Project Resourcing (Part 2)

 





To read part 1, please click here



Engineering - SIEM

The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks:
  • Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints. 

  • Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting. 

  • Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics. 

  • Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use.

  • Tuning of alert rule parameters, including thresholds, detection logic, and assigned criticality levels to minimize false positives and correctly identify the behavior of a potential attacker. 

  • Working with project management for stakeholder engagement, creating workbooks for data visualization, and dashboarding of Microsoft Sentinel content. The security architect can also provide valuable input on the KPIs to be captured in dashboards.

  • It is recommended to create automated workflows with the help of Azure Logic Apps at the project phase. They can also work with security operations to document response workflows for various incident types and provisioning playbooks. It can automate response actions per incident, which is an effective way to provide immediate value from Microsoft Sentinel implementation. 

  • It is suggested to Work with systems owners for other IT systems, such as IT Service Management (ITSM) and helpdesk tools to build integrated ticket workflows, at the project phase. Microsoft Sentinel can easily integrate with the platforms like ServiceNow or other ITSM API-enabled tooling to provide workflow automation for incident handling. 
It is very much recommended for SIEM engineers in Microsoft Sentinel deployments to be trained as much as possible beforehand, ideally along with a good introduction of related products like the Microsoft Defender family of products. 

Network Engineer

Network engineering resources will be required on demand to apply changes to firewalls or network infrastructure to facilitate log forwarding from data sources to Azure.

Business Analyst

It is very important to capture and evaluate the budget as well as resource impact of Azure data ingestion and various data source ingestions of a Microsoft Sentinel project. The Business Analyst (BA) should be able to offer an Azure cost analysis of each technical requirement. With the help of SIEM engineer , the BA should model the expected Azure cost impact over time as the IT environment changes. An effective risk-based security program should be able to quantify the risk mitigation effects of security controls related to the mitigation cost for a specific control. 

Security Operations (SOC Analyst)

Security operations stakeholders are mainly assigned to detect the document, alerting, threat-hunting requirements of the solution. It is ultimately their responsibility as the end consumer of the service to articulate the build requirements.

Developer

Developer resources are generally overlooked requirements for a Microsoft Sentinel project. Programming languages like C# and Python along with the developer effort mainly require data from log sources (such as SaaS applications) and can be leveraged to a great extent by Azure functions. Developers can also build automation playbooks using Logic Apps, which can make use of a wide range of code to automate security operations tasks.

Compliance Manager

Interaction between the core Microsoft Sentinel team and compliance manager is mandatory if an organization has legal, regulatory, or industry-specific compliance requirements to be satisfied by Microsoft Sentinel. Decisions of log retention period, custom workbooks, and compliance reporting mandates are overseen by this resource. 

Conclusion

This ends the project resourcing topic with an overview of key components and recommended approaches to deploy the new Microsoft Sentinel environment. 






To read part 1, please click here














Comments

  1. APTRON Solutions offers a well-rounded curriculum that covers all essential topics of Microsoft Azure Fundamentals Institute in Noida. From understanding cloud concepts to exploring Azure services, our course is meticulously designed to provide a strong foundation. We also offer practical sessions, case studies, and projects that mirror real-life scenarios, helping you gain hands-on experience.

    ReplyDelete

Post a Comment

Popular posts from this blog

Deployment (Part 3)

Design Planning (Part 3)