Design Planning (Part 3)

 





To read part 1, please click here
To read part 2, please click here



Complex Organizational Structures

SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions. 

Role-based Access Control (RBAC) Requirements

Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles:
  • Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks. 
  • Microsoft Sentinel Reader- Can query the log data stored in Microsoft Sentinel but cannot modify any settings.
  • Microsoft Sentinel Responder- Can query the log data , can view and update incidents raised by security rules, but cannot modify alert rules. 
  • Microsoft Sentinel Playbook Operator- Can view and run automation playbooks. 
  • Microsoft Sentinel Automation Contributor- Not applicable to users, is used to grant the ability to associate playbooks with automation rules. 

Also, there are additional roles that are required to fully configure and use Microsoft Sentinel:

  1. Logic App Contributor- For creation and management of SOAR playbooks.
  2. Workbook Contributor- For creation and management of workbooks.
  3. Workbook Reader- For accessing/reading workbooks. 

Moreover, custom RBAC roles can be created and associated with the Microsoft Sentinel instance. The roles can applied at the subscription or resource group level with the recommendation being to provide the minimum permissions required to perform the job. However, if access to data is required for only a subset of data in Microsoft Sentinel tables, read-only dashboards can be provided or the data can be presented according to the custom queries or via Microsoft Power BI. 

Estimation of Log Ingestion Volume and Pricing Model

The estimation of future log ingestion is a challenging exercise. Selecting a sample of log and configuring them to send full logs for a typical day or week is often the most precise way to estimate the log ingestion volume. Based on the expected logging volume, a pricing model can be selected to take advantage of the commitment tier discounts offered by Microsoft. 

Architecture Design Output

At the end of the high-level design phase, the following items should be decided and documented:
  • Azure region used for Microsoft Sentinel Log Analytics workspace or workspaces.
  • Azure subscription, resource group, and log analytics workspace, including naming convention and tags.
  • Azure AD groups and the RBAC to be applied to each.
  • Log sources in scope (on-premises, cloud, SaaS).
  • Microsoft Sentinel data connectors to be developed (if applicable).
  • On-premises syslog collectors (quantity, location, operating system type, any extra configuration)
  • Initial list of use cases to be implemented.
  • Internet/VPN/LAN/WAN connectivity between log sources and Microsoft Sentinel.
  • Estimated log ingestion volume (GB/day). Data retention policy (in days or months).
  • Pricing model versus reserved capacity, depending on the estimated log ingestion volume. 

Conclusion

This ends the topics related to the Architecture Planning and Considerations with all the key factors.




To read part 1, please click here
To read part 2, please click here





































Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)