Microsoft Sentinel Deployment

Scope of Work
• Integration with components such as:
  • Virtual and physical servers (Windows & Linux)
  • Cloud servers
  • Switches
  • WiFi controllers
  • WAN accelerators
  • Firewalls
  • Security solutions
  • Storage arrays
  • AD
  • Exchange messaging
  • SharePoint web servers
  • SAP servers and databases
• Microsoft Sentinel implementation
• Event analysis: Use Cases & Hunting Queries
• Automation of incident response: incident identification & handling, alert and remediation management, workflows and tasks for response processes.
• Global visibility of IT security: Dashboards & Reports Creation
• Log Retention & Archiving
• Log Integrity & Data Confidentiality
• Service Continuity & Fault Tolerance
• Integration with 3rd Party Services and APIs & Connectors Availability
• Documentation (Design, Installation, Configuration, User & Maintenance Guide, Monitoring reports)
Microsoft Sentinel
Optimize security operations with cloud-native SIEM + SOAR powered by AI and automation
• Harness the scale of the cloud
• Detect evolving threats
• Expedite incident response
• Get ahead of attackers
Microsoft Sentinel Architecture
Microsoft Sentinel Core Capabilities (diagram)
• Collect: Data Connectors
• Monitor and Detect:
  • Visibility: Workbooks, Watchlists
  • Hunting: Hunting Queries, Notebooks
  • Analytics: Analytic Rules (Scheduled, NRT, Fusion, Anomalies)
  • Intelligence: TI Enrichment
• Investigate: Incidents (Incident Management and Investigations)
• Respond: Automation (Remediation, Playbooks and Automation Rules)
Proposed Design (diagram: log sources and their ingestion paths into Microsoft Sentinel)
• VMs (Linux & Windows) servers → via Log Analytics Gateway (HA) → Microsoft Sentinel
• VMs (Linux & Windows) servers → directly → Microsoft Sentinel
• Network Devices & Security Solutions → Syslog Server (HA) → Microsoft Sentinel
• Custom Apps supporting Syslog → Syslog Server (HA) → Microsoft Sentinel
• Resources supporting API → HTTP Data Collector API → Microsoft Sentinel
Server count: Syslog Servers: 08; Log Analytics Gateway Server: 02
Benefits of Design
• Minimum Risk
• Low resource consumption
• The number of Syslog servers and Gateway servers could also be reduced, but due to bandwidth limitations we can't reduce it further.
Pre-Deployment Steps
• This section introduces the activities and prerequisites that need to be planned before deploying Microsoft Sentinel.
Steps and Details
1. Plan & Prepare: overview and prerequisites; review and set up the Azure tenant prerequisites.
2. Plan Workspace Architecture: reviewing and implementing the Log Analytics Workspace, Microsoft Sentinel, data retention & archiving.
3. Prioritize Data Connectors: prioritizing integration of data sources.
4. Plan Roles and Permissions: setting up Azure RBAC for the security team.
5. Plan Costs: using the Pay-as-you-Go pricing tier.
Azure tenant Prerequisites
• A Microsoft Entra ID license and tenant, or an individual account with a valid payment method, are required to access Azure and deploy resources.
• Once a tenant exists, an Azure subscription is required to track resource creation and billing.
• An admin or higher from the Microsoft Entra tenant will be designated as the owner/contributor for the subscription.
• A Log Analytics workspace is required to house all of the data that Microsoft Sentinel will be ingesting and using for its detections, analytics, and other features.
• A resource group will be created that is dedicated to Microsoft Sentinel and the resources that Microsoft Sentinel uses, including the Log Analytics workspace, any playbooks, workbooks, and so on.
• Sentinel doesn't provide built-in archiving; for archiving, Azure Storage will be used and the archiving process will be automated using Logic Apps.
Permissions
Type | Role Name | Description
Azure Access Requirements | Owner | Configuring Azure RBAC, Log Analytics Workspace, Microsoft Sentinel & Azure Storage Account
Windows Server (Azure & Non-Azure) | Temporary Admin | Developing & configuring Log Analytics Gateway and installation of AMA agents
Syslog Server | Root Access | Developing & configuring Syslog Server and installation of AMA agents for security & network device logs
VPN | User VPN access | For configuration, tuning and troubleshooting
Assets Prerequisites: Syslog Servers x 8 (including HA)
Asset Type | Requirement
CPU & RAM | Minimum of 4 CPU cores and *16 GB RAM
Operating Systems | 1. CentOS 8 including minor versions (64-bit/32-bit) (Recommended); 2. Red Hat Enterprise Linux (RHEL) Server 8 (64-bit/32-bit); 3. Debian GNU/Linux 8 and 9 (64-bit/32-bit); 4. Ubuntu Linux 20.04 LTS (64-bit only)
Storage | 1 TB for Primary Syslog Server; 500 GB for Secondary Syslog Server
Daemon versions | Rsyslog version 8
Packages | Python 3
Network Requirements | Outbound connection over port 443 to the following domains: *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, *.blob.core.windows.net, *.azure-automation.net
Assets Prerequisites: Log Analytics Gateway x 2 (including HA)
Asset Type | Requirement
CPU & RAM | Minimum of 4 CPU cores and *16 GB RAM
Operating Systems | 1. Windows Server 2022 (64-bit); 2. Windows Server 2019 (64-bit); 3. Windows Server 2016 (64-bit)
Storage | 500 GB for Primary Server; 256 GB for Secondary Server
Application/Framework | Microsoft .NET Framework 4.5
Network Requirements | Outbound connection over port 443 to the following domains: *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, *.blob.core.windows.net, *.azure-automation.net
Log Retention & Archiving
• A retention policy of 6 months can be set in the Azure Portal, and it can be applied to each data source's table (SecurityEvents, AzureActivity, OfficeActivity and custom tables).
• Sentinel doesn't provide built-in archiving; for archiving, Azure Storage will be used and the archiving process will be automated using Logic Apps.
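The 6-month retention policy above can also be applied per table from the Azure CLI rather than clicking through the portal, which makes the setting reviewable and repeatable. The script below is an added example written for this page; it is not part of the deck or of any Microsoft tooling. The resource group and workspace names are placeholders, MyApp_CL is a constructed custom-table name, and DRY_RUN=1 (the default) prints the az commands instead of executing them so the plan can be reviewed first. Note that the workspace table receiving Windows security events is named SecurityEvent (singular).

```shell
#!/bin/sh
# Added example (not from the deployment deck): apply a 180-day (6-month) retention to
# each Sentinel-fed Log Analytics table with the Azure CLI, then read it back.
# Assumptions: RESOURCE_GROUP / WORKSPACE are placeholders; MyApp_CL is a constructed
# custom-table name.  DRY_RUN=1 only prints the az commands.

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-sentinel-placeholder}"
WORKSPACE="${WORKSPACE:-law-sentinel-placeholder}"
RETENTION_DAYS="${RETENTION_DAYS:-180}"
DRY_RUN="${DRY_RUN:-1}"

# Tables the policy is applied to (constructed list; extend it for every connector you enable).
retention_tables() {
    printf '%s\n' SecurityEvent AzureActivity OfficeActivity MyApp_CL
}

# Run az, or print the command line when DRY_RUN=1 so the change can be reviewed first.
run_az() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'az %s\n' "$*"
    else
        az "$@"
    fi
}

# Set the interactive (workspace) retention of one table; --retention-time is in days.
set_table_retention() {
    table="$1"
    run_az monitor log-analytics workspace table update \
        --resource-group "$RESOURCE_GROUP" \
        --workspace-name "$WORKSPACE" \
        --name "$table" \
        --retention-time "$RETENTION_DAYS"
}

# Apply the policy to every table in the list, one az call per table.
apply_retention() {
    retention_tables | while read -r table; do
        set_table_retention "$table"
    done
}

# Read back the configured retention of one table (in dry-run mode, print the query).
show_table_retention() {
    run_az monitor log-analytics workspace table show \
        --resource-group "$RESOURCE_GROUP" \
        --workspace-name "$WORKSPACE" \
        --name "$1" \
        --query retentionInDays -o tsv
}

apply_retention
```

Run it once with DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 after `az login`; `show_table_retention SecurityEvent` confirms the value that is actually in effect.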
Log Integrity
• Use Secure Data Storage: Store logs in a secure and tamper-resistant data storage solution. Azure Storage, particularly Azure Blob Storage, is a suitable choice for storing log data.
• Encryption at Rest: Enable encryption at rest for the storage account where logs are stored. Azure Blob Storage supports encryption to protect data while it's stored on disk.
• Access Controls: Implement strong access controls and permissions on the log storage container and account. Use Azure Active Directory (Azure AD) to manage access and ensure that only authorized personnel can read or modify logs.
Data Confidentiality
• Transport Layer Security (TLS) Encryption, Syslog over TLS: When sending logs using Syslog, configure your data sources to use TLS encryption.
• HTTPS (Secure Web Services): When sending data from applications or services to Microsoft Sentinel, use HTTPS to encrypt data in transit. Sentinel supports HTTPS for data ingestion from various sources.
• Role-Based Access Control (RBAC): Implement RBAC in Azure Sentinel to control access to data. Ensure that only authorized personnel have access to log data and encryption keys. RBAC helps you enforce the principle of least privilege.
• Encryption in Azure Sentinel Connectors: Some Azure Sentinel connectors allow you to specify encryption settings during configuration. For instance, when setting up Microsoft 365 data connectors, you can enable encryption for data in transit and at rest.
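The Syslog-over-TLS point above is the one piece of this design that the project team configures itself rather than inheriting from Azure: the network devices, security solutions and custom apps send to the Rsyslog 8 servers in the Proposed Design, and each of those servers is deployed as an HA pair. The script below is an added example written for this page, not the deck's or the rsyslog project's own code. It generates the client-side forwarding configuration (one TLS action per server of the HA pair, each with its own disk-assisted queue so that an outage of one server neither blocks nor drops events) and the server-side listener configuration. The hostnames, certificate paths, permitted-peer pattern and output directory are placeholder assumptions; the certificates are assumed to be issued by an internal CA you operate. It uses rsyslog's gtls network stream driver with x509/name authentication, so each side verifies the other's certificate and name.

```shell
#!/bin/sh
# Added example (not from the deployment deck): generate rsyslog 8 configuration for
# forwarding syslog over TLS (port 6514) to both servers of an HA syslog pair, plus the
# TLS listener configuration for those servers.  Hostnames, certificate paths, the peer
# pattern and OUT_DIR are placeholders; use /etc/rsyslog.d on the real hosts.

PRIMARY="${PRIMARY:-syslog-primary.example.internal}"
SECONDARY="${SECONDARY:-syslog-secondary.example.internal}"
PEER_PATTERN="${PEER_PATTERN:-*.example.internal}"   # names the servers accept clients from
CERT_DIR="${CERT_DIR:-/etc/rsyslog.d/certs}"
OUT_DIR="${OUT_DIR:-./rsyslog-generated}"

# Client side: one omfwd action per server.  StreamDriverAuthMode="x509/name" makes the
# client verify the server certificate chain AND its name; the per-action disk-assisted
# queue buffers events while that server is unreachable and retries indefinitely.
write_client_config() {
    out="$1"
    cat > "$out" <<EOF
# Generated: forward syslog over TLS to the HA syslog pair
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="$CERT_DIR/ca.pem"
  DefaultNetstreamDriverCertFile="$CERT_DIR/client-cert.pem"
  DefaultNetstreamDriverKeyFile="$CERT_DIR/client-key.pem"
)
EOF
    for target in "$PRIMARY" "$SECONDARY"; do
        # queue file names must be unique per action; derive one from the hostname
        qname=$(printf '%s' "$target" | sed 's/[^A-Za-z0-9]/_/g')
        cat >> "$out" <<EOF
action(type="omfwd" target="$target" port="6514" protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="$target"
       queue.type="LinkedList" queue.filename="fwd_$qname" queue.saveOnShutdown="on"
       queue.maxDiskSpace="1g" action.resumeRetryCount="-1")
EOF
    done
}

# Server side: imtcp with the gtls driver; only clients whose certificate chains to our
# CA and whose name matches PEER_PATTERN are accepted, so rogue senders cannot inject logs.
write_server_config() {
    out="$1"
    cat > "$out" <<EOF
# Generated: TLS syslog listener for the HA syslog servers
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="$CERT_DIR/ca.pem"
  DefaultNetstreamDriverCertFile="$CERT_DIR/server-cert.pem"
  DefaultNetstreamDriverKeyFile="$CERT_DIR/server-key.pem"
)
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name" PermittedPeer=["$PEER_PATTERN"])
input(type="imtcp" port="6514")
EOF
}

# Number of forward actions in a generated client config (sanity check: one per server).
count_forward_actions() {
    grep -c 'type="omfwd"' "$1"
}

# Syntax-check a generated file with rsyslogd where it is installed.
validate_config() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not installed here; on the target host run: rsyslogd -N1 -f $1" >&2
    fi
}

generate_all() {
    mkdir -p "$OUT_DIR"
    write_client_config "$OUT_DIR/10-forward-tls.conf"
    write_server_config "$OUT_DIR/10-listen-tls.conf"
}

generate_all
```

Deploy the client file on each source that runs rsyslog and the server file on both syslog servers, restart rsyslogd, and confirm with `ss -tlnp` that only 6514 (not the plaintext 514) is listening; the AMA agents on the syslog servers then carry the events on to Sentinel over HTTPS as the deck describes.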
Service continuity and fault recovery
• Since there is no infrastructure to operate for this, Microsoft Sentinel can be considered a SaaS (Software as a Service) offering, meaning that the High Availability and Failover capabilities are provided by Microsoft.
• Replicating data from a primary Log Analytics Workspace to a secondary workspace hosted in another region is not supported; however, the following methodology can be used to achieve this target:
1. Set up a secondary Log Analytics Workspace in another region.
2. Use Azure Blob Storage with Geo-Redundant Storage (GRS): Azure automatically fails over to the secondary region, ensuring data availability.
3. If the Syslog server is non-Azure, configure data sources to forward logs to both primary and secondary Syslog servers; the secondary Syslog servers will forward logs to the secondary LA workspace hosted in the other region.
There is another approach:
• Export Data: Set up export rules in the source Log Analytics workspace to export the data. Data can be exported to various destinations, such as Azure Storage, Event Hubs, or a custom API.
• Transfer Data: Azure services or custom scripts may be needed to move the exported data to the target region; for example, Azure Data Factory or Azure Logic Apps can move data to another region.
• Import Data: In the target region, set up import processes to bring the data into the destination Log Analytics workspace; custom scripts or Azure Functions may be needed for this purpose.
• Please note that this approach can be complex and may have implications for data retention, compliance, and costs.
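Two of the building blocks above, the geo-redundant storage account (step 2) and the export rule of the second approach, can be created with the Azure CLI. The script below is an added example written for this page, not the deck's or Microsoft's own code. It creates a GRS storage account hardened in line with the Log Integrity points earlier on the page (HTTPS only, TLS 1.2 minimum, anonymous blob access disabled; encryption at rest is on by default for Azure Storage), then creates a Log Analytics data export rule that continuously copies the listed tables into it, and finally reads the rule back. Subscription, resource group, workspace, storage account and region names are placeholders, the table list is constructed, and DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the deployment deck): Azure CLI steps for the continuity design:
# (1) a geo-redundant (GRS) storage account with HTTPS-only, TLS 1.2 and no public blob
# access, (2) a data export rule copying selected workspace tables into it continuously,
# (3) a read-back of the rule.  All names are placeholders; DRY_RUN=1 prints commands only.

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-sentinel-placeholder}"
WORKSPACE="${WORKSPACE:-law-sentinel-placeholder}"
LOCATION="${LOCATION:-westeurope}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stsentinelexportplacehold}"   # 3-24 lowercase alphanumerics
EXPORT_RULE="${EXPORT_RULE:-export-to-grs}"
DRY_RUN="${DRY_RUN:-1}"

# Tables to export (constructed list; use only tables that Log Analytics data export supports).
export_tables() {
    printf '%s\n' SecurityEvent AzureActivity
}

# Run az, or print the command line when DRY_RUN=1.
run_az() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'az %s\n' "$*"
    else
        az "$@"
    fi
}

# (1) GRS storage account: Azure keeps a replica in the paired region.  The transport and
# access settings stop the archive copy from being weaker than the workspace it mirrors.
create_grs_storage() {
    run_az storage account create \
        --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP" --location "$LOCATION" \
        --kind StorageV2 --sku Standard_GRS \
        --https-only true --min-tls-version TLS1_2 --allow-blob-public-access false
}

# Resource id of the storage account; a placeholder id while dry-running.
storage_account_id() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s\n' \
            "$RESOURCE_GROUP" "$STORAGE_ACCOUNT"
    else
        az storage account show --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP" \
            --query id -o tsv
    fi
}

# (2) Export rule: every record written to the listed tables is also written to the
# storage account, so a copy exists outside the workspace's own region.
create_export_rule() {
    tables=$(export_tables | tr '\n' ' ')
    # $tables is intentionally unquoted so each table becomes its own argument
    run_az monitor log-analytics workspace data-export create \
        --resource-group "$RESOURCE_GROUP" --workspace-name "$WORKSPACE" \
        --name "$EXPORT_RULE" --destination "$(storage_account_id)" --tables $tables
}

# (3) Confirm the rule exists and is enabled.
show_export_rule() {
    run_az monitor log-analytics workspace data-export show \
        --resource-group "$RESOURCE_GROUP" --workspace-name "$WORKSPACE" --name "$EXPORT_RULE"
}

create_grs_storage
create_export_rule
show_export_rule
```

The exported blobs land in per-table containers in the storage account; the "Transfer" and "Import" steps of the second approach then operate on those blobs, and the same storage account can serve as the Azure Storage archive target that the retention section describes.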
Project Plan (Activities, Deliverables, Acceptance Criteria per phase)

Project KickOff
• Deliverables: Kick Off
• Acceptance Criteria: Kick Off Meeting

Planning, Design and Pre-Deployment (Phase 1)
• Activities: Technical Discussion & Requirement Gathering; Technical Discussion; Hardware Prerequisites; Network Prerequisites
• Deliverables: Deployment Plan Document
• Acceptance Criteria: Requirement Gathering Completed

Deployment (Phase 2)
• Activities: Implementation of Log Analytics Workspace; Implementation of Microsoft Sentinel; Setting up RBAC, Log Retention & Archiving
• Deliverables: Microsoft Sentinel Implementation
• Acceptance Criteria: Microsoft Sentinel Configured & Data Retention & Archiving is set

Log Source Integrations (Phase 3)
• Activities: Setting & Configuring Syslog Servers & Log Analytics Gateway; Providing SOPs for configuring devices; Integration of devices & validation of logs; Custom Parsing
• Deliverables: Direct & Indirect Log Sources Integration
• Acceptance Criteria: Log Sources Integrated and Logs are parsed

Monitoring Configurations (Phase 4)
• Activities: Use Cases Implementation; Use Cases Fine Tuning; Creation of Dashboards & Reports; Setting up Workbooks
• Deliverables: Use Cases implemented; Dashboards/Workbooks and Reports implemented
• Acceptance Criteria: Use Cases, Dashboards & Reports Implemented and validated

Automation (Phase 5)
• Activities: Setting & Configuring Logic Apps (Playbooks); Configuring HTTP API collectors; Configuring Logic Apps with Outlook; Configuring Health Report on Logic Apps
• Deliverables: Automation of Incidents, IP Reputation, Defender alerts and IP blocking on Azure Firewall
• Acceptance Criteria: Automation Completed and Verified

Review & Validation (Phase 6)
• Activities: Review of Configuration, Use Cases, Playbooks; Documentation review and finalization; Dashboards & Report Validation; Knowledge Transfer; Project Sign-off
• Deliverables: Use Cases, Playbooks, Dashboards and Reports validated and reviewed; Documentation for Design, Installation, Configuration, User & Maintenance Guide & SOPs for Integration validated and reviewed
• Acceptance Criteria: Documents and Knowledge Transfer completed, Customer Satisfaction
Gantt Chart

More Related Content

Similar to Microsoft Sentinel Deployment V1.pptx

SCCM on Microsoft Azure
SCCM on Microsoft AzureSCCM on Microsoft Azure
SCCM on Microsoft AzureMohamed Tawfik
 
Microsoft Azure News - Oct 2016
Microsoft Azure News - Oct 2016Microsoft Azure News - Oct 2016
Microsoft Azure News - Oct 2016Daniel Toomey
 
KoprowskiT_SQLSat419_WADBforBeginners
KoprowskiT_SQLSat419_WADBforBeginnersKoprowskiT_SQLSat419_WADBforBeginners
KoprowskiT_SQLSat419_WADBforBeginnersTobias Koprowski
 
Kåre Rude Andersen - Create a scombot – automate and monitor azure
Kåre Rude Andersen - Create a scombot – automate and monitor azureKåre Rude Andersen - Create a scombot – automate and monitor azure
Kåre Rude Andersen - Create a scombot – automate and monitor azureNordic Infrastructure Conference
 
Service quality monitoring system architecture
Service quality monitoring system architectureService quality monitoring system architecture
Service quality monitoring system architectureMatsuo Sawahashi
 
Feature drift monitoring as a service for machine learning models at scale
Feature drift monitoring as a service for machine learning models at scaleFeature drift monitoring as a service for machine learning models at scale
Feature drift monitoring as a service for machine learning models at scaleNoriaki Tatsumi
 
ME_Snowflake_Introduction_for new students.pptx
ME_Snowflake_Introduction_for new students.pptxME_Snowflake_Introduction_for new students.pptx
ME_Snowflake_Introduction_for new students.pptxSamuel168738
 
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdfData & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdfChris Bingham
 
Deep Dive - Usage of on premises data gateway for hybrid integration scenarios
Deep Dive - Usage of on premises data gateway for hybrid integration scenariosDeep Dive - Usage of on premises data gateway for hybrid integration scenarios
Deep Dive - Usage of on premises data gateway for hybrid integration scenariosSajith C P Nair
 
Tokyo Azure Meetup #4 - Build 2016 Overview
Tokyo Azure Meetup #4 -  Build 2016 OverviewTokyo Azure Meetup #4 -  Build 2016 Overview
Tokyo Azure Meetup #4 - Build 2016 OverviewTokyo Azure Meetup
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureDevSecCon
 
Bquery Reporting & Analytics Architecture
Bquery Reporting & Analytics ArchitectureBquery Reporting & Analytics Architecture
Bquery Reporting & Analytics ArchitectureCarst Vaartjes
 
Enter The Matrix Securing Azure’s Assets
Enter The Matrix Securing Azure’s AssetsEnter The Matrix Securing Azure’s Assets
Enter The Matrix Securing Azure’s AssetsBizTalk360
 
Azure satpn19 time series analytics with azure adx
Azure satpn19   time series analytics with azure adxAzure satpn19   time series analytics with azure adx
Azure satpn19 time series analytics with azure adxRiccardo Zamana
 
KoprowskiT_session1_SDNEvent_WASDforBeginners
KoprowskiT_session1_SDNEvent_WASDforBeginnersKoprowskiT_session1_SDNEvent_WASDforBeginners
KoprowskiT_session1_SDNEvent_WASDforBeginnersTobias Koprowski
 
Innovation morning agenda+azure arc
Innovation morning agenda+azure arcInnovation morning agenda+azure arc
Innovation morning agenda+azure arcClaudia Angelelli
 

Similar to Microsoft Sentinel Deployment V1.pptx (20)

SCCM on Microsoft Azure
SCCM on Microsoft AzureSCCM on Microsoft Azure
SCCM on Microsoft Azure
 
Azure sentinel
Azure sentinelAzure sentinel
Azure sentinel
 
Microsoft Azure News - Oct 2016
Microsoft Azure News - Oct 2016Microsoft Azure News - Oct 2016
Microsoft Azure News - Oct 2016
 
KoprowskiT_SQLSat419_WADBforBeginners
KoprowskiT_SQLSat419_WADBforBeginnersKoprowskiT_SQLSat419_WADBforBeginners
KoprowskiT_SQLSat419_WADBforBeginners
 
Kåre Rude Andersen - Create a scombot – automate and monitor azure
Kåre Rude Andersen - Create a scombot – automate and monitor azureKåre Rude Andersen - Create a scombot – automate and monitor azure
Kåre Rude Andersen - Create a scombot – automate and monitor azure
 
Service quality monitoring system architecture
Service quality monitoring system architectureService quality monitoring system architecture
Service quality monitoring system architecture
 
Feature drift monitoring as a service for machine learning models at scale
Feature drift monitoring as a service for machine learning models at scaleFeature drift monitoring as a service for machine learning models at scale
Feature drift monitoring as a service for machine learning models at scale
 
ME_Snowflake_Introduction_for new students.pptx
ME_Snowflake_Introduction_for new students.pptxME_Snowflake_Introduction_for new students.pptx
ME_Snowflake_Introduction_for new students.pptx
 
Azure serverless computing
Azure serverless computingAzure serverless computing
Azure serverless computing
 
Azure 101
Azure 101Azure 101
Azure 101
 
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdfData & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
 
Deep Dive - Usage of on premises data gateway for hybrid integration scenarios
Deep Dive - Usage of on premises data gateway for hybrid integration scenariosDeep Dive - Usage of on premises data gateway for hybrid integration scenarios
Deep Dive - Usage of on premises data gateway for hybrid integration scenarios
 
Tokyo Azure Meetup #4 - Build 2016 Overview
Tokyo Azure Meetup #4 -  Build 2016 OverviewTokyo Azure Meetup #4 -  Build 2016 Overview
Tokyo Azure Meetup #4 - Build 2016 Overview
 
Top 10 IaaS Highlights for Developers
Top 10 IaaS Highlights for DevelopersTop 10 IaaS Highlights for Developers
Top 10 IaaS Highlights for Developers
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azure
 
Bquery Reporting & Analytics Architecture
Bquery Reporting & Analytics ArchitectureBquery Reporting & Analytics Architecture
Bquery Reporting & Analytics Architecture
 
Enter The Matrix Securing Azure’s Assets
Enter The Matrix Securing Azure’s AssetsEnter The Matrix Securing Azure’s Assets
Enter The Matrix Securing Azure’s Assets
 
Azure satpn19 time series analytics with azure adx
Azure satpn19   time series analytics with azure adxAzure satpn19   time series analytics with azure adx
Azure satpn19 time series analytics with azure adx
 
KoprowskiT_session1_SDNEvent_WASDforBeginners
KoprowskiT_session1_SDNEvent_WASDforBeginnersKoprowskiT_session1_SDNEvent_WASDforBeginners
KoprowskiT_session1_SDNEvent_WASDforBeginners
 
Innovation morning agenda+azure arc
Innovation morning agenda+azure arcInnovation morning agenda+azure arc
Innovation morning agenda+azure arc
 

Recently uploaded

Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineeringmalavadedarshan25
 
Analog to Digital and Digital to Analog Converter
Analog to Digital and Digital to Analog ConverterAnalog to Digital and Digital to Analog Converter
Analog to Digital and Digital to Analog ConverterAbhinavSharma374939
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxwendy cai
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxDeepakSakkari2
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...RajaP95
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 

Recently uploaded (20)

Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineering
 
Analog to Digital and Digital to Analog Converter
Analog to Digital and Digital to Analog ConverterAnalog to Digital and Digital to Analog Converter
Analog to Digital and Digital to Analog Converter
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptx
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 

Microsoft Sentinel Deployment V1.pptx

  • 2. Scope of Work • Integration with components such as: • Virtual and physical servers (Windows & Linux) • Cloud servers • Switches • WiFi controllers • WAN accelerators • Firewalls • Security solutions • Storage arrays • AD • Exchange messaging • SharePoint web servers • SAP servers and databases • Microsoft Sentinel implementation • Event analysis: Use Cases & Hunting Queries • Automation of incident response: Incident identification & handling, alert and remediation management, workflows and tasks for response processes. • Global visibility of IT security: Dashboards & Reports Creation • Log Retention & Archiving • Log Integrity & Data Confidentiality • Service Continuity & Fault Tolerance • Integration with 3rd Party Services and APIs & Connectors Availability • Documentation (Design, Installation, Configuration, User & Maintenance Guide, Monitoring reports)
  • 3. Microsoft Sentinel Optimize security operations with cloud-native SIEM + SOAR powered by AI and automation Harness the scale of the cloud Detect evolving threats Expedite incident response Get ahead of attackers
  • 5. Microsoft Sentinel Core Capabilities Monitor and Detect Collect Visibility Data Workbooks Watchlists Hunting Queries Notebooks Analytic Rules: Scheduled NRT Fusion Anomalies Data Connectors Intelligence TI Enrichment Incidents Incident Management and Investigations Investigate Automation Respond Remediation Playbooks And Automation Rules Analytics Hunting
  • 6. VMs (Linux & Windows) servers Via Gateway MS Sentinel HTTP Data Collector API Log Analytics Gateway (HA) Syslog Server (HA) Proposed Design Syslog Servers Log Analytics Gateway Server 08 02 Benefits of Design • Minimum Risk • Low resource consumption • Syslog servers and Gateway server could also be reduced but due to bandwidth limitations we can’t reduce it further. Syslog Server (HA) Network Devices & Security Solutions Resources support API Custom Apps supporting Syslog Syslog Server (HA) VMs (Linux & Windows) servers directly
  • 7. Pre - Deployment Steps • This section introduces the activities and prerequisites that needs to be planned before deploying Microsoft Sentinel. Steps Details 1. Plan & Prepare overview and Prerequisites Review & Set up the Azure tenant prerequisites. 2. Plan Workspace Architecture Reviewing and Implementing Log Analytics Workspace, Microsoft Sentinel, Data Retention & Archiving 3. Prioritize Data Connectors Prioritizing Integration of Data Sources 4. Plan Roles and Permissions Setting up Azure RBAC for Security Team 5. Plan Costs Using Pay-as-you-Go Pricing Tier.
  • 8. Azure tenant Prerequisites • A Microsoft Entra ID license and tenant, or an individual account with a valid payment method, are required to access Azure and deploy resources. • After having a tenant, an Azure subscription is required to track resource creation and billing • An admin or higher from the Microsoft Entra tenant will be designated as the owner/contributor for the subscription. • A Log Analytics workspace is required to house all of the data that Microsoft Sentinel will be ingesting and using for its detections, analytics, and other features. • A resource group will be created that will be dedicated to Microsoft Sentinel and the resources that Microsoft Sentinel uses, including the Log Analytics workspace, any playbooks, workbooks, and so on. • Sentinel doesn’t provide Built-In archiving, for archiving, Azure Storage will be used and archiving process will be automated using Logic Apps.
  • 9. Permissions Type Role Name Description Azure Access Requirements Owner Configuring Azure RBAC, Log Analytics Workspace, Microsoft Sentinel & Azure Storage Account Windows Server (Azure & Non-Azure) Temporary Admin Developing & Configuring Log Analytics Gateway and Installation of AMA Agents Syslog Server Root Access Developing & Configuring Syslog Server and Installation of AMA Agents for Security & Network Devices Logs VPN User VPN access For configuration, tuning and troubleshooting
  • 10. Assets Prerequisites Asset Type Requirement Syslog Servers x 8 (Including HA) CPU & RAM Minimum of 4 CPU cores and *16 GB RAM Operating Systems 1. CentOS 8 including minor versions (64-bit/32-bit) (Recommended) 2. Red Hat Enterprise Linux (RHEL) Server 8 (64-bit/32-bit) 3. Debian GNU/Linux 8 and 9 (64-bit/32-bit) 4. Ubuntu Linux 20.04 LTS (64-bit only) Storage 1 TB for Primary Syslog Server 500 GB for Secondary Syslog Server Daemon versions Rsyslog version 8 Packages Python 3 Network Requirements Outbound connection over Port 443 on following domains: *.ods.opinsights.azure.com *.oms.opinsights.azure.com *.blob.core.windows.net *.azure-automation.net
  • 11. Assets prerequisites: Log Analytics Gateway x 2 (including HA)
    • CPU & RAM: minimum of 4 CPU cores and *16 GB RAM
    • Operating systems:
      1. Windows Server 2022 (64-bit)
      2. Windows Server 2019 (64-bit)
      3. Windows Server 2016 (64-bit)
    • Storage: 500 GB for the primary server; 256 GB for the secondary server
    • Application/framework: Microsoft .NET Framework 4.5
    • Network requirements: outbound connection over port 443 to the following domains:
      *.ods.opinsights.azure.com
      *.oms.opinsights.azure.com
      *.blob.core.windows.net
      *.azure-automation.net
  • 12. Log Retention & Archiving
    • A retention policy of 6 months can be set in the Azure Portal and applied to each data source table (SecurityEvents, AzureActivity, OfficeActivity and custom tables).
    • Sentinel doesn't provide built-in archiving; Azure Storage will be used for archiving, and the archiving process will be automated using Logic Apps.
  Log Integrity
    • Use secure data storage: store logs in a secure and tamper-resistant data storage solution. Azure Storage, particularly Azure Blob Storage, is a suitable choice for storing log data.
    • Encryption at rest: enable encryption at rest for the storage account where logs are stored. Azure Blob Storage supports encryption to protect data while it's stored on disk.
    • Access controls: implement strong access controls and permissions on the log storage container and account. Use Azure Active Directory (Azure AD) to manage access and ensure that only authorized personnel can read or modify logs.
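As an added example (not part of the original deck), the Azure CLI script below applies the controls listed on this slide: 180-day retention per table, a hardened geo-redundant storage account with a time-based immutability policy for tamper-resistant archives, and read-only RBAC for an analyst group. Resource names, the region and the group object id are placeholders; with DRY_RUN=1 it only prints the commands.

```shell
#!/usr/bin/env bash
# Added example, not from the original deck: 6-month table retention plus tamper-resistant
# archive storage via the Azure CLI. Names are placeholders; DRY_RUN=1 prints the commands.
set -eu

RG="${RG:-rg-sentinel-prod}"                 # placeholder resource group
WORKSPACE="${WORKSPACE:-law-sentinel-prod}"  # placeholder Log Analytics workspace
STORAGE="${STORAGE:-stsentinelarchive01}"    # placeholder storage account name
CONTAINER="${CONTAINER:-sentinel-archive}"
LOCATION="${LOCATION:-westeurope}"
RETENTION_DAYS=180                           # 6 months, as the retention policy above states

run() {
  # Print the command in dry-run mode, otherwise execute it.
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

set_table_retention() {
  # Interactive retention per table. The Log Analytics table for Windows security
  # events is named SecurityEvent (the slide writes "SecurityEvents").
  local table
  for table in "$@"; do
    run az monitor log-analytics workspace table update --resource-group "$RG" \
      --workspace-name "$WORKSPACE" --name "$table" --retention-time "$RETENTION_DAYS"
  done
}

create_archive_storage() {
  # Hardened archive account: HTTPS only, TLS 1.2 minimum, no anonymous blob access,
  # geo-redundant (GRS). Encryption at rest with Microsoft-managed keys is always on.
  run az storage account create --name "$STORAGE" --resource-group "$RG" \
    --location "$LOCATION" --kind StorageV2 --sku Standard_GRS \
    --https-only true --min-tls-version TLS1_2 --allow-blob-public-access false
  run az storage container create --account-name "$STORAGE" --name "$CONTAINER" --auth-mode login
  # Time-based immutability (WORM): archived blobs cannot be modified or deleted for
  # the retention period. Lock the policy once validated; unlocked policies can be edited.
  run az storage container immutability-policy create --resource-group "$RG" \
    --account-name "$STORAGE" --container-name "$CONTAINER" --period "$RETENTION_DAYS"
}

grant_log_readers() {
  # Least privilege: a named Entra ID group gets read-only data-plane access to the
  # archive container; nobody gets write rights through this path.
  local group_object_id="$1"   # assumed: object id of the SOC analysts group
  local scope="/subscriptions/${SUBSCRIPTION_ID:?set SUBSCRIPTION_ID}/resourceGroups/${RG}"
  scope="${scope}/providers/Microsoft.Storage/storageAccounts/${STORAGE}/blobServices/default/containers/${CONTAINER}"
  run az role assignment create --assignee-object-id "$group_object_id" \
    --assignee-principal-type Group --role "Storage Blob Data Reader" --scope "$scope"
}
```

Run the three functions in order after `az login`; the immutability policy should be locked only after the first archive cycle has been verified, since a locked policy cannot be shortened.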
  • 13. Data Confidentiality
    • Transport Layer Security (TLS) encryption:
      • Syslog over TLS: when sending logs using Syslog, configure your data sources to use TLS encryption.
      • HTTPS (secure web services): when sending data from applications or services to Microsoft Sentinel, use HTTPS to encrypt data in transit. Sentinel supports HTTPS for data ingestion from various sources.
    • Role-Based Access Control (RBAC):
      • Implement RBAC in Azure Sentinel to control access to data. Ensure that only authorized personnel have access to log data and encryption keys. RBAC helps you enforce the principle of least privilege.
    • Encryption in Azure Sentinel connectors:
      • Some Azure Sentinel connectors allow you to specify encryption settings during configuration. For instance, when setting up Microsoft 365 data connectors, you can enable encryption for data in transit and at rest.
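The "Syslog over TLS" point above, as an added example that is not from the original deck: two shell functions render rsyslog 8 configuration for the HA syslog servers (receiver) and for a Linux source forwarding to both of them (sender). Port 6514, the certificate paths under /etc/rsyslog.d/tls and the example.internal hostnames are assumptions; certificates come from an internal CA you operate.

```shell
#!/usr/bin/env bash
# Added example, not from the original deck: renders rsyslog 8 configuration for the
# "Syslog over TLS" point above. Port 6514, certificate paths under /etc/rsyslog.d/tls
# and the example.internal hostnames are assumptions (certificates from your own CA).
set -eu

tls_globals() {
  # Shared GnuTLS driver settings (package rsyslog-gnutls); the CA file decides which peers are trusted.
  cat <<'EOF'
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/host.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/host-key.pem"
)
EOF
}

write_receiver_conf() {
  # Syslog server side: TLS-only listener that authenticates each device by the name in
  # its certificate and rejects anything not matching PermittedPeer. Messages land in the
  # default ruleset, where the Azure Monitor Agent's own rsyslog drop-in hands them to the
  # agent for upload over HTTPS, so device logs never cross the network unencrypted.
  local out="$1"   # e.g. /etc/rsyslog.d/10-tls-in.conf
  { tls_globals; cat <<'EOF'
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.netdevices.example.internal", "*.security.example.internal"])
input(type="imtcp" port="6514")
EOF
  } > "$out"
}

write_forwarder_conf() {
  # Sender side (Linux host or app): forward to both HA syslog servers over TLS, verify
  # the server certificate name, and buffer to disk so a server outage loses nothing.
  local out="$1" primary="$2" secondary="$3"
  { tls_globals; cat <<EOF
action(type="omfwd" target="${primary}" port="6514" protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="${primary}" action.resumeRetryCount="-1"
       queue.type="LinkedList" queue.filename="fwd_primary" queue.saveOnShutdown="on")
action(type="omfwd" target="${secondary}" port="6514" protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="${secondary}" action.resumeRetryCount="-1"
       queue.type="LinkedList" queue.filename="fwd_secondary" queue.saveOnShutdown="on")
EOF
  } > "$out"
}
```

Validate a rendered file with `rsyslogd -N1 -f <file>` before restarting the daemon; StreamDriver.Mode="1" refuses plaintext connections, so any device still sending on UDP 514 will show up as dropped.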
  • 14. Service continuity and fault recovery
    • Since there is no infrastructure to operate for this, Microsoft Sentinel can be considered SaaS (Software as a Service), meaning that high availability and failover capabilities are provided by Microsoft.
    • Replicating data from a primary Log Analytics workspace to a secondary workspace hosted in another region is not supported. However, the following methodology can be used to achieve this target:
      1. Set up a secondary Log Analytics workspace in another region.
      2. Use Azure Blob Storage with Geo-Redundant Storage (GRS). Azure automatically fails over to the secondary region, ensuring data availability.
      3. If the syslog server is non-Azure, configure data sources to forward logs to both the primary and the secondary syslog servers; the secondary syslog servers forward logs to the secondary Log Analytics workspace hosted in the other region.
    • There is another approach:
      • Export data: set up export rules in the source Log Analytics workspace to export the data. Data can be exported to various destinations, such as Azure Storage, Event Hubs, or a custom API.
      • Transfer data: Azure services or custom scripts may be needed to move the exported data to the target region, for example Azure Data Factory or Azure Logic Apps.
      • Import data: in the target region, set up import processes to bring the data into the destination Log Analytics workspace. Custom scripts or Azure Functions may be needed for this purpose.
      • Please note that this approach can be complex and may have implications for data retention, compliance, and costs.
  • 15. Project Plan
    • Project kick-off
      • Activities: kick-off
      • Deliverables: kick-off meeting
    • Planning, Design and Pre-Deployment (Phase 1)
      • Activities: technical discussion & requirement gathering; hardware prerequisites; network prerequisites
      • Deliverables: deployment plan document; technical discussion
      • Acceptance criteria: requirement gathering completed
    • Deployment (Phase 2)
      • Activities: implementation of Log Analytics workspace; implementation of Microsoft Sentinel; setting up RBAC, log retention & archiving
      • Deliverables: Microsoft Sentinel implementation
      • Acceptance criteria: Microsoft Sentinel configured, and data retention & archiving set
  • 16. Project Plan
    • Log Source Integrations (Phase 3)
      • Activities: setting up & configuring syslog servers & Log Analytics Gateway; providing SOPs for configuring devices; integration of devices & validation of logs; custom parsing
      • Deliverables: direct & indirect log source integration
      • Acceptance criteria: log sources integrated and logs parsed
    • Monitoring Configurations (Phase 4)
      • Activities: use case implementation; use case fine-tuning; creation of dashboards & reports; setting up workbooks
      • Deliverables: use cases implemented; dashboards/workbooks and reports implemented
      • Acceptance criteria: use cases, dashboards & reports implemented and validated
  • 17. Project Plan
    • Automation (Phase 5)
      • Activities: setting up & configuring Logic Apps (playbooks); configuring HTTP API collectors; configuring Logic Apps with Outlook; configuring the health report on Logic Apps
      • Deliverables: automation of incidents, IP reputation, Defender alerts and IP blocking on Azure Firewall
      • Acceptance criteria: automation completed and verified
    • Review & Validation (Phase 6)
      • Activities: review of configuration, use cases and playbooks; documentation review and finalization; dashboard & report validation; knowledge transfer; project sign-off
      • Deliverables: use cases, playbooks, dashboards and reports validated and reviewed; documentation for design, installation, configuration, user & maintenance guide and SOPs for integration validated and reviewed
      • Acceptance criteria: documents and knowledge transfer completed; customer satisfaction