❕This article has not been completed yet. However, it may already contain helpful information and has therefore been published at this stage.

Description:

In this blog post I present all the steps needed to set up a cost-optimized Sentinel environment, as well as the onboarding / connection of a first data source (Azure Activity Logs).

Prerequisite:

  • an Azure Subscription
  • 3 previously created resource groups in Azure

    - rg-sentinel
    - rg-sentinel-automation
    - rg-sentinel-operation

    Info: This 👆 helps to separate different areas of responsibility with different authorizations (see link).

Creation of the Sentinel Workspace (Log Analytics Workspace):

Info: As you can see 👇, a Log Analytics Workspace (LOG) must be created first. A separate workspace is recommended for reasons of data security and management as well as for cost reasons.


Assignment of Sentinel Capabilities to the new Log Analytics Workspace:

Result:


Setting up the necessary permissions:


Setting up the necessary data retention:


(see link)
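The three steps above (create the workspace, enable Sentinel on it, set the retention) can be scripted with the Azure CLI. The following is an added example and not code from the original post; it uses the post's resource group name rg-sentinel, while the workspace name, location and the 90-day retention default are constructed assumptions you can override through environment variables. The retention check mirrors the 30 to 730 day range the workspace accepts, and the onboarding-state PUT is the REST call the script assumes for enabling Sentinel on a workspace.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: create the Log Analytics
# workspace in rg-sentinel, set its interactive retention, register the
# resource providers Sentinel needs and enable Sentinel on the workspace.
# Assumptions: az CLI is installed and logged in; workspace name, location
# and retention are constructed defaults, override them via the environment.
set -eu

RG="rg-sentinel"                               # from the post
WORKSPACE="${WORKSPACE:-law-sentinel}"         # constructed name
LOCATION="${LOCATION:-westeurope}"             # assumption
RETENTION_DAYS="${RETENTION_DAYS:-90}"         # assumption

# Interactive retention must be a whole number of days between 30 and 730.
validate_retention() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 30 ] && [ "$1" -le 730 ]
}

# ARM URL of the Sentinel onboarding-state resource for a workspace
# (arguments: subscription id, resource group, workspace name). Assumed API.
onboarding_url() {
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2023-02-01' "$1" "$2" "$3"
}

main() {
  validate_retention "$RETENTION_DAYS" || { echo "RETENTION_DAYS must be 30..730" >&2; return 1; }
  SUB_ID="$(az account show --query id -o tsv)"

  # Enabling Sentinel needs these providers registered; the missing
  # Microsoft.OperationsManagement/register/action error quoted in the
  # references is what you see when the account lacks the right to do this.
  az provider register --namespace Microsoft.OperationsManagement
  az provider register --namespace Microsoft.SecurityInsights

  az group create --name "$RG" --location "$LOCATION" -o none
  az monitor log-analytics workspace create \
    --resource-group "$RG" --workspace-name "$WORKSPACE" \
    --location "$LOCATION" --retention-time "$RETENTION_DAYS" -o none

  # Enable Sentinel by creating the onboarding state (customer-managed key off).
  az rest --method put --url "$(onboarding_url "$SUB_ID" "$RG" "$WORKSPACE")" \
    --body '{"properties":{"customerManagedKey":false}}' -o none

  # Check: retention and onboarding state as the service reports them.
  az monitor log-analytics workspace show -g "$RG" -n "$WORKSPACE" --query retentionInDays -o tsv
  az rest --method get --url "$(onboarding_url "$SUB_ID" "$RG" "$WORKSPACE")" --query properties
}

# Only talk to Azure when explicitly asked, so the helpers can be sourced and checked.
if [ "${SENTINEL_APPLY:-0}" = "1" ]; then main; fi
```

Run it with `SENTINEL_APPLY=1 ./create-workspace.sh` (file name constructed) from an account that holds Owner or Contributor on the subscription, since both the provider registration and the onboarding-state write are subscription-scoped actions.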

Custom Sentinel groups -> RBAC role assignments (group -> resource group / role):

  • "Microsoft-Sentinel-Contributor-CL" -> rg-sentinel / Microsoft Sentinel Contributor
  • "Microsoft-Sentinel-Reader-CL" -> rg-sentinel / Microsoft Sentinel Reader
  • "Microsoft-Sentinel-Responder-CL" -> rg-sentinel / Microsoft Sentinel Responder
  • "Microsoft-Sentinel-Operation-Contributor-CL" -> rg-sentinel-operation / Contributor
  • "Microsoft-Sentinel-Logic-App-Contributor-CL" -> rg-sentinel-automation / Logic App Contributor
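The group-to-role mapping above can be applied with `az role assignment create`, scoped to the resource group named in each line rather than to the subscription, which is what keeps the three areas of responsibility apart. The script below is an added example, not code from the original post; it assumes the five groups already exist in Entra ID under the listed display names, and the subscription id is a placeholder to be replaced. The `assignment_allowed` guard encodes the post's separation rule so that a typo in the list cannot silently grant a Sentinel role or the broad Contributor role on the wrong resource group.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: assign the post's five custom
# groups to their roles with Azure RBAC, scoped to the resource group named
# in the list. Assumptions: the groups already exist in Entra ID with these
# display names; SUB_ID is a placeholder until you export your own.
set -eu

SUB_ID="${SUB_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder

# group display name | resource group | role (taken from the post's list)
ASSIGNMENTS='Microsoft-Sentinel-Contributor-CL|rg-sentinel|Microsoft Sentinel Contributor
Microsoft-Sentinel-Reader-CL|rg-sentinel|Microsoft Sentinel Reader
Microsoft-Sentinel-Responder-CL|rg-sentinel|Microsoft Sentinel Responder
Microsoft-Sentinel-Operation-Contributor-CL|rg-sentinel-operation|Contributor
Microsoft-Sentinel-Logic-App-Contributor-CL|rg-sentinel-automation|Logic App Contributor'

scope_for_rg() { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

# Guard against mis-scoped assignments: Sentinel roles only on rg-sentinel,
# the broad Contributor role only on rg-sentinel-operation, and the
# Logic App role only on rg-sentinel-automation. Arguments: rg, role.
assignment_allowed() {
  case "$2" in
    "Microsoft Sentinel "*)   [ "$1" = "rg-sentinel" ] ;;
    "Contributor")            [ "$1" = "rg-sentinel-operation" ] ;;
    "Logic App Contributor")  [ "$1" = "rg-sentinel-automation" ] ;;
    *) return 1 ;;
  esac
}

assignment_count() { printf '%s\n' "$ASSIGNMENTS" | wc -l | tr -d ' '; }

apply_assignments() {
  printf '%s\n' "$ASSIGNMENTS" | while IFS='|' read -r group rg role; do
    assignment_allowed "$rg" "$role" || { echo "refusing '$role' on $rg" >&2; exit 1; }
    oid="$(az ad group show --group "$group" --query id -o tsv)"
    az role assignment create --assignee-object-id "$oid" --assignee-principal-type Group \
      --role "$role" --scope "$(scope_for_rg "$SUB_ID" "$rg")" -o none
  done
  # Review what is now assigned at each resource group.
  for rg in rg-sentinel rg-sentinel-operation rg-sentinel-automation; do
    az role assignment list --scope "$(scope_for_rg "$SUB_ID" "$rg")" \
      --query "[].{principal:principalName, role:roleDefinitionName}" -o table
  done
}

if [ "${SENTINEL_APPLY:-0}" = "1" ]; then apply_assignments; fi
```

Passing `--assignee-principal-type Group` together with the object id avoids the Graph lookup race that otherwise makes assignments for freshly created groups fail, and the final `az role assignment list` per resource group is the review step worth repeating whenever the groups change.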

Free Connectors:

(see link)

Individual description:

1)

Azure Activity Log is a subscription log that offers insight into events that happen in Azure at the subscription level. These events include service health events, write operations performed on the resources in your subscription, and the status of activities carried out in Azure. Events from Azure Resource Manager operational data are also included in this log.

Free Ingestion: Logs

Info: Onboarding with this connector will be shown later in this blog.

2)

Monitor the health and audit the integrity of supported Microsoft Sentinel resources (see link).

Free Ingestion: Logs

3)

The Microsoft Entra ID Protection solution for Microsoft Sentinel allows you to ingest Security alerts reported in Microsoft Entra ID Protection for risky users and events in Microsoft Entra ID.

Free Ingestion: Alerts

Info: Connection for Microsoft Entra ID Protection is managed via Microsoft Defender XDR.

4)

The Microsoft 365 (formerly, Office 365) activity log connector provides insight into ongoing user activities. You will get details of operations such as file downloads, access requests sent, changes to group events, set-mailbox and details of the user who performed the actions. By connecting Microsoft 365 (formerly, Office 365) logs into Microsoft Sentinel you can use this data to view dashboards, create custom alerts, and improve your investigation process.

Free Ingestion: Logs

5)

The Microsoft Defender XDR solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.

Info: Microsoft Defender for Office 365 (legacy) can't be activated if Microsoft Defender XDR is activated.

Free Ingestion: Alerts

6)

The Microsoft Defender for Endpoint solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Endpoint platform, integrating them into your Microsoft Sentinel Incidents queue.

Info: Connection for Microsoft Defender for Endpoint is managed via Microsoft Defender XDR.

Free Ingestion: Alerts

7)

The Microsoft Defender for Identity solution for Microsoft Sentinel allows you to ingest security alerts reported in the Microsoft Defender for Identity platform to get better insights into the identity posture of your organization’s Active Directory environment.

Info: Connection for Microsoft Defender for Endpoint is managed via Microsoft Defender XDR.

Free Ingestion: Alerts

8)

The Microsoft Defender for IoT solution for Microsoft Sentinel allows you to ingest Security alerts reported in Microsoft Defender for IoT on assessing your Internet of Things (IoT)/Operational Technology (OT) infrastructure.

Free Ingestion: Alerts

Info: Defender for IoT has to be set up.

9)

The Microsoft Defender for Cloud solution for Microsoft Sentinel allows you to ingest Security alerts reported in Microsoft Defender for Cloud on assessing your hybrid cloud workload's security posture.

Free Ingestion: Incident and Alerts

10)

By connecting with Microsoft Defender for Cloud Apps you will gain visibility into your cloud apps, get sophisticated analytics to identify and combat cyberthreats, and control how your data travels.

Free Ingestion: Alerts

Additional Info: New Microsoft Sentinel workspaces can ingest 10GB/day of log data for the first 31 days at no cost (see link).


Onboarding / Connecting Azure Activity:
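Connecting the Azure Activity log comes down to a subscription-level diagnostic setting that sends the Activity log categories to the Sentinel workspace. The script below is an added example, not code or screenshots from the original post; it assumes the diagnostic-setting mechanism used by the current Azure Activity connector (check the connector page in your tenant), reuses the constructed workspace name and location from earlier, and finishes with a KQL query against the AzureActivity table so you can confirm that events are arriving per category.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: route the subscription's
# Azure Activity log into the Sentinel workspace through a subscription-level
# diagnostic setting (assumed mechanism of the Azure Activity connector),
# then query the AzureActivity table to confirm data arrives.
set -eu

RG="rg-sentinel"                            # from the post
WORKSPACE="${WORKSPACE:-law-sentinel}"      # constructed name
LOCATION="${LOCATION:-westeurope}"          # assumption
SETTING_NAME="diag-activity-to-sentinel"    # constructed name

# Activity log categories; all enabled because this ingestion is free.
CATEGORIES="Administrative Security ServiceHealth Alert Recommendation Policy Autoscale ResourceHealth"

category_count() { set -- $CATEGORIES; echo $#; }

# Build the --logs JSON array from CATEGORIES.
activity_log_settings_json() {
  out='['; sep=''
  for c in $CATEGORIES; do
    out="$out$sep{\"category\":\"$c\",\"enabled\":true}"
    sep=','
  done
  printf '%s]' "$out"
}

main() {
  WS_ID="$(az monitor log-analytics workspace show -g "$RG" -n "$WORKSPACE" --query id -o tsv)"
  WS_CUSTOMER_ID="$(az monitor log-analytics workspace show -g "$RG" -n "$WORKSPACE" --query customerId -o tsv)"

  az monitor diagnostic-settings subscription create \
    --name "$SETTING_NAME" --location "$LOCATION" \
    --workspace "$WS_ID" --logs "$(activity_log_settings_json)" -o none

  # Events appear after a few minutes; this shows volume per category and
  # doubles as a first readiness check of the new table for detection rules.
  az monitor log-analytics query -w "$WS_CUSTOMER_ID" --analytics-query \
    'AzureActivity | where TimeGenerated > ago(1h) | summarize events=count() by CategoryValue' -o table
}

if [ "${SENTINEL_APPLY:-0}" = "1" ]; then main; fi
```

Run it once per subscription you want covered; the diagnostic setting lives on the subscription, not on the workspace, so every additional subscription needs its own setting pointing at the same workspace.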



References:

  • Which data connector and activity is free in Microsoft Sentinel?
  • Missing permission 'Microsoft.OperationsManagement/register/action' on scope '/subscriptions/8c507d2e-37ef-4ae1-864f-fd05f45b3cdb' is required to add Microsoft Sentinel to the selected workspace - Microsoft Q&A
  • Roles and permissions in Microsoft Sentinel
  • Quickstart: Onboard to Microsoft Sentinel
  • Plan costs, understand pricing and billing - Microsoft Sentinel
  • Free Data Ingestion into Microsoft Sentinel Explained