Core Microsoft Sentinel Solution Components
Azure Log Analytics Workspace
In Log Analytics workspace all the ingested are analyzed and initially stored. It is created in a specific Azure region. It has a configurable retention period of 30 days, that can be extended to as long as 730 days (2 years). The free log storage can be extended to 90 days if Microsoft Sentinel is enabled for a log analytics workspace.
If an organization wants to keep data for more than 90 days in a cost effective way, then they can use Azure Data Explorer (ADX) which is a big data analytics platform highly optimized for all types of logs and telemetry data analytics. While configuring Azure Log Analytics for use with Microsoft Sentinel, following steps should be followed:
- Log Analytics workspace in an Azure region should be deployed for multi-region architectures. It will minimize the egress cost of data transfer between regions. However, for complex architectures with multiple Microsoft Sentinel instances, initial consideration should be paid to the region where most of the data is produced and consumed to avoid data export charges. These export charges are only applicable to IaaS services [Virtual Machines (VMs)] not to Azure PaaS services.
- The organizations who works globally or in multiple countries, the data sovereignty compliance might require the creation of more than one log analytics workspaces, with their own unique settings for log retention and access to the stored data.
- The number of Log Analytics workspaces should be limited to some extent wherever possible. Also, in order to save future data ingestion charges, understand the relationship between security and operational data and how each will be ingested, beforehand.
- Implement a comprehensive Role-Based Access Control (RBAC) strategy for Log Analytics access early in the project.
- Configure Microsoft Sentinel Analytics rules for monitoring various data ingestion and costs related parameters. Analytic rules are powerful and can also be configured to perform monitoring on operational aspects of Microsoft Sentinel itself.
- Data that requires longer retention periods can be easily stored other alternative solutions, like Azure Data Explorer (ADX) or Azure Blob Storage.
- After selecting the built-in Microsoft Sentinel data archiving solution, the decision on the data retention and restoration available options in Microsoft Sentinel should be made soon. Search job limitations around the number of concurrent queries and time intervals may be an overly restrictive option for large enterprise organizations.
Azure Logic Apps
Azure Logic Apps are the great beneficiary of the capabilities of elastic compute and make use of the power of the Azure Cloud Platform to automatically scale and meet demand regardless of the complexity of the infrastructure capacity, hosting, maintenance, or availability of the workflows. They comes with many different out-of-the-box connectors that enables organizations to easily create Microsoft Sentinel playbooks for automated workflows.
Azure Logic Apps can easily run under a consumption-based pricing and metering model, which means that the fees is equivalent to the number of workflow actions Azure Logic Apps execute. The monthly price for deploying and using Logic Apps to orchestrate security event response is generally not a significant factor in the total running cost of Microsoft Sentinel. The versatility offers a wide range of options for reporting, alerting, and orchestration involving Microsoft Sentinel alerts.
Data Sources
Microsoft Sentinel can be successfully used to ingest and correlate data from a wide range of log sources located in a variety of cloud platforms (Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI)), on-premises network and compute infrastructure, third party security tools, and software as a service (SaaS) applications. Moreover, Microsoft Sentinel public community is regularly demonstrating new use cases and data connectors that expand the capabilities of the solution.
Conclusion
We have provided guidance on the deployment of the core Microsoft Sentinel solution components to be deployed in an Azure subscription.
Comments
Post a Comment