Design Planning (Part 3)

By Ashwin Venugopal -

 





To read part 1, please click here
To read part 2, please click here



Complex Organizational Structures

SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions. 

Role-based Access Control (RBAC) Requirements

Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles:
  • Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks. 
  • Microsoft Sentinel Reader- Can query the log data stored in Microsoft Sentinel but cannot modify any settings.
  • Microsoft Sentinel Responder- Can query the log data , can view and update incidents raised by security rules, but cannot modify alert rules. 
  • Microsoft Sentinel Playbook Operator- Can view and run automation playbooks. 
  • Microsoft Sentinel Automation Contributor- Not applicable to users, is used to grant the ability to associate playbooks with automation rules. 

Also, there are additional roles that are required to fully configure and use Microsoft Sentinel:

  1. Logic App Contributor- For creation and management of SOAR playbooks.
  2. Workbook Contributor- For creation and management of workbooks.
  3. Workbook Reader- For accessing/reading workbooks. 

Moreover, custom RBAC roles can be created and associated with the Microsoft Sentinel instance. The roles can applied at the subscription or resource group level with the recommendation being to provide the minimum permissions required to perform the job. However, if access to data is required for only a subset of data in Microsoft Sentinel tables, read-only dashboards can be provided or the data can be presented according to the custom queries or via Microsoft Power BI. 

Estimation of Log Ingestion Volume and Pricing Model

The estimation of future log ingestion is a challenging exercise. Selecting a sample of log and configuring them to send full logs for a typical day or week is often the most precise way to estimate the log ingestion volume. Based on the expected logging volume, a pricing model can be selected to take advantage of the commitment tier discounts offered by Microsoft. 

Architecture Design Output

At the end of the high-level design phase, the following items should be decided and documented:
  • Azure region used for Microsoft Sentinel Log Analytics workspace or workspaces.
  • Azure subscription, resource group, and log analytics workspace, including naming convention and tags.
  • Azure AD groups and the RBAC to be applied to each.
  • Log sources in scope (on-premises, cloud, SaaS).
  • Microsoft Sentinel data connectors to be developed (if applicable).
  • On-premises syslog collectors (quantity, location, operating system type, any extra configuration)
  • Initial list of use cases to be implemented.
  • Internet/VPN/LAN/WAN connectivity between log sources and Microsoft Sentinel.
  • Estimated log ingestion volume (GB/day). Data retention policy (in days or months).
  • Pricing model versus reserved capacity, depending on the estimated log ingestion volume. 

Conclusion

This ends the topics related to the Architecture Planning and Considerations with all the key factors.




To read part 1, please click here
To read part 2, please click here





































Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more