Core Microsoft Sentinel Solution Components

By Ashwin Venugopal -

 





Azure Log Analytics Workspace

In Log Analytics workspace all the ingested are analyzed and initially stored. It is created in a specific Azure region. It has a configurable retention period of 30 days, that can be extended to as long as 730 days (2 years). The free log storage can be extended to 90 days if Microsoft Sentinel is enabled for a log analytics workspace. 

If an organization wants to keep data for more than 90 days in a cost effective way, then they can use Azure Data Explorer (ADX) which is a big data analytics platform highly optimized for all types of logs and telemetry data analytics. While configuring Azure Log Analytics for use with Microsoft Sentinel, following steps should be followed:

  • Log Analytics workspace in an Azure region should be deployed for multi-region architectures. It will minimize the egress cost of data transfer between regions. However, for complex architectures with multiple Microsoft Sentinel instances, initial consideration should be paid to the region where most of the data is produced and consumed to avoid data export charges. These export charges are only applicable to IaaS services [Virtual Machines (VMs)] not to Azure PaaS services.

  • The organizations who works globally or in multiple countries, the data sovereignty compliance might require the creation of more than one log analytics workspaces, with their own unique settings for log retention and access to the stored data.

  • The number of Log Analytics workspaces should be limited to some extent wherever possible. Also, in order to save future data ingestion charges, understand the relationship between security and operational data and how each will be ingested, beforehand. 

  • Implement a comprehensive Role-Based Access Control (RBAC) strategy for Log Analytics access early in the project.

  • Configure Microsoft Sentinel Analytics rules for monitoring various data ingestion and costs related parameters. Analytic rules are powerful and can also be configured to perform monitoring on operational aspects of Microsoft Sentinel itself. 

  • Data that requires longer retention periods can be easily stored other alternative solutions, like Azure Data Explorer (ADX) or Azure Blob Storage.

  • After selecting the built-in Microsoft Sentinel data archiving solution, the decision on the data retention and restoration available options in Microsoft Sentinel should be made soon. Search job limitations around the number of concurrent queries and time intervals may be an overly restrictive option for large enterprise organizations.

Azure Logic Apps

Azure Logic Apps are the great beneficiary of the capabilities of elastic compute and make use of the power of the Azure Cloud Platform to automatically scale and meet demand regardless of the complexity of the infrastructure capacity, hosting, maintenance, or availability of the workflows. They comes with many different out-of-the-box connectors that enables organizations to easily create Microsoft Sentinel playbooks for automated workflows. 

Azure Logic Apps can easily run under a consumption-based pricing and metering model, which means that the fees is equivalent to the number of workflow actions Azure Logic Apps execute. The monthly price for deploying and using Logic Apps to orchestrate security event response is generally not a significant factor in the total running cost of Microsoft Sentinel. The versatility offers a wide range of options for reporting, alerting, and orchestration involving Microsoft Sentinel alerts. 

Data Sources

Microsoft Sentinel can be successfully used to ingest and correlate data from a wide range of log sources located in a variety of cloud platforms (Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI)), on-premises network and compute infrastructure, third party security tools, and software as a service (SaaS) applications. Moreover, Microsoft Sentinel public community is regularly demonstrating new use cases and data connectors that expand the capabilities of the solution. 

Conclusion

We have provided guidance on the deployment of the core Microsoft Sentinel solution components to be deployed in an Azure subscription. 
































































Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more