Cloud SIEM Architecture

Overview

There are two ways to understand the Microsoft Sentinel architecture: one is the SIEM solution itself, in which security information and events are processed and analyzed; the other is the multitude of data sources that feed it. Addressing the setup and operation of the SIEM solution, together with a thoughtful approach to the data sources themselves, is essential to the success of any SIEM project.

Core Microsoft Sentinel Solution Components

Azure Log Analytics Workspace

A Log Analytics workspace, created within a particular Azure region, is where all ingested data is stored for a defined period of time, generally 30 days, which can be extended to 730 days (i.e. 2 years). Its cost is calculated from the volume of ingested data and the data retention period.

The following measures should be taken when configuring Azure Log Analytics for use with Microsoft Sentinel:

  • In a multi-region architecture, deploy the Log Analytics workspace in the region that minimizes the egress cost of data transfer between regions; in a complex architecture with multiple Microsoft Sentinel instances, give most attention to the region where the majority of data is produced and consumed, to avoid data export charges. Export charges apply only to IaaS services, not to PaaS ones.

  • Restrict the Log Analytics workspaces to what is actually required: thorough knowledge, at the beginning of a project, of the security and operational data and of how it will be ingested greatly helps in saving data ingestion charges at later stages.

  • Configuring Microsoft Sentinel analytics rules to monitor the various parameters of data ingestion and cost also helps greatly.

  • Data that requires a longer retention period can be stored via alternative solutions such as Azure Data Explorer (ADX) or Azure Blob Storage.
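As an added illustration of the ingestion-monitoring point above (this is example code written for this page, not a query from the original post or from Microsoft), the following KQL can be scheduled as a Microsoft Sentinel analytics rule or run in a workbook. It reads the workspace's standard Usage table, where Quantity is reported in MB, and flags any billable table whose most recent complete day of ingestion exceeds its 14-day daily average by the threshold factor; the 15-day lookback and the 1.5x threshold are assumed values to be tuned per environment.

```kusto
// Flag tables whose latest full day of billable ingestion is far above baseline.
// Assumed values: 15-day lookback, 1.5x (150%) threshold; tune both per workspace.
let lookback = 15d;
let evalDay = startofday(ago(1d));       // most recent complete day
let threshold = 1.5;
Usage
| where TimeGenerated > ago(lookback) and TimeGenerated < startofday(now())
| where IsBillable == true                // only data that is actually charged
| summarize DailyMB = sum(Quantity) by DataType, Day = startofday(TimeGenerated)
| summarize BaselineMB = avgif(DailyMB, Day < evalDay),   // average of prior days
            LatestMB   = sumif(DailyMB, Day == evalDay)   // the day being evaluated
    by DataType
| where BaselineMB > 0 and LatestMB > BaselineMB * threshold
| project DataType,
          BaselineMB = round(BaselineMB, 1),
          LatestMB   = round(LatestMB, 1),
          Ratio      = round(LatestMB / BaselineMB, 2)
| order by Ratio desc
```

When used as a scheduled rule, run it once a day with a query lookback that covers the 15 days it inspects; a sudden jump in one DataType usually points to a newly enabled connector, a verbose diagnostic setting, or a misbehaving source, all of which show up on the bill before anyone notices otherwise.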

Microsoft Sentinel

Once the Log Analytics step is complete, Microsoft Sentinel is enabled on that workspace and performs the SIEM functions.

Azure Logic Apps

As the name suggests, Azure Logic Apps provide Security Orchestration and Automated Response (SOAR) and power "Playbooks", which help automate and orchestrate response actions for security analysts. Logic Apps run under a consumption-based pricing and metering model, i.e. the charges are directly proportional to the workflow actions the Logic Apps execute.

Data Sources

Contrary to the common misconception that Microsoft Sentinel can only be used for Azure cloud resources, it can ingest and correlate data from a wide range of log sources across cloud platforms such as Azure, Amazon Web Services (AWS) and Google Cloud. The Microsoft Sentinel public community also publishes the latest use cases and data connectors to expand the capabilities of the solution. Microsoft Sentinel ships with more than 100 connectors, and custom sources can be created to meet individual requirements.
