Implementing A New Microsoft Sentinel Solution (part 2)

By Ashwin Venugopal -

 







To read part 1, please click here
To read part 3, please click here
To read part 4, please click here









Design Planning

Architectural Planning & Considerations

Some of the factors that can majorly affect the initial architecture used for the deployments of new Microsoft Sentinel instances or the migration from the existing SIEM platforms, are as follows:
  • Data Residency Requirements- Organizations may have certain compliance restrictions regarding logged data (which are not always very clear) depending on the type of business and customer residency. They can also choose local regions according to the charges as well as the available resources in order to avoid any kind of complications due to the legislation changes or auditing processes. Regions like East U.S. can offer a significant cost advantages as compared to the other regions.

  • Number of Azure Active Directory Tenants- As Azure AD offers Identity and Access Management (IAM) capabilities to the applications and resources of an organization, they can  have single or multiple Active Directory tenant in order to authenticate and authorize an access to a resource. 

  • Number of Azure Subscriptions- Although a single Microsoft Sentinel instance can easily integrate data from from multiple subscriptions, some security solutions might have restrictions on their logging capabilities to limit the sending of logging/diagnostics data to different subscriptions. However, Microsoft Sentinel can be easily deployed in the existing or in its own subscription without any implications for its functionality; and if it's deployed in multiple subscriptions they can be easily managed centrally via regular assignment of Azure Active Directory roles.

  • Number of Azure Resource Group- A resource group can be termed as a container that can hold related resources for an Azure solution. Although generally a single resource group is more than enough, but sometimes the full solution may span multiple resource groups. 

  • Distribution of Azure PaaS Resources- As there is no cost for the traffic spanning between Azure PaaS regions while non-Azure environments incurs a bandwidth cost, the preferred location should be in the region having the majority of log-generating Azure resources. 

  • Data Segregation Requirements- As stated above, some organizations have strict requirements regarding the accessibility of the logging data between different business units, a single Microsoft Sentinel unit may work for these types of logging data's permissions; however, in order to gain full isolation, a dedicated Microsoft Sentinel instance will prove to be more suitable. 

  • Complex Organizational Structures- As an SIEM can prove to be an expensive security control, the multiple business units generally contribute to the overall expense which leads to the requirement of different levels of access to specific dashboards or sets of data by various organizational units.

  • Role-Based Access Control (RBAC) Requirements- Microsoft Sentinel offers a long list of Azure built-in roles that can provide granular access according to the job requirements and permitted level of access. 

  • Ingestion of Operational Logs versus Security Logs- Since organizations may also accumulate performance as well as operational logs for monitoring and day-to-day operational analytics purposes, these data may overlap with the security-related logging data for which Microsoft Sentinel will cost additionally to this full set of data, hence it's recommended to separate them. However, some organizations also consider that the extra visibility or correlation across the whole data set justifies the additional expense. 

  • Estimation of Log Ingestion Volume & Pricing Model- It is very difficult to know about the future log ingestion as organizations either generally try to include many new log sources that are not included in prior SIEM solution, or try to include the full range of logs from the existing log sources that were previously only logging partially or not at all.  

Architecture Design Output

In the end, the following items should be decided and documented before concluding a high-level design phase:
  • Azure region used for the Microsoft Sentinel Log Analytic Workspace(s).
  • Azure subscription, resource group, and log analytics workspace along with the naming convention and tags. 
  • Azure AD groups and the RBAC to be applied to each.
  • Log sources in scope (on-premises, Cloud, SaaS).
  • Microsoft Sentinel data connectors to be developed (if any).
  • Custom data connectors to be developed (if any).
  • On-premises syslog collectors.
  • Initial list of used cases to be implemented.
  • Internet/VPN/LAN/WAN connectivity between log sources and Microsoft Sentinel.
  • Estimated log ingestion volume (GB/day).
  • Data retention policy (in days or months).
  • Pricing model vs reserved capacity, depends upon the estimated log ingestion volume. 












To read part 1, please click here
To read part 3, please click here
To read part 4, please click here











































































































Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more