
Azure Sentinel Deployment Best Practices


…the power of the Azure Cloud platform to automatically scale and meet demand—you do not have to worry about the complexity of infrastructure capacity, hosting, maintenance, or availability for your workflows. It is highly likely that if an organization has workloads in Azure Cloud, Logic Apps are already used in automations for other services.


Transcription of Azure Sentinel Deployment Best Practices

Microsoft Security
Azure Sentinel Deployment Best Practices

Authors: Adrian Grigorof, CISSP, CRISC, CCSK. Marius Mocanu, CISSP, SABSA, CISM, CEH. Jordan Shaw-Young, CISM.

Table of Contents
Azure Sentinel cloud-native Azure Sentinel unified cloud SIEM Core Azure Sentinel solution Azure Log Analytics Azure Azure Logic Data Implementing a new Azure Sentinel Project Project Project Security cloud Engineering systems Engineering Network Business Security Compliance Benchmark project effort and Design Architecture planning and 26
Azure 34
Log source 36
Automation 43
Deploying 47
Deploying user and entity behavior 48
Deploying 50
Deploying cyber threat intelligence 50
Deploying alert 57
Migration from existing SIEM Scenario 60
Scenario 62
Scenario 63
Azure Sentinel business Cost Evaluating your data ingestion against use 65
Log ingestion 65
Budgeting for Azure Sentinel 69
Ongoing Cost monitoring and 70
Conclusion and Additional

Introduction

The purpose of this whitepaper is to provide security organizations with a practical field guide to assist in developing a deployment strategy for Microsoft Azure Sentinel that will employ best practices to support a stable, cost-effective, and operationally effective implementation of Microsoft's cloud-native security information and event management (SIEM) platform. This document is written from a security practitioner perspective, based on experience deploying and managing Azure Sentinel in a wide range of organizations.

We intend for this guide to serve as a reference and planning document primarily for chief information security officers, security architects, and enterprise architecture and project management leaders in defining adoption and migration strategies and budgets and in planning project and resourcing requirements for a successful implementation of Azure Sentinel. It can be read as a companion document to other Azure Sentinel technical whitepapers such as the Azure Sentinel Technical Playbook for …

Azure Sentinel cloud-native SIEM

Azure Sentinel is Microsoft's cloud-native SIEM solution and the first cloud-native SIEM from a major public cloud provider. Azure Sentinel is deployed in an organization's Azure tenant and accessed via the Microsoft Azure portal, ensuring alignment with preexisting organizational policies.

Leveraging native integrations with Microsoft Defender tools and Azure services such as Log Analytics and Logic Apps for analysis and automation capabilities, Azure Sentinel allows organizations to ingest, correlate, and analyze security signals from across the enterprise. The ability to leverage elastic compute and storage capabilities inherent in Azure for data-intensive applications such as SIEM is a significant advantage over premise-based log analysis solutions. Additionally, Azure Sentinel can make use of infrastructure as a service (IaaS) and platform as a service (PaaS) available in Azure to deliver capabilities like workflow automation and long-term log retention that are typically provided as add-on services from other SIEM providers.

Azure Sentinel unified integration

Azure Sentinel integrates with Microsoft 365 Defender and Azure Defender to provide a unified way to manage risk in your digital landscape under a single umbrella. Incidents, schema, and alerts can be shared between Azure Sentinel and Microsoft 365 Defender, providing a holistic view with seamless drill down for …

[Figure: Microsoft Defender XDR (Microsoft 365 Defender and Azure Defender: prevent, protect, secure your infrastructure) feeding the Azure Sentinel SIEM, giving visibility across your entire organization. Data sources pictured: identities, endpoints, apps, SQL Server, containers, VMs, email, docs, cloud apps, network, industrial IoT, Azure App Services, traffic.]

cloud SIEM architecture

We take a two-sided view to the Azure Sentinel architecture. The first is the SIEM solution where security information and events are processed and analyzed. The second includes the multitude of data sources themselves. In our experience, addressing both the setup and operation of the SIEM solution, as well as a thoughtful approach to the data sources themselves, is critical to the success of any SIEM project. Here we will look at both key aspects of SIEM architecture and at the considerations that organizations can take when approaching a project.

Core Azure Sentinel solution components

In this section, we provide guidance on deployment of the core Azure Sentinel solution components to be deployed in your Azure subscription.

Azure Log Analytics workspace

The first deployment prerequisite of Azure Sentinel is a Log Analytics workspace where all ingested data will be stored. A Log Analytics workspace is created within a specific Azure region and has a configurable retention period, defining how long data will be stored within the Log Analytics workspace (database). The default is 30 days, but this can be configured to as long as 730 days (2 years).

Various forms of data may be ingested into the Log Analytics database. Data sources include a wide variety of structured data such as system information from Azure Monitor Agents (AMAs) or Microsoft Monitoring Agents (MMAs) installed on Windows or Linux network endpoints, application programming interface (API) integrations, and Azure PaaS services.

Log Analytics is a component of overall Azure Sentinel cost and is calculated based on the volume of ingested data and the data retention period. Special consideration should be paid to the extended retention period, as certain event tables might only contain system performance metrics or verbose logging of services, which may not be ideally suited for analysis within a SIEM solution. Data unrelated to security monitoring may not be worth storing over a long period of time when balanced against ingestion costs. Conducting a thorough analysis of the incoming data and aligning to organizational compliance policies will determine if raw data must be kept online in Log Analytics or if alternative storage options are possible. Alternate solutions exist within the Azure ecosystem to store raw data in cheaper storage options, where required.

There are a few initial best practices to follow when configuring Azure Log Analytics for use with Azure Sentinel:

- In multi-region architectures, deploy your Log Analytics workspace in an Azure region that will minimize the egress cost of data transfer between regions. In complex architectures with multiple Azure Sentinel instances, consideration should be paid to the region where most data are produced and consumed to avoid data export charges when providing Azure Sentinel with data from disparate Azure regions. In most cases, data export charges between Azure regions are usually lower than the price difference for Log Analytics between regions.

- …storage capabilities of Azure cloud. As such, it can dynamically scale on demand to meet even the most demanding data ingest requirements. For larger enterprise organizations that see more than 1 TB/day, Microsoft offers an optional dedicated cluster for Azure Sentinel within Azure's infrastructure. This can improve search performance and, depending on your initial configuration of Azure Sentinel workspaces, can provide cost savings and …

- For organizations that need to keep data available for longer than 90 days in a cost-effective storage repository while still being able to perform real-time queries or Kusto Query Language (KQL), there is the option to …
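The retention analysis the whitepaper recommends can be worked through concretely. The following is an added illustration, not code from the whitepaper: the embedded KQL is what a practitioner runs against the workspace's Usage table to measure per-table ingest, and the Python around it applies the paper's rule (security-relevant tables kept for the required period, capped at the 730-day workspace maximum; performance or verbose tables left at the 30-day default, with anything beyond the cap flagged for alternative storage). The table classification set and the sample volumes are assumptions.

```python
"""Retention planning for the Log Analytics workspace behind Azure Sentinel.
Added illustration, not code from the whitepaper: measure per-table ingest, keep
security tables for the required period (capped at the 730-day maximum) and leave
performance/verbose tables at the 30-day default or send them to cheaper storage."""
from dataclasses import dataclass

# KQL to run in the workspace for per-table billable volume (Usage.Quantity is in MB).
USAGE_QUERY = """
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize IngestedMB = sum(Quantity) by DataType
| extend GBPerDay = IngestedMB / 1024.0 / 30
| order by GBPerDay desc
"""

DEFAULT_RETENTION_DAYS = 30   # Log Analytics default
MAX_RETENTION_DAYS = 730      # workspace maximum (2 years)
# Assumed classification for illustration; the whitepaper names no specific tables.
LOW_SECURITY_VALUE_TABLES = {"Perf", "Heartbeat", "InsightsMetrics", "AzureMetrics"}

@dataclass
class TablePlan:
    table: str
    gb_per_day: float
    retention_days: int   # value to configure on the workspace/table
    retained_gb: float    # steady-state volume held online at that retention
    needs_archive: bool   # required period exceeds what the workspace can hold

def plan_retention(rows, required_days):
    """rows: (DataType, GBPerDay) pairs, i.e. the result rows of USAGE_QUERY."""
    if required_days < DEFAULT_RETENTION_DAYS:
        raise ValueError("required retention cannot be below the 30-day default")
    plans = []
    for table, gb_per_day in rows:
        if table in LOW_SECURITY_VALUE_TABLES:
            days, archive = DEFAULT_RETENTION_DAYS, False   # not worth long retention
        else:
            days = min(required_days, MAX_RETENTION_DAYS)
            archive = required_days > MAX_RETENTION_DAYS      # needs alternative storage
        plans.append(TablePlan(table, gb_per_day, days, round(gb_per_day * days, 2), archive))
    return plans

def retained_total_gb(plans):
    """Total GB kept online once every table has reached its retention limit."""
    return round(sum(p.retained_gb for p in plans), 2)

# Constructed sample result set, not real measurements.
SAMPLE_ROWS = [("SecurityEvent", 40.0), ("Perf", 25.0), ("Syslog", 10.0), ("Heartbeat", 0.5)]
```

Calling `plan_retention(SAMPLE_ROWS, 365)` keeps SecurityEvent and Syslog for a year while Perf and Heartbeat stay at 30 days; a required period above 730 days caps the workspace setting and sets `needs_archive` on the security tables.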

