Section 9 - Mitigate threats using Microsoft Sentinel - Design and configure a Microsoft Sentinel workspace
We are already at the 9th section on my study guide and this time we will start with Sentinel.
First I want to point the Ninja training that Ofer Shezaf's and him team has made for you. It was updated last in February 2023 and it's an excellent collection of study materials for you all!
Become a Microsoft Sentinel Ninja: The complete level 400 training
Seeing how to plan a workplace and roles for it. Also where to store data and how to implement content hub and use other resources.
So, once again, let's get going!
Plan a Microsoft Sentinel workspace
Designing is one key element for Sentinel, here some things you should consider when doing your design.
Microsoft has this excellent page for different parts and even workflow to visualize your design choices
Design your Microsoft Sentinel workspace architecture
Tenant and workspace
While having fewer workplaces makes management easier, you may have special requirements for many tenants and workspaces. Many enterprises, for example, have a cloud infrastructure with several Azure Active Directory (Azure AD) tenants as a consequence of mergers and acquisitions or identity separation needs.
Consider how many tenants and workspaces to employ while considering how many tenants and workspaces to utilize. Most Microsoft Sentinel capabilities run on a single workspace or Microsoft Sentinel instance, and Microsoft Sentinel ingests all logs held within the workspace.
It's possible that not all the connectors can be connected to a workspace that is not located in the same tenant where the resource resides.
When you are designing a Sentinel workplace, you should use one Workspace for each tenant, geo-location and subsidiary.
See here for a table from Microsoft on the considerations
| Requirement | Description | Ways to reduce workspace count |
|---|---|---|
| Sovereignty and regulatory compliance | A workspace is tied to a specific region. To keep data in different Azure geographies to satisfy regulatory requirements, split up the data into separate workspaces. | |
| Data ownership | The boundaries of data ownership, for example by subsidiaries or affiliated companies, are better delineated using separate workspaces. | |
| Multiple Azure tenants | Microsoft Sentinel supports data collection from Microsoft and Azure SaaS resources only within its own Azure Active Directory (Azure AD) tenant boundary. Therefore, each Azure AD tenant requires a separate workspace. | |
| Granular data access control | An organization may need to allow different groups, within or outside the organization, to access some of the data collected by Microsoft Sentinel. For example: Resource owners' access to data pertaining to their resourcesRegional or subsidiary SOCs' access to data relevant to their parts of the organization | Use resource Azure RBAC or table level Azure RBAC |
| Granular retention settings | Historically, multiple workspaces were the only way to set different retention periods for different data types. This is no longer needed in many cases, thanks to the introduction of table level retention settings. | Use table level retention settings or automate (Managing personal data in Log Analytics and Application Insights |
| Split billing | By placing workspaces in separate subscriptions, they can be billed to different parties. | Usage reporting and cross-charging |
| Legacy architecture | The use of multiple workspaces may stem from a historical design that took into consideration limitations or best practices which don't hold true anymore. It might also be an arbitrary design choice that can be modified to better accommodate Microsoft Sentinel. Examples include: Using a per-subscription default workspace when deploying Microsoft Defender for CloudThe need for granular access control or retention settings, the solutions for which are relatively new | Re-architect workspaces |
And here for sample design to give you can idea what you should consider.
Sample Microsoft Sentinel workspace designs
Data residency
Residency is always important when validating designs for Cloud services.
- Sentinel can run on workspaces in nearly any place where Log Analytics is widely accessible.
- It may take some time for regions where Log Analytics is new to onboard the Microsoft Sentinel service.
- Microsoft Sentinel keeps client data in the same geographical location as the Log Analytics workspace that is linked with Microsoft Sentinel.
- Microsoft Sentinel handles client data in one of two places:
- Customer data is processed in Europe if the Log Analytics workspace is situated there.
- Customer data is processed in the United States for all other regions.
Azure Lighthouse
Lighthouse is an excellent solution for MSSPS as they provide cybersecurity monitoring and management for multiple clients.
Some benefits for Lighthouse integration are:
- Cross tenant queries
- Cross tenant workbooks
- Cross tenant incident screen
- Cross tenant automation
- Cross tenant analytics rules
See more from Learn on Azure Lighthouse onboarding
Onboard a customer to Azure Lighthouse - Azure Lighthouse
And more on the workspace design from Microsoft
Extend Microsoft Sentinel across workspaces and tenants
Workspace manager (preview)
And if you have those multiple workspaces, see the new Workspace manager. With workspace manager, you may manage several Microsoft Sentinel workplaces inside one or more Azure tenants.
What is needed?
- At least two Microsoft Sentinel workplaces are required. One workspace to manage and at least one additional workspace to manage.
- The Microsoft Sentinel Contributor role must be assigned on both the central workspace (when workspace manager is enabled) and the member workspace(s) that the contributor must manage.
- If you manage workspaces across different Azure AD tenants, enable Azure Lighthouse.
Manage multiple Microsoft Sentinel workspaces with workspace manager
Read here for the announcement
RSAC 2023: Microsoft Sentinel empowering the SOC with next-gen SIEM
Configure Microsoft Sentinel roles
There may be times when many teams require access to the same data and independent security teams may also require access to Microsoft Sentinel capabilities, but with different data sets.
Sentinel RBAC
Sentinel has it's own RBAC roles, like many other Azure based service does.
- Microsoft Sentinel Reader can view data, incidents, workbooks, and other Microsoft Sentinel resources.
- Microsoft Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.).
- Microsoft Sentinel Contributor can, in addition to the above, create and edit workbooks, analytics rules, and other Microsoft Sentinel resources.
- Microsoft Sentinel Playbook Operator can list, view, and manually run playbooks.
- Microsoft Sentinel Automation Contributor allows Microsoft Sentinel to add playbooks to automation rules. It isn't meant for user accounts.
Depending services
And RBAC roles for depending services.
- Azure roles: Owner, Contributor, and Reader. Azure roles grant access across all your Azure resources, including Log Analytics workspaces and Microsoft Sentinel resources.
- Log Analytics roles: Log Analytics Contributor and Log Analytics Reader. Log Analytics roles grant access to your Log Analytics workspaces.
- Custom roles. In addition to, or instead of, using Azure built-in roles, you can create Azure custom roles for Microsoft Sentinel. You create Azure custom roles for Microsoft Sentinel in the same way as Azure custom roles, based on specific permissions to Microsoft Sentinel and to Azure Log Analytics resources.
Here is an table of the different permission and what they can do.
| Role | View and run playbooks | Create and edit playbooks | Create and edit analytics rules, workbooks, and other Microsoft Sentinel resources | Manage incidents (dismiss, assign, etc.) | View data, incidents, workbooks, and other Microsoft Sentinel resources |
|---|---|---|---|---|---|
| Microsoft Sentinel Reader | -- | -- | --* | -- | ✓ |
| Microsoft Sentinel Responder | -- | -- | --* | ✓ | ✓ |
| Microsoft Sentinel Contributor | -- | -- | ✓ | ✓ | ✓ |
| Microsoft Sentinel Playbook Operator | ✓ | -- | -- | -- | -- |
| Logic App Contributor | ✓ | ✓ | -- | -- | -- |
See here for recommendations from Microsoft
Roles and permissions in Microsoft Sentinel
Design and configure Microsoft Sentinel data storage
Azure Sentinel offers two storage options for data ingestion: Log Analytics workspace and Azure Data Explorer. Both storage options are highly scalable and flexible.
But did you know that Azure Sentinel is based on Azure Monitor (Log Analytics), which is based on Azure Data Explorer. As a result, moving between different services is simple. You may now leverage Kusto query language queries and dashboards across various services.
Log Analytics Workspace
Log Analytics workspace is the default data storage option in Azure Sentinel. Log Analytics workspace provides a scalable, highly available, and secure storage option for ingesting data. It enables you to collect data from different sources, including cloud services, on-premises servers, and custom applications. You can query, visualize, and analyze the data using Azure Monitor Log Analytics, which is integrated into Sentinel.
See more here on the onboarding of Sentinel to Log analytics workspace
Quickstart: Onboard in Microsoft Sentinel
Azure Data Explorer
Azure Data Explorer (ADX) is another storage option available for Azure Sentinel. ADX is a fully managed data analytics service that enables you to perform advanced analytics on large volumes of data. ADX provides a highly scalable and efficient data storage solution that is optimized for fast data ingestion, analysis, and querying. It is ideal for large-scale log analytics scenarios, including security analytics.
Integrate Azure Data Explorer for long-term log retention
Which one should you use?
Maybe pricing or maybe you architecture requirements determinate which one to use or maybe both.
Here is some questions that you should ask:
- Data Ingestion Volume: How much data are you planning on ingesting into Sentinel? To assess the amount of storage required, estimate your data input volume.
- Data Retention Period: How long must you keep your data? Take into account any applicable compliance obligations, as well as your organization's own data retention rules.
- Frequency of Data Access: How frequently will you need to access your data? To maximize data storage and retrieval, consider the frequency and kind of queries you'll be conducting.
- Cost Optimization: How can you reduce the cost of data storage? To limit the quantity of data you need to keep and lower storage expenses, consider data compression, tiered storage, and data sampling.
See here for an example Architecture from Azure Architecture Center.
Azure Data Explorer monitoring - Azure Architecture Center
Implement and use Content hub, repositories, and community resources
Content hub
Content Hub is a Microsoft Sentinel feature that serves as a repository for community-generated content. It includes templates, queries, workbooks, and playbooks to aid in the optimization of security monitoring and response. The Content Hub includes the Sentinel solutions catalog.
Use the Microsoft Sentinel Content Hub to find and install out-of-the-box (OOTB) content from a single location.
Microsoft Sentinel content hub catalog
Repository
Customers can store content, such as queries, workbooks, and playbooks, in the repository. They can employ them to complement Sentinel's skills. Organizations may build, manage, and share repositories across teams.
Here is once example of the GitHub repository
GitHub - Azure/Azure-Sentinel: Cloud-native SIEM for intelligent security analytics for your entire enterprise.
And here an excellent repo called Azure Sentinel All In One that let's you automate your deployment and configuration of Sentinel. When highly privileged users are required, this is great for Proof of Concept situations and connection onboarding.
Azure-Sentinel/Tools/Sentinel-All-In-One at master · Azure/Azure-Sentinel
The following content can be imported from a repo:
- Analytics rules
- Automation rules
- Hunting queries
- Parsers
- Playbooks
- Workbooks
See more on repository connection from Learn
Manage custom content with repository connections - Microsoft Sentinel
Community resources
Microsoft Sentinel provides a comprehensive set of community tools to assist clients in fast onboarding and reaping the benefits of Sentinel. GitHub repositories, community-provided playbooks and queries, community content, and threat intelligence feeds are among the resources available.
KQL Search is an aggregator for KQL queries that are shared on GitHub.
KQL Search
Microsoft has an excellent blog on Sentinel that has posts from Microsoft and also other contributors
Microsoft Sentinel Blog
And you want to skill-up even more, see this
Microsoft Sentinel skill-up training
Closure
Remember what you should consider when designing a workplace
- Tenant and workspace correlation
- Data residency
- When using multiple workspaces, using Azure Lighthouse
What RBAC roles Sentinel has? and what are the depending roles?
- Azure roles: Owner, Contributor, and Reader. Azure roles grant access across all your Azure resources, including Log Analytics workspaces and Microsoft Sentinel resources.
- Log Analytics roles: Log Analytics Contributor and Log Analytics Reader. Log Analytics roles grant access to your Log Analytics workspaces.
- Custom roles. In addition to, or instead of, using Azure built-in roles, you can create Azure custom roles for Microsoft Sentinel. You create Azure custom roles for Microsoft Sentinel in the same way as Azure custom roles, based on specific permissions to Microsoft Sentinel and to Azure Log Analytics resources.
What the different roles can do in your environment?
How Log Analytics and Data Explorer are different, what is the primary one and why you should choose one of them or should you?
Definition of Content hub and repository also what community resources are available?
Link to main post
Exam cram series for SC-200 exam
