Implementing A New Microsoft Sentinel Solution (part 3)
Deploy
After successfully completing the high-level designing, the initiation of the provisioning of the Microsoft Sentinel and its related resources can begin without any delay.
Azure Resources
The following resources are required by the Microsoft Sentinel:
- Subscription (if a dedicated subscription will be used)
- Resource group(s)
- Log Analytics workspace
- Automation rules/playbook
- Alert Rules
- Workbooks
However, besides Azure region, some of the other configurations like log retention, selection of a pricing model, etc. are also required during deployment.
Deployment Methods
These are of two types:
- Manual- As the name suggests, the administrator configures the Microsoft Sentinel resources manually with the help of Azure portal. However, like every other manual process, this one is also packed with the inherent risks of human operator error, lack of compliance with potential change control procedures, and undocumented changes.
- Automation tools- Various infrastructure-as-code tools like Hashicorp Terraform (offers consistency to the processes) are supported by the Microsoft Sentinel resources along with the other additional resources like AzSentinel PowerShell library as well as a wide range of Azure Resource Manager (ARM) templates for the different types of Microsoft Sentinel playbooks, alert rules, and workbooks.
Log Source Onboarding
There are data connectors for the various types of log sources like Azure, Microsoft 365 solutions, non-Azure cloud, on-premises sources, threat intelligence feeds, etc. and the onboarding process may vary according to the type of log sources from the simplest (just a few clicks of the mouse) to the most complex ones (that requires the deployment of extra log collection resources). Nonetheless, complete instructions regarding the onboarding and applicability of the particular log source along with the automation options, are provided by Microsoft Sentinel.
Built-in Data Connectors
Microsoft Sentinel provides various connectors that can be deployed within few clicks, they are- Azure AD, Azure subscription activity, Office 365, all the Microsoft Defender products along with the regularly added latest ones. It is recommended to consider the built-in data connectors instead of the custom ones, because they are fully supported by Microsoft as well as the Microsoft Sentinel community.
Comments
Post a Comment