Implementing A New Microsoft Sentinel Solution (part 3)

By Ashwin Venugopal -

 






To read part 1, please click here
To read part 2, please click here
To read part 4, please click here





Deploy

After successfully completing the high-level designing, the initiation of the provisioning of the Microsoft Sentinel and its related resources can begin without any delay.

Azure Resources

The following resources are required by the Microsoft Sentinel:

  1. Subscription (if a dedicated subscription will be used)
  2. Resource group(s)
  3. Log Analytics workspace
  4. Automation rules/playbook
  5. Alert Rules
  6. Workbooks 

However, besides Azure region, some of the other configurations like log retention, selection of a pricing model, etc. are also required during deployment.

Deployment Methods

These are of two types:

  • Manual- As the name suggests, the administrator configures the Microsoft Sentinel resources manually with the help of Azure portal. However, like every other manual process, this one is also packed with the inherent risks of human operator error, lack of compliance with potential change control procedures, and undocumented changes. 

  • Automation tools- Various infrastructure-as-code tools like Hashicorp Terraform (offers consistency to the processes) are supported by the Microsoft Sentinel resources along with the other additional resources like AzSentinel PowerShell library as well as a wide range of Azure Resource Manager (ARM) templates for the different types of Microsoft Sentinel playbooks, alert rules, and workbooks. 

Log Source Onboarding 

There are data connectors for the various types of log sources like Azure, Microsoft 365 solutions, non-Azure cloud, on-premises sources, threat intelligence feeds, etc. and the onboarding process may vary according to the type of log sources from the simplest (just a few clicks of the mouse) to the most complex ones (that requires the deployment of extra log collection resources). Nonetheless, complete instructions regarding the onboarding and applicability of the particular log source along with the automation options, are provided by Microsoft Sentinel. 

Built-in Data Connectors

Microsoft Sentinel provides various connectors that can be  deployed within few clicks, they are- Azure AD, Azure subscription activity, Office 365, all the Microsoft Defender products along with the regularly added latest ones. It is recommended to consider the built-in data connectors instead of the custom ones, because they are fully supported by Microsoft as well as the Microsoft Sentinel community. 







To read part 1, please click here
To read part 2, please click here
To read part 4, please click here


































Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more