Sentinel POC- Architecture and Recommendations For MSSPs (Part 2)

By Ashwin Venugopal -

 




To read part 1, please click here
To read part 3, please click here
To read part 4, please click here
To read part 5, please click here







B2B or GDAP 

In order to access tenant level services, tenant level access is required. However, while testing Sentinel, this becomes more important because there are links provided to Microsoft Defender 365 and to make those links to work properly, the user must have access to the services.

GDAP and B2B offers the ability to access tenant level services. Everyone is quite familiar with B2B, which is available for all tenants to invite guests into their tenant to collaborate. But, some partners may have either compliance or cybersecurity insurance requirements preventing them from having an identity in their customers' tenants. Granular Delegated Admin Privileges (GDAP) is exclusively available to Cloud Solution Providers (CSPs) and it is configured by Partner Center. This one can help in accessing customer resources securely and does not require an identity in the customer's tenant.

Partners can choose either GDAP or B2B to access the tenants acting as customer tenant during the POC. For the purpose of Sentinel POC, the access and the behavior of using GDAP vs B2B is equivalent. However, if it is required to follow the same procedures during POC expected to be followed during go-live, then, it is recommended to configure GDAP. But, for simply testing the Sentinel's features for a period of time, then B2B can be used. 

More on CSPs

Cloud Solution Providers (CSPs) partners can create subscriptions for customers which is great for the customers not having security subscription and migrating from legacy SIEM solutions. Although this may not be used in POC, but can be tested according to the requirements of POC. That subscription will then be billed through the partner, but will remain associated with the customer's tenant. 

Where is data?

The customer's security subscription, where Sentinel is onboarded, should always be associated with the customer's tenant. Sentinel artifacts like, analytics rules, workbooks, automation rules, playbooks, etc., can easily exist either on MSSP workspace or the customer workspace. It should also be noted that features such as UEBA, and connectors like Defender 365, will only work with supported configuration depending on the data being ingested into the customer's workspace. The other types of data like Threat Intelligence (TI) data, can also be ingested into MSSP tenant.










To read part 1, please click here
To read part 3, please click here
To read part 4, please click here
To read part 5, please click here






























Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more