Project Resourcing (Part 2)

To read part 1, please click here



Engineering - SIEM

The SIEM engineer configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks:
  • Initial configuration of the Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters such as log retention, resource tagging, and blueprints.

  • Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. This is generally a joint effort of the system engineer and the SIEM engineer, covering both configuration and any troubleshooting.

  • Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics. 

  • Working with security operations to create and deploy KQL analytic rules that provide detections for the SOC/Computer Security Incident Response Team (CSIRT).
</grreplace>
<gr_replace lines="24" cat="clarify" orig="• Tuning of alert rule">
  • Tuning of alert rule parameters, including thresholds, detection logic, and assigned severity levels, to minimize false positives and correctly identify the behavior of a potential attacker.

  • Tuning of alert rule parameters, including thresholds, detection logic, and assigned criticality levels to minimize false positives and correctly identify the behavior of a potential attacker. 

  • Working with project management on stakeholder engagement, creating workbooks for data visualization, and dashboarding of Microsoft Sentinel content. The security architect can also provide valuable input on the KPIs to be captured in dashboards.

  • Creating automated workflows with Azure Logic Apps during the project phase. The SIEM engineer can also work with security operations to document response workflows for various incident types and to provision playbooks that automate response actions per incident, which is an effective way to get immediate value from a Microsoft Sentinel implementation.

  • Working, during the project phase, with the system owners of other IT systems, such as IT Service Management (ITSM) and helpdesk tools, to build integrated ticket workflows. Microsoft Sentinel integrates readily with platforms like ServiceNow or other API-enabled ITSM tooling to provide workflow automation for incident handling.

It is strongly recommended that SIEM engineers on Microsoft Sentinel deployments receive as much training as possible beforehand, ideally including a good introduction to related products such as the Microsoft Defender family.

Network Engineer

Network engineering resources will be required on demand to apply changes to firewalls or network infrastructure to facilitate log forwarding from data sources to Azure.

Business Analyst

It is very important to capture and evaluate the budget and resource impact of Azure data ingestion for each data source in a Microsoft Sentinel project. The Business Analyst (BA) should be able to provide an Azure cost analysis for each technical requirement. With the help of the SIEM engineer, the BA should model the expected Azure cost impact over time as the IT environment changes. An effective risk-based security program should be able to quantify the risk mitigation effect of each security control relative to the cost of that control.

Security Operations (SOC Analyst)

Security operations stakeholders are mainly responsible for documenting the detection, alerting, and threat-hunting requirements of the solution. As the end consumers of the service, it is ultimately their responsibility to articulate the build requirements.

Developer

Developer resources are a generally overlooked requirement for a Microsoft Sentinel project. Developer effort in languages like C# and Python is mainly needed to collect data from log sources (such as SaaS applications), and Azure Functions can be leveraged to a great extent for this. Developers can also build automation playbooks using Logic Apps, which can make use of a wide range of code to automate security operations tasks.

Compliance Manager

Interaction between the core Microsoft Sentinel team and the compliance manager is mandatory if an organization has legal, regulatory, or industry-specific compliance requirements to be satisfied by Microsoft Sentinel. Decisions on the log retention period, custom workbooks, and compliance reporting mandates are overseen by this resource.

Conclusion

This concludes the project resourcing topic, with an overview of the key roles and recommended approaches for deploying a new Microsoft Sentinel environment.