-)

diff --git a/dashboards/m-21-31/README.md b/dashboards/m-21-31/README.md
index 1333ed7..cb68197 100644
--- a/dashboards/m-21-31/README.md
+++ b/dashboards/m-21-31/README.md
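Review bot: The Summary graph's query is missing the conjunction between its two filter terms, `| filter Category contains (\"#Category#\") Criticality contains #Criticality#`, whereas the At a Glance query spells the same clause `| filter Category contains (\"#Category#\") and Criticality contains #Criticality#`; aligning the Summary query to the second form keeps the table and the honeycomb reporting the same rows for a given Criticality selection. The `parameters` array also lacks a comma between the Category object and the Criticality object. Several Category values are misspelled near-duplicates (`Network Device Infratructure `, `Contaimer - image`, `Firwewalls`, `Operating Systems- Windows`) that should be reconciled with the m2131.csv lookup rather than offered as selectable filters, since a value that matches no lookup row yields an empty panel that reads like "no findings". The final ternary branches in both status expressions (`? \"Non Compliant\" : \"Non Compliant\"` and `? 2: 2`) are identical, so the `triggered = 0 AND count > 0` test is dead and can be dropped or given a distinct value.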
@@ -1 +1,77 @@
-TODO
+# M-21-31 Documentation
+
+## 1. To Deploy
+
+Deploying M-21-31 is simple. Follow these steps:
+
+1. Take the dashboard configuration file `m-21-31.conf` and paste it into the account.
+
+image
+
+
+2. Export the following Google Spreadsheet as a CSV file:
+ - [M-21-31 Mapping Sheet](https://docs.google.com/spreadsheets/d/120NWtQXE-DAgBftd-h6weXnqPqdLBy_reTTNcdMusOE/edit?pli=1&gid=1925210520#gid=1925210520)
+3. Save the exported file as `m2131.csv` and save it to `/datatables/m2131.csv`
+4. Add the following stanza to the alerts (watchlist JSON):
+ - [M-21-31 Alerts File](https://docs.google.com/document/d/1TD2jRa5ypT0yfoTrqS82rXijDS7hPHasF7gO4emIf1Q/edit?tab=t.0)
+
+Once these steps are completed, you will have:
+- A functional dashboard
+- A lookup table (`m2131.csv`) for mappings
+- An alerts file that checks every minute if alerts match the defined mappings
+
+---
+
+## 2. Adding Detections
+
+To add detections:
+
+1. Open the `alerts.json` file.
+2. Add more `query-m21` queries to the alerts file.
+3. Map each `query-m21` to a corresponding requirement in the `m2131.csv` file.
+
+### Example:
+If the `m2131.csv` file contains the following:
+```csv
+1,Identity & Credential Management,Account Creation,0
+```
+
+Then in `alerts.json`, you will map it as:
+```json
+{
+ "requirement": "1",
+ "query-m21": "type_uid = 300101"
+}
+```
+
+Each new detection should follow the same structure, ensuring that queries align with requirement IDs.
+
+---
+
+## 3. Managing Mappings
+
+Mappings between requirements and queries are handled via the `m2131.csv` file and the `alerts.json` file:
+
+- The **primary key** in `m2131.csv` is the **requirement ID**.
+- In `alerts.json`, each query is mapped to a requirement using the requirement ID.
+- Queries in `alerts.json` should reference the correct requirement ID from `m2131.csv`.
+
+### Example Mapping:
+#### `m2131.csv`:
+```csv
+1,Identity & Credential Management,Account Creation,0
+```
+#### `alerts.json`:
+```json
+{
+ "requirement": "1",
+ "query-m21": "type_uid = 300101"
+}
+```
+
+### Managing Mappings Effectively:
+1. Ensure each requirement ID in `m2131.csv` corresponds to an entry in `alerts.json`.
+2. Update `alerts.json` whenever a new detection rule is added.
+3. Regularly validate the mappings to ensure they are still relevant.
+
+By following this structure, M-21-31 remains organized and easy to maintain.