Microsoft Sentinel Deployment Best Practices - 2nd Edition

BlueVoyant and Microsoft Security collaborated to produce the first edition of Azure Sentinel Deployment Best Practices in July 2021 to provide enterprise and public sector organizations with a practical field guide to deploying Microsoft’s then-new cloud SIEM platform. Since 2021 Microsoft Sentinel has seen rapid development, releasing many new and improved features, and has gained broad adoption from security teams around the world. The solution has even seen a name change over this time, rebranding from “Azure Sentinel” to “Microsoft Sentinel” to better reflect its capabilities as a full enterprise SIEM solution rather than a tool exclusively for Azure workloads.

Our initial guide was to fill a gap for security practitioners and leaders who needed a view of real-world considerations that come with deploying Microsoft Sentinel from an experienced security team. In the intervening months since its publication, both Microsoft and the global Partner community have produced a growing body of high-quality documentation on the deployment and migration of the Microsoft Sentinel platform. Thousands of global enterprises now have project experience in operationalizing and integrating the tool.

The 2nd edition of this guide will serve two purposes. First, we will continue to provide practical, experience-derived deployment recommendations covering the latest features and capabilities of the Microsoft Sentinel platform. Second, we will push further into more challenging examples and use cases that we have encountered in the field through our project work and how enterprise organizations were able to solve them.

The purpose of this whitepaper is to provide security organizations with a practical field guide to assist in developing a deployment strategy for Microsoft Sentinel. It will employ best practices to support a stable, cost-effective, and operationally effective implementation of Microsoft’s cloud-native security information and event management (SIEM) platform. This document is written from a security practitioner perspective, based on experience deploying and managing Microsoft Sentinel in a wide range of organizations.

We intend for this guide to serve as a reference and planning document primarily for chief information security officers, security architects, and enterprise architecture and project management leaders. It defines adoption and migration strategies, budgeting, project planning, and resourcing requirements for a successful implementation of Microsoft Sentinel. It can be read as a companion document to other Microsoft Sentinel technical whitepapers, such as the Microsoft Sentinel Technical Playbook for MSSPs.

Table of Contents

​​Preface to the 2nd Edition 4

​Introduction 4

​Microsoft Sentinel cloud-native SIEM architecture 5

​Microsoft Sentinel for Security Operations 5

​Case Studies 5

​Core Microsoft Sentinel Solution Components 6

​Azure Log Analytics Workspace 6

​Azure Logic Apps 8

​Data Sources 9

​Project Resourcing 22

​Project Planning 22

​Design Planning 29

​Architecture Planning and Considerations 29

​Data residency requirements 29

​Number of Azure AD Tenants 30

​Number of Azure Subscriptions 31

​Number of Azure Resource Groups 32

​Distribution of Azure PaaS Resources 33

​Data Segregation Requirements 34

​Complex Organizational Structures 34

​Role-based Access Control (RBAC) Requirements 35

​Ingestion of Operational Logs Versus Security Logs 37

​Estimation of Log Ingestion Volume and Pricing Model 38

​Architecture Design Output 39

​Deployment 41

​Azure Resources 41

​Log Source Onboarding 43

​Built-in Data Connectors 44

​Microsoft Monitoring Agent (MMA) 44

​Azure Monitor Agent (AMA) 45

​Deploying a Syslog Collector 48

​Microsoft Sentinel Automation Playbooks 51

​Azure Function Apps 53

​Third-party and Vendor-provided Log Retrieval – Log Ingestion Tools 55

​Automation Playbooks 56

​Automation Rules 59

​Deploying Workbooks 62

​Deploying User and Entity Behavior Analytics 64

​Using the MITRE ATT&CK Dashboard 66

​Deploying Notebooks 67

​Deploying Cyber Threat Intelligence Functionality 68

​Deploying Alert Rules 72

​Migration from Existing SIEM Solutions 77

​Cost Management 82

​Evaluating Your Data Ingestion Against Use Cases 82

​Log Ingestion Strategies 83

​Detailed Analysis Examples 85

​Firewall-allowed Traffic 85

​EDR (alerts/incidents) 85

​Windows Security Events 86

​Budgeting for Microsoft Sentinel Costs 88

​Enumerating In-scope Log Sources and Phasing Deployment Projects Over Time 88

​Collecting Log Samples 89

​Ongoing Cost Monitoring and Evaluation 89

​Using KQL Queries 89

​Conclusion and Resources 90