Posts

Showing posts from August, 2024

Deployment (Part 3)

To read part 1, please click here. To read part 2, please click here.

Microsoft Monitoring Agent (MMA)
MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered for use, the following areas should be covered during a Microsoft Sentinel deployment project:
Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.
Consider the central deployment and management methodology for MMA.
Determine which endpoints are in scope for deployment, as these affect the log ingestion volume significantly.

Azure Monitor Agent (AMA)
Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re

Deployment (Part 2)

To read part 1, please click here. To read part 3, please click here.

Microsoft Sentinel Content Hub
Content in Microsoft Sentinel includes any of the following types:
Data connectors offer log ingestion from different sources into Microsoft Sentinel.
Parsers provide log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios.
Workbooks provide monitoring, visualization, and interaction with data in Microsoft Sentinel, highlighting meaningful insights for users.
Analytics rules generate alerts that point to relevant SOC actions via incidents.
Hunting queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel.
Notebooks help SOC teams use advanced hunting features in Jupyter and Azure Notebooks.
Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue.
Playbooks and Azure Logic Apps custom connectors provide features for automated investigati

Deployment (Part 1)

To read part 2, please click here. To read part 3, please click here.

Azure Resources
Microsoft Sentinel needs the following resources to be created:
Subscription (if a dedicated subscription, or subscriptions, will be used)
Resource group(s)
Log Analytics workspace(s)
Automation rules/playbooks
Alert rules
Workbooks
Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates, along with hunting scripts. The templates can be used to activate/deploy scheduled alerts, create customized dashboards, create automation playbooks, and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc.
Methods of deployment:
Manual: An administrator can manually configure the Microsoft Sentinel resources through the Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and undocumented ch

Design Planning (Part 3)

To read part 1, please click here. To read part 2, please click here.

Complex Organizational Structures
SIEM can be an expensive security control; hence, it is common for multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.

Role-based Access Control (RBAC) Requirements
Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of these are Microsoft Sentinel-dedicated roles:
Microsoft Sentinel Contributor: Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and similar tasks.
Microsoft Sentinel Reader: Can query the log data stor

Design Planning (Part 2)

To read part 1, please click here. To read part 3, please click here.

Number of Azure Resource Groups
A Microsoft Sentinel Log Analytics workspace resides in a resource group, which is a container holding related resources for an Azure solution or Microsoft Sentinel. These resource groups allow granularity in assigning permissions and logical grouping of resources according to their purpose. Microsoft Sentinel can use multiple resources, such as Log Analytics workspaces, workbooks, Logic Apps, API connections, function apps, VMs, and many others. Generally, a single resource group is sufficient, but in some instances the full solution may span multiple resource groups. Hence, it is recommended to maintain all Microsoft Sentinel-related resources in a dedicated resource group if a dedicated subscription is not practical.

Distribution of Azure PaaS Resources
There is no cost for traffic that spans between Azure PaaS regions. However, the traffic egressed to non-Azure environments

Design Planning (Part 1)

To read part 2, please click here. To read part 3, please click here.

Data Residency Requirements
Depending on the type of business and customer residency, organizations might have compliance restrictions related to the logged data. These compliance regulations may not be defined clearly with respect to logging requirements and are subject to change over time. Hence, organizations may choose a local region to avoid complications. The selection of a region also carries implications for Microsoft Sentinel and Log Analytics costs, as well as the availability of resources in the specific region. Regions like the U.S. can offer a significant cost advantage in comparison to other regions. The discount can be significant depending upon the volume of log ingestion. Therefore, the project team should obtain organizational requirements related to data residency before deploying.

Number of Azure AD Tenants
An Azure AD tenant offers Identity and Access Management (IAM) capabilities for applications an

Project Resourcing (Part 2)

To read part 1, please click here.

Engineering - SIEM
The SIEM engineer configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks:
Initial configuration of the Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.
Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, this is a joint effort of the system engineer and the SIEM engineer, involving configuration and potential troubleshooting.
Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.
Working with security operations to create and deploy KQL analytic rules that provide detections for SOC/Computer Security Incident Response Team (CSIRT) use.
Tuning of alert rule parameter

Project Resourcing (Part 1)

To read part 2, please click here.

Project Planning
The following key points should be kept in mind during the project planning stage because they affect a project's duration:
Access to log sources, systems, and data owners.
Types of log sources (such as standard data connectors versus custom development).
Complexity of the Azure architecture (such as multiple tenants and cross-tenant searching).
Requirement for custom SOAR automation playbooks and interaction with other connected systems.
Azure cost assessment and optimization strategy.
Customer change management processes.
Main roles required for a successful Microsoft Sentinel deployment include:
Project Manager
Security Architect
Cloud Engineer
Engineering - systems owner
SIEM Engineer
Network Engineer
Business Analyst
SOC Analyst
Developer (languages vary, but C#, Java, and Python are often beneficial)
Compliance Manager

Project Manager
It is recommended to have experienced project management staff with Project Managem

Core Microsoft Sentinel Solution Components

Azure Log Analytics Workspace
In a Log Analytics workspace, all ingested data is analyzed and initially stored. It is created in a specific Azure region. It has a configurable retention period of 30 days, which can be extended to as long as 730 days (2 years). The free log storage can be extended to 90 days if Microsoft Sentinel is enabled for a Log Analytics workspace. If an organization wants to keep data for more than 90 days in a cost-effective way, it can use Azure Data Explorer (ADX), a big data analytics platform highly optimized for all types of logs and telemetry data analytics.
While configuring Azure Log Analytics for use with Microsoft Sentinel, the following steps should be followed:
A Log Analytics workspace should be deployed in each Azure region for multi-region architectures. This minimizes the egress cost of data transfer between regions. However, for complex architectures with multiple Microsoft Sentinel instances, initial consideration should be paid to the

Microsoft Sentinel Deployment Best Practices

Microsoft Sentinel Cloud-Native SIEM Architecture
Microsoft Sentinel is the first cloud-native security information and event management (SIEM) system from a major public cloud provider. It can be deployed in an enterprise's Azure tenant and accessed through the Microsoft Azure gateway. It guarantees compatibility with the organization's existing access control policies. Making use of integrations with Microsoft Defender tools and Azure services, like Log Analytics and Logic Apps for analysis and automation capabilities, Microsoft Sentinel enables organizations to obtain security signals and analyze them completely. Harnessing the elastic compute and storage capacity built into Azure for heavy data workloads like SIEM is a significant benefit compared to on-site solutions for analyzing logs. Moreover, Microsoft Sentinel has the capability to utilize Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) features offered in Azure to provide