Posts

Deployment (Part 3)

Microsoft Monitoring Agent (MMA)

MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered for use, the following areas should be covered during a Microsoft Sentinel deployment project:
- Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.
- Consider the central deployment and management methodology for MMA.
- Determine which endpoints are in scope for deployment, as these affect the log ingestion volume significantly.

Azure Monitor Agent (AMA)

Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re

Deployment (Part 2)

Microsoft Sentinel Content Hub

Content in Microsoft Sentinel includes any of the following types:
- Data connectors offer log ingestion from different sources into Microsoft Sentinel.
- Parsers provide log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios.
- Workbooks provide monitoring, visualization, and interaction with data in Microsoft Sentinel, highlighting meaningful insights for users.
- Analytics rules generate alerts that point to relevant SOC actions via incidents.
- Hunting queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel.
- Notebooks help SOC teams use advanced hunting features in Jupyter and Azure Notebooks.
- Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue.
- Playbooks and Azure Logic Apps Custom Connectors provide features for automated investigati

Deployment (Part 1)

Azure Resources

Microsoft Sentinel needs the following resources to be created:
- Subscription (if a dedicated subscription(s) will be used)
- Resource group(s)
- Log Analytics workspace(s)
- Automation rules/playbooks
- Alert rules
- Workbooks

Microsoft Sentinel offers hundreds of alert rule, workbook, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy scheduled alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the created resources have to be adjusted to match the existing environment, configure local credentials, etc.

Methods of deployment:
- Manual: An administrator can manually configure the Microsoft Sentinel resources with the help of the Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and undocumented ch

Design Planning (Part 3)

Complex Organizational Structures

SIEM can be an expensive security control; hence, it is common for multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.

Role-based Access Control (RBAC) Requirements

Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Among them are several Microsoft Sentinel-dedicated roles:
- Microsoft Sentinel Contributor: Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.
- Microsoft Sentinel Reader: Can query the log data stor

Design Planning (Part 2)

Number of Azure Resource Groups

A Microsoft Sentinel Log Analytics workspace resides in a resource group, which is a container holding related resources for an Azure solution or Microsoft Sentinel. Resource groups allow granularity in assigning permissions and logical grouping of resources according to their purpose. Microsoft Sentinel can use multiple resources such as Log Analytics workspaces, workbooks, Logic Apps, API connections, function apps, VMs, and many others. Generally, a single resource group is sufficient, but in some instances the full solution may span multiple resource groups. Hence, it is recommended to maintain all Microsoft Sentinel-related resources in a dedicated resource group if a dedicated subscription is not practical.

Distribution of Azure PaaS Resources

There is no cost for traffic that spans between Azure PaaS region. However, the traffic egressed to non-Azure environments

Design Planning (Part 1)

Data Residency Requirements

Depending on the type of business and customer residency, organizations might have compliance restrictions related to the logged data. These compliance regulations may not be clearly defined with respect to logging requirements and are subject to change over time. Hence, organizations may choose a local region to avoid complications. The selection of a region also carries implications for Microsoft Sentinel and Log Analytics costs, as well as the availability of resources in the specific region. Regions like the U.S. can offer a significant cost advantage in comparison to other regions. The discount can be significant depending upon the volume of log ingestion. Therefore, the project team should obtain organizational requirements related to data residency before deploying.

Number of Azure AD Tenants

An Azure AD tenant offers Identity and Access Management (IAM) capabilities for applications an

Project Resourcing (Part 2)

Engineering - SIEM

The SIEM engineers configure Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks:
- Initial configuration of the Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.
- Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, this will be a joint effort of the system engineer and the SIEM engineer, involving configuration and potential troubleshooting.
- Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.
- Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSIRT) use.
- Tuning of alert rule parameter