Azure Sentinel - Cost Optimized Initial Setup & Configuration

❕This article has not been completed yet. However, it may already contain helpful Information and therefore it has been published at this stage

Description:

In this blog post I present all the necessary steps for setting up a cost optimized Sentinel environment, as well as the onboarding / connection of a first data source (Azure Activity Logs).

Prerequisite:

an Azure Subscription
3 previously created resource groups in Azure

- rg-sentinel
- rg-sentinel-automation
- rg-sentinel-operation

Info: This 👆 helps to separate different areas of responsibility with different authorizations (see link).

Creation of the Sentinel Workspace (Log Analytic Workspace):

Info: As you can see 👇, a Log Analytic Workspace (LOG) must be created first. It is recommended to set up a separate workspace for reasons of data security and management as well as for cost reasons.

Assignment of Sentinel Capabilities to the new Log Analytic Workspace:

Result:

Setting up the necessary permissions:

Setting up the necessary data rentention:

Recommended RBAC / Group Mapping:

(see link)

Custom Sentinel - Groups -> RBAC - Roles Groups:

"Microsoft-Sentinel-Contributor-CL" -> rg-sentinel / Microsoft Sentinel Contributor
"Microsoft-Sentinel-Reader-CL" -> rg-sentinel / Microsoft Sentinel Reader
"Microsoft-Sentinel-Responder-CL" -> rg-sentinel / Microsoft Sentinel Responder
"Microsoft-Sentinel-Operation-Contributor-CL" -> rg-sentinel-operation / Contributor
"Microsoft-Sentinel-Logic-App-Contributor-CL" -> rg-sentinel-automation / Logic App Contributor

Free Connectors:

(see link)

Individual description:

Azure Activity Log is a subscription log that offers insight into events that happen in Azure at the subscription level. These events include service health events, write operations performed on the resources in your subscription, and the status of activities carried out in Azure. Events from Azure Resource Manager operational data are also included in this log.

Free Ingestion: Logs

Info: Onboarding with this connector will be shown later in this blog.

Monitor the health and audit the integrity of supported Microsoft Sentinel resources (see link).

Free Ingestion: Logs

The Microsoft Entra ID Protection solution for Microsoft Sentinel allows you to ingest Security alerts reported in Microsoft Entra ID Protection for risky users and events in Microsoft Entra ID.

Free Ingestion: Alerts

Info: Connection for Microsoft Entra ID Protection is managed via Microsoft Defender XDR.

The Microsoft 365 (formerly, Office 365) activity log connector provides insight into ongoing user activities. You will get details of operations such as file downloads, access requests sent, changes to group events, set-mailbox and details of the user who performed the actions. By connecting Microsoft 365 (formerly, Office 365) logs into Microsoft Sentinel you can use this data to view dashboards, create custom alerts, and improve your investigation process.

Free Ingestion: Logs

The Microsoft Defender XDR solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.

Info: Microsoft Defender for Office 365 (legacy) can't be activated if Microsoft Defender XDR is activated.

Free Ingestion: Alerts

The Microsoft Defender for Endpoint solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Endpoint platform, integrating them into your Microsoft Sentinel Incidents queue.

Info: Connection for Microsoft Defender for Endpoint is managed via Microsoft Defender XDR.

Free Ingestion: Alerts

The Microsoft Defender for Identity solution for Microsoft Sentinel allows you to ingest security alerts reported in the Microsoft Defender for Identity platform to get better insights into the identity posture of your organization’s Active Directory environment.

Info: Connection for Microsoft Defender for Endpoint is managed via Microsoft Defender XDR.

Free Ingestion: Alerts

The Microsoft Defender for IoT solution for Microsoft Sentinel allows you to ingest Security alerts reported in Microsoft Defender for IoT on assessing your Internet of Things (IoT)/Operational Technology (OT) infrastructure.

Free Ingestion: Alerts

Info: Defender for IoT has to be set up.

The Microsoft Defender for Cloud solution for Microsoft Sentinel allows you to ingest Security alerts reported in Microsoft Defender for Cloud on assessing your hybrid cloud workload's security posture.

Free Ingestion: Incident and Alerts

10)

By connecting with Microsoft Defender for Cloud Apps you will gain visibility into your cloud apps, get sophisticated analytics to identify and combat cyberthreats, and control how your data travels.