SOARing High for M-21-31

As most folks who work in the US Federal Civilian space are aware, we are now past the August 2023 date to meet Enterprise Logging Level 3 (EL3) in support of the M-21-31 OMB Mandate. As part of the Advanced Requirements in EL3, Logging Orchestration, Automation, & Response enters Finalizing Implementation, meaning agencies should be completing and rolling out automated incident response playbooks.

There are a few considerations that may help measure and lead to success as the implementation progresses.

Consider Using The MITRE D3FEND Knowledge Graph

Most network defenders have heard of the MITRE ATT&CK framework, which practically speaking, is very useful for modeling cyber adversaries' tactics and techniques. As we move further into the response realm, cybersecurity countermeasures become more of an integral part of the response process. Enter the MITRE D3FEND knowledge graph, which provides defensive technique knowledge and guidance for incident responders.

To help, a few months ago at Splunk .conf23, the product team highlighted new pre-built playbook packs that leverage MITRE D3FEND approaches to help solve common security use cases. Playbooks for tackling phishing attempts with dynamic identifier reputation analysis and threat hunting by querying several security technologies to determine if any artifacts present in data sources have been observed in your environment help provide some prescriptive defensive countermeasures. They are also great examples of how D3FEND can be used to support M-21-31.

Consider Using a SOAR Adoption Maturity Model

To help with SOAR implementations, Splunk developed “The SOAR Adoption Maturity Model.” This guide is particularly useful for M-21-31 because it provides a simple framework for moving from a reactive and manual approach to security to a proactive one. The SOAR specific factors can be related to any existing cyber security framework, such as the NIST Cybersecurity Framework (CSF). Further, they can help inform on the M-21-31 SOAR maturity factors as they apply to the FY 2023 CIO FISMA Metrics.

Consider Using Risk-Based Case Management

(Hint: It’s Eventually About Zero Trust)

Just over a year ago, Splunk released pre-built Playbook Packs that included a Risk Response workbook. As Kelby Shelton talks about in How Playbook Packs Drive Scalable Automation, this workbook provides a prescriptive means for automating Risk Notables from Splunk Enterprise Security (ES). As we’re moving toward implementing a zero trust architecture to support M-22-09, this is where M-21-31 crosses the path. As Kelby mentions, “In some high-risk situations, you need an automation platform that is capable of taking action immediately on affected entities before the situation gets out of control. A great example of taking this type of action is in the area of Zero Trust which you can learn more about here: Automating Across a Zero Trust Architecture (ZTA).”  

For more information on any of these topics or on how Splunk can help with any of the other technical requirements in OMB M-21-31 please reach out to

Derrick Lawson
Posted by

Derrick Lawson

Derrick Lawson has 25+ years in technology, development, operations, and security. He also has 10+ years working on Philanthropy for kids at Oracle.

Show All Tags
Show Less Tags