2. Scope of Work
• Integration with components such as:
  • Virtual and physical servers (Windows & Linux)
• Cloud servers
• Switches
• WiFi controllers
• WAN accelerators
• Firewalls
• Security solutions
• Storage arrays
• AD
• Exchange messaging
• SharePoint web servers
• SAP servers and databases
• Microsoft Sentinel implementation
• Event analysis: Use Cases & Hunting Queries
• Automation of incident response: Incident identification & handling, alert and remediation management, workflows and tasks for response processes.
• Global visibility of IT security: Dashboards & Reports Creation
• Log Retention & Archiving
• Log Integrity & Data Confidentiality
• Service Continuity & Fault Tolerance
• Integration with 3rd Party Services and APIs & Connectors Availability
• Documentation (Design, Installation, Configuration, User & Maintenance Guide, Monitoring reports)
3. Microsoft Sentinel
Optimize security operations with cloud-native SIEM + SOAR powered by AI and automation
• Harness the scale of the cloud
• Detect evolving threats
• Expedite incident response
• Get ahead of attackers
5. Microsoft Sentinel Core Capabilities
Monitor and Detect
  • Collect: Data Connectors
  • Visibility: Workbooks, Watchlists
  • Hunting: Queries, Notebooks
  • Analytic Rules: Scheduled, NRT, Fusion, Anomalies
  • Intelligence: TI Enrichment
Investigate
  • Incidents: Incident Management and Investigations
Respond
  • Automation: Remediation, Playbooks and Automation Rules
Analytics & Hunting underpin all three stages.
6. Proposed Design
Log sources and their ingestion paths into MS Sentinel:
  • VMs (Linux & Windows) servers directly: logs sent straight to MS Sentinel
  • VMs (Linux & Windows) servers via Gateway: Log Analytics Gateway (HA), 2 servers including HA
  • Network Devices & Security Solutions: Syslog Server (HA), 8 servers including HA
  • Custom Apps supporting Syslog: Syslog Server (HA)
  • Resources supporting API and Custom Apps: HTTP Data Collector API
Benefits of Design
• Minimum Risk
• Low resource consumption
• Syslog servers and Gateway server could also be reduced, but due to bandwidth limitations we can't reduce them further.
7. Pre-Deployment Steps
• This section introduces the activities and prerequisites that need to be planned before deploying Microsoft Sentinel.
Steps and details:
  1. Plan & Prepare: Overview and prerequisites review; set up the Azure tenant prerequisites.
  2. Plan Workspace Architecture: Reviewing and implementing Log Analytics Workspace, Microsoft Sentinel, Data Retention & Archiving.
  3. Prioritize Data Connectors: Prioritizing integration of data sources.
  4. Plan Roles and Permissions: Setting up Azure RBAC for the Security Team.
  5. Plan Costs: Using the Pay-as-you-Go pricing tier.
8. Azure tenant Prerequisites
• A Microsoft Entra ID license and tenant, or an individual account with a valid payment method, are required to
access Azure and deploy resources.
• After having a tenant, an Azure subscription is required to track resource creation and billing.
• An admin or higher from the Microsoft Entra tenant will be designated as the owner/contributor for the
subscription.
• A Log Analytics workspace is required to house all of the data that Microsoft Sentinel will be ingesting and
using for its detections, analytics, and other features.
• A resource group will be created that will be dedicated to Microsoft Sentinel and the resources that Microsoft
Sentinel uses, including the Log Analytics workspace, any playbooks, workbooks, and so on.
• Sentinel doesn't provide built-in archiving; for archiving, Azure Storage will be used and the archiving process will be automated using Logic Apps.
9. Permissions
Type: Azure Access Requirements
  Role Name: Owner
  Description: Configuring Azure RBAC, Log Analytics Workspace, Microsoft Sentinel & Azure Storage Account
Type: Windows Server (Azure & Non-Azure)
  Role Name: Temporary Admin
  Description: Developing & Configuring Log Analytics Gateway and Installation of AMA Agents
Type: Syslog Server
  Role Name: Root Access
  Description: Developing & Configuring Syslog Server and Installation of AMA Agents for Security & Network Devices Logs
Type: VPN User
  Role Name: VPN access
  Description: For configuration, tuning and troubleshooting
10. Assets Prerequisites
Asset: Syslog Servers x 8 (Including HA)
  CPU & RAM: Minimum of 4 CPU cores and 16 GB RAM
  Operating Systems:
    1. CentOS 8 including minor versions (64-bit/32-bit) (Recommended)
    2. Red Hat Enterprise Linux (RHEL) Server 8 (64-bit/32-bit)
    3. Debian GNU/Linux 8 and 9 (64-bit/32-bit)
    4. Ubuntu Linux 20.04 LTS (64-bit only)
  Storage: 1 TB for Primary Syslog Server; 500 GB for Secondary Syslog Server
  Daemon versions: Rsyslog version 8
  Packages: Python 3
  Network Requirements: Outbound connection over Port 443 to the following domains:
    *.ods.opinsights.azure.com
    *.oms.opinsights.azure.com
    *.blob.core.windows.net
    *.azure-automation.net
11. Assets Prerequisites
Asset: Log Analytics Gateway x 2 (Including HA)
  CPU & RAM: Minimum of 4 CPU cores and 16 GB RAM
  Operating Systems:
    1. Windows Server 2022 (64 Bit)
    2. Windows Server 2019 (64 Bit)
    3. Windows Server 2016 (64 Bit)
  Storage: 500 GB for Primary Server; 256 GB for Secondary Server
  Application/Framework: Microsoft .NET Framework 4.5
  Network Requirements: Outbound connection over Port 443 to the following domains:
    *.ods.opinsights.azure.com
    *.oms.opinsights.azure.com
    *.blob.core.windows.net
    *.azure-automation.net
12. Log Retention & Archiving
• Retention Policy for 6 months can be set on Azure Portal, and it can be applied to each data sources table
(SecurityEvents, AzureActivity, OfficeActivity and Custom tables)
• Sentinel doesn't provide built-in archiving; for archiving, Azure Storage will be used and the archiving process will be automated using Logic Apps.
Log Integrity
• Use Secure Data Storage: Store logs in a secure and tamper-resistant data storage solution. Azure Storage,
particularly Azure Blob Storage, is a suitable choice for storing log data.
• Encryption at Rest: Enable encryption at rest for the storage account where logs are stored. Azure Blob Storage supports encryption to protect data while it's stored on disk.
• Access Controls: Implement strong access controls and permissions on the log storage container and account.
Use Azure Active Directory (Azure AD) to manage access and ensure that only authorized personnel can read
or modify logs.
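Storage-layer controls (encryption at rest, RBAC on the container) protect the archive, but they do not by themselves tell an analyst whether an archived log file still matches what was written. The script below is an added example, not part of the deck or of any Microsoft tooling: it builds a hash-chained SHA-256 manifest over a directory of archived log exports and re-verifies it later, reporting modified, missing or unlisted files and any edit to the manifest itself. The file names and log lines are constructed samples; in practice the manifest would be produced by the archiving Logic App or a script beside it and stored separately from the blobs it covers.

```python
# Added example (not part of the original deck): build and verify a hash-chained
# manifest for archived log files, so that tampering with, deleting or silently
# adding an archived file is detectable independently of the storage layer.
# File names and log contents below are constructed samples.
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Optional

GENESIS = "0" * 64  # chain value before the first entry


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def chain_link(prev: str, name: str, digest: str) -> str:
    """Each entry's chain value covers the previous chain value plus this
    file's name and digest, so removing or reordering an entry breaks every
    later link and the final head value."""
    return hashlib.sha256(f"{prev}|{name}|{digest}".encode()).hexdigest()


def build_manifest(archive_dir: Path) -> dict:
    """Hash every file in archive_dir (sorted, so the result is deterministic)."""
    prev = GENESIS
    entries = []
    for path in sorted(p for p in archive_dir.iterdir() if p.is_file()):
        digest = sha256_file(path)
        prev = chain_link(prev, path.name, digest)
        entries.append({"name": path.name, "sha256": digest, "chain": prev})
    return {"algorithm": "sha256", "entries": entries, "head": prev}


def verify_manifest(archive_dir: Path, manifest: dict) -> list:
    """Re-check every file against the manifest. Returns a list of
    (file name, problem) tuples; an empty list means the archive is intact."""
    problems = []
    prev = GENESIS
    for entry in manifest["entries"]:
        path = archive_dir / entry["name"]
        if not path.is_file():
            problems.append((entry["name"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["name"], "content modified"))
        if chain_link(prev, entry["name"], entry["sha256"]) != entry["chain"]:
            problems.append((entry["name"], "manifest entry altered"))
        prev = entry["chain"]
    if prev != manifest["head"]:
        problems.append(("<manifest>", "head mismatch (entries added or removed)"))
    listed = {e["name"] for e in manifest["entries"]}
    for path in archive_dir.iterdir():  # files nobody recorded are suspicious too
        if path.is_file() and path.name not in listed:
            problems.append((path.name, "not in manifest"))
    return problems


def demo(tmp_dir: Optional[Path] = None) -> tuple:
    """Write two constructed archive files, build a manifest, then tamper with
    one file and show the verifier catches it. Returns (before, after)."""
    if tmp_dir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(Path(d) / "archive")
    tmp_dir.mkdir(parents=True, exist_ok=True)
    (tmp_dir / "SecurityEvent_2024-01-01.json").write_text(
        '{"TimeGenerated":"2024-01-01T00:00:00Z","EventID":4624}\n')
    (tmp_dir / "Syslog_2024-01-01.log").write_text(
        "Jan  1 00:00:01 fw01 kernel: constructed sample line\n")
    manifest = build_manifest(tmp_dir)
    before = verify_manifest(tmp_dir, manifest)
    # Simulate an after-the-fact edit of an archived line.
    (tmp_dir / "Syslog_2024-01-01.log").write_text(
        "Jan  1 00:00:01 fw01 kernel: altered line\n")
    after = verify_manifest(tmp_dir, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)   # []
    print("after tampering:", after)     # [('Syslog_2024-01-01.log', 'content modified')]
```

The manifest should be written to a location the archive writer cannot modify after the fact (a separate container with its own access policy, or a ticketing/SOC record), since a manifest stored beside the logs under the same permissions can be rewritten along with them.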
13. Data Confidentiality
• Transport Layer Security (TLS) Encryption: Syslog over TLS: When sending logs using Syslog, configure your data
sources to use TLS encryption.
• HTTPS (Secure Web Services): When sending data from applications or services to Microsoft Sentinel, use HTTPS
to encrypt data in transit. Sentinel supports HTTPS for data ingestion from various sources.
• Role-Based Access Control (RBAC): Implement RBAC in Azure Sentinel to control access to data. Ensure that only authorized personnel have access to log data and encryption keys. RBAC helps you enforce the principle of least privilege.
• Encryption in Azure Sentinel Connectors: Some Azure Sentinel connectors allow you to specify encryption settings during configuration. For instance, when setting up Microsoft 365 data connectors, you can enable encryption for data in transit and at rest.
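For the custom applications that the design feeds in through the HTTP Data Collector API, "use HTTPS" is only half of the confidentiality story: every request must also be authenticated with an HMAC-SHA256 "SharedKey" signature over the request metadata, computed with the workspace key. The code below is an added example, not part of the deck or of a Microsoft SDK; it assembles the signed HTTPS request exactly as the documented API expects (signature over method, content length, content type, x-ms-date and /api/logs), without performing the network call. The workspace ID, shared key and log records are constructed placeholders.

```python
# Added example (not part of the original deck): build the signed HTTPS request
# that the Log Analytics HTTP Data Collector API expects from a custom
# application. The URL is HTTPS only and every request carries an HMAC-SHA256
# "SharedKey" signature, so a forwarded or replayed body with a different
# length or date does not verify. Workspace ID and key are constructed values.
import base64
import datetime
import hashlib
import hmac
import json
from typing import Optional

API_RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"
CONTENT_TYPE = "application/json"

# Constructed placeholders; real values come from the workspace's Agents page.
EXAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
EXAMPLE_SHARED_KEY = "c2VjcmV0LWtleS1wbGFjZWhvbGRlcg=="  # base64 placeholder


def build_signature(workspace_id: str, shared_key_b64: str, rfc1123_date: str,
                    content_length: int, method: str = "POST",
                    content_type: str = CONTENT_TYPE,
                    resource: str = API_RESOURCE) -> str:
    """Authorization header value: the method, content length, content type,
    x-ms-date header and resource path are joined by newlines and HMAC-SHA256'd
    with the base64-decoded workspace key."""
    string_to_sign = "\n".join([
        method, str(content_length), content_type,
        f"x-ms-date:{rfc1123_date}", resource])
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id: str, shared_key_b64: str, log_type: str,
                  records: list,
                  when: Optional[datetime.datetime] = None) -> dict:
    """Return the URL, headers and body for one ingestion call. The caller
    sends it with any HTTP client, e.g.
    requests.post(r["url"], headers=r["headers"], data=r["body"])."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Authorization": build_signature(workspace_id, shared_key_b64,
                                         rfc1123_date, len(body)),
        "Log-Type": log_type,                   # lands in the <log_type>_CL table
        "x-ms-date": rfc1123_date,
        "time-generated-field": "TimeGenerated",  # use the record's own timestamp
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{API_RESOURCE}?api-version={API_VERSION}")
    return {"url": url, "headers": headers, "body": body}


def demo() -> dict:
    """Sign one constructed custom-app event with a fixed date (deterministic)."""
    fixed = datetime.datetime(2024, 1, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)
    records = [{"TimeGenerated": "2024-01-01T11:59:58Z",
                "App": "payroll-portal", "Action": "login_failed",
                "User": "alice"}]  # constructed sample record
    return build_request(EXAMPLE_WORKSPACE_ID, EXAMPLE_SHARED_KEY,
                         "CustomApp", records, when=fixed)


if __name__ == "__main__":
    req = demo()
    print(req["url"])
    for k, v in req["headers"].items():
        print(f"{k}: {v}")
```

The shared key grants write access to the whole workspace, so it belongs in a secret store (for example Azure Key Vault) rather than in application config, and it should be rotated from the workspace's Agents page if it is ever exposed. Microsoft now steers new integrations to the Logs Ingestion API with data collection rules; the example follows the HTTP Data Collector API because that is the interface named in the proposed design.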
14. Service continuity and fault recovery
• Because Microsoft operates the underlying infrastructure, Microsoft Sentinel can be considered SaaS (Software as a Service), meaning that High Availability and Failover capabilities are provided by Microsoft.
• Replicating data from a primary Log Analytics Workspace to a secondary workspace hosted in another region is not supported; however, the following methodology can be used to achieve this target.
1. Set up a secondary Log Analytics Workspace in another region.
2. Use Azure Blob Storage with Geo-Redundant Storage (GRS): Azure automatically fails over to the secondary region, ensuring data availability.
3. If the Syslog server is non-Azure, configure data sources to forward logs to both primary and secondary syslog servers; the secondary syslog servers will forward logs to the secondary LA workspace hosted in another region.
There is another approach:
• Export Data: Set up export rules in the source Log Analytics workspace to export the data. You can export data to
various destinations, such as Azure Storage, Event Hubs, or a custom API.
• Transfer Data: You may need to use Azure services or custom scripts to move the exported data to the target
region. For example, you can use Azure Data Factory or Azure Logic Apps to move data to another region.
• Import Data: In the target region, set up import processes to bring the data into the destination Log Analytics
workspace. You may need to use custom scripts or Azure functions for this purpose.
• Please note that this approach can be complex and may have implications for data retention, compliance, and
costs.
15. Project Plan
Project KickOff
  Deliverables: Kick Off
  Acceptance Criteria: Kick Off Meeting
Planning, Design and Pre-Deployment (Phase – 1)
  Activities: Technical Discussion & Requirement Gathering; Technical Discussion; Hardware Prerequisites; Network Prerequisites
  Deliverables: Deployment Plan Document
  Acceptance Criteria: Requirement Gathering Completed
Deployment (Phase – 2)
  Activities: Implementation of Log Analytics Workspace; Implementation of Microsoft Sentinel; Setting up RBAC, Log Retention & Archiving
  Deliverables: Microsoft Sentinel Implementation
  Acceptance Criteria: Microsoft Sentinel Configured & Data Retention & Archiving is set
16. Project Plan
Log Source Integrations (Phase – 3)
  Activities: Setting & Configuring Syslog Servers & Log Analytics Gateway; Providing SOPs for configuring devices; Integration of devices & validation of logs; Custom Parsing
  Deliverables: Direct & Indirect Log Sources Integration
  Acceptance Criteria: Log Sources Integrated and Logs are parsed
Monitoring Configurations (Phase – 4)
  Activities: Use Cases Implementation; Use Cases Fine Tuning; Creation of Dashboards & Reports; Setting up Workbooks
  Deliverables: Use Cases implemented; Dashboards/Workbooks and Reports implemented
  Acceptance Criteria: Use Cases, Dashboards & Reports Implemented and validated
17. Project Plan
Automation (Phase – 5)
  Activities: Setting & Configuring Logic Apps (Playbooks); Configuring HTTP API collectors; Configuring Logic Apps with Outlook; Configuring Health Report on Logic Apps
  Deliverables: Automation of Incidents, IP Reputation, Defender alerts and IP blocking on Azure Firewall
  Acceptance Criteria: Automation Completed and Verified
Review & Validation (Phase – 6)
  Activities: Review of Configuration, Use Cases, Playbooks; Documentation review and finalization; Dashboards & Report Validation; Knowledge Transfer; Project Sign-off
  Deliverables: Use Cases, Playbooks, Dashboards and Reports validated and reviewed; Documentation for Design, Installation, Configuration, User & Maintenance Guide & SOPs for Integration validated and reviewed
  Acceptance Criteria: Documents and Knowledge Transfer completed, Customer Satisfaction